nanog mailing list archives

Re: gmail security is a joke


From: Jimmy Hess <mysidia () gmail com>
Date: Wed, 27 May 2015 19:07:30 -0500

On Wed, May 27, 2015 at 6:04 PM, Peter Beckman <beckman () angryox com> wrote:
[snip]

> I was thinking about using the last 2 digits of the year as the cost
> factor, but that might not scale with hardware linearly.

It is strongly recommended that when used for password storage, the
work factor for BCRYPT, SCRYPT, or PBKDF2 be hand-tuned based on the
current best available consumer desktop computing hardware.

Whenever it is manually adjusted, it should be tuned so that 1
password hash generation on a newly generated hash takes a minimum of
500 milliseconds on average at full throughput on the best current
generally available consumer hardware.

Or, for an application where performance is more critical than
security, no less than 100ms on the server hardware.

Today, I believe the baseline would be a workstation with 4 5th
generation Intel i7 3.1GHz quad-core procs.


And I would suggest SCrypt() with a hefty selection for the required
amount of RAM to compute the hash, in order to help foil attempts to
accelerate a hash-breaking process using GPU or FPGA technology.


> Bcrypt or PBKDF2 with random salts per password is really what anyone
> storing passwords should be using today.
>
> Beckman
--
-JH
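The hand-tuning Jimmy describes, as an added example that is not code from this thread or from either poster: it measures PBKDF2-HMAC-SHA256 on the host it runs on and doubles the iteration count until one derivation takes at least the target time, stores the cost alongside each per-password salt so old hashes can be detected and upgraded, and sizes scrypt's memory cost (128 * r * N bytes) to illustrate the RAM lever that blunts GPU/FPGA acceleration. The 500 ms and 100 ms targets are the thread's numbers; the record format, function names and calibration password are assumptions made for the example, and the scrypt part relies on `hashlib.scrypt`, which needs Python 3.6+ built against OpenSSL 1.1 or later.

```python
import hashlib
import hmac
import os
import time

# Added example (not code from the thread). Calibrates a PBKDF2-HMAC-SHA256
# iteration count on the machine it runs on, so the work factor follows measured
# hardware speed rather than the calendar year, and sizes scrypt's memory cost.

CALIBRATION_PASSWORD = b"calibration-only-password"  # constructed input


def time_one_hash(iterations, samples=3):
    """Average wall-clock seconds for one PBKDF2-HMAC-SHA256 derivation."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", CALIBRATION_PASSWORD, salt, iterations)
    return (time.perf_counter() - start) / samples


def calibrate_iterations(target_seconds=0.5, start=10_000):
    """Double the iteration count until one derivation takes >= target_seconds.

    Run this on the fastest hardware you expect attackers to own (the thread's
    benchmark is a current consumer desktop), not on a slow VM, and re-run it
    periodically; the returned value is stored with each hash it produces.
    """
    iterations = start
    while time_one_hash(iterations) < target_seconds:
        iterations *= 2
    return iterations


def hash_password(password, iterations):
    """Return a self-describing record: algorithm, cost, per-password salt, digest."""
    salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored cost and salt; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record, current_iterations):
    """True when a stored hash was made with a cost below today's calibrated value."""
    return int(record.split("$")[1]) < current_iterations


def scrypt_memory_bytes(n, r):
    """Approximate RAM scrypt needs: 128 * r * N bytes for its working vector."""
    return 128 * r * n


def scrypt_available():
    """hashlib.scrypt exists only when Python was built against OpenSSL 1.1+."""
    return hasattr(hashlib, "scrypt")


def scrypt_hash(password, n=2 ** 14, r=8, p=1):
    """scrypt via hashlib; N raises CPU *and* memory cost together."""
    salt = os.urandom(16)
    # Give OpenSSL headroom above the theoretical working-set size.
    maxmem = 2 * scrypt_memory_bytes(n, r) * p
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                            maxmem=maxmem, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


if __name__ == "__main__":
    cost = calibrate_iterations(target_seconds=0.5)  # thread's desktop target
    print(f"calibrated PBKDF2 iterations on this host: {cost}")
    record = hash_password("correct horse battery staple", cost)
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
    for n in (2 ** 14, 2 ** 17, 2 ** 20):
        mib = scrypt_memory_bytes(n, 8) // 2 ** 20
        print(f"scrypt N={n:>8} r=8 -> about {mib} MiB per hash")
```

The `needs_rehash` check is what makes periodic re-calibration practical: on a successful login the plaintext is briefly available, so a hash stored with yesterday's cost can be replaced with one at today's cost without forcing a reset. Raising N for scrypt multiplies both time and memory per guess, which is the property that makes it awkward to pack many parallel guesses into a GPU or FPGA.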

