nanog mailing list archives
Re: gmail security is a joke
From: Jimmy Hess <mysidia () gmail com>
Date: Wed, 27 May 2015 19:07:30 -0500
On Wed, May 27, 2015 at 6:04 PM, Peter Beckman <beckman () angryox com> wrote:
[snip]
> I was thinking about using the last 2 digits of the year as the cost factor, but that might not scale with hardware linearly.

It is strongly recommended that when used for password storage, the work factor for BCRYPT, SCRYPT, or PBKDF2 be hand-tuned based on the current best available consumer desktop computing hardware.

Whenever it is manually adjusted, it should be tuned so that 1 password hash generation on a newly generated hash takes a minimum of 500 milliseconds on average at full throughput on the best current generally available consumer hardware. Or, for an application where performance is more critical than security... no less than 100ms on the server hardware.

Today, I believe the baseline would be a workstation with 4 5th generation Intel i7 3.1GHz Quad-Core procs. And I would suggest SCrypt() with a hefty selection for required amount of RAM to compute the hash, in order to help foil attempts to accelerate a hash-breaking process using GPU or FPGA technology.

> Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today.
>
> Beckman

--
-JH
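
The tuning procedure described in the message above, as an added example that is not part of the original post: it times scrypt on the local machine to find the smallest power-of-two cost `N` that meets a target time, and stores the parameters and a random per-password salt with each hash so the cost can be raised later. The record format `scrypt$N$r$p$salt$hash`, the function names, and the defaults `r=8`, `p=1` are assumptions made for this example.

```python
import hashlib, hmac, os, time

def scrypt_hash(password: bytes, salt: bytes, n: int, r: int = 8, p: int = 1) -> bytes:
    # scrypt needs roughly 128 * n * r bytes of RAM; maxmem must permit that.
    maxmem = 128 * n * r * 2 + (1 << 20)
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, maxmem=maxmem, dklen=32)

def calibrate_n(target_ms: float, r: int = 8, p: int = 1,
                max_log2_n: int = 18, trials: int = 3) -> int:
    """Smallest power-of-two N whose average hash time reaches target_ms here.

    Returns 2**max_log2_n if the target is never reached (cap keeps RAM bounded).
    """
    salt = os.urandom(16)
    for log2_n in range(10, max_log2_n + 1):
        n = 1 << log2_n
        start = time.perf_counter()
        for _ in range(trials):
            scrypt_hash(b"calibration password", salt, n, r, p)
        avg_ms = (time.perf_counter() - start) * 1000 / trials
        if avg_ms >= target_ms:
            return n
    return 1 << max_log2_n

def make_record(password: str, n: int, r: int = 8, p: int = 1) -> str:
    # A fresh random salt per password; parameters travel with the hash.
    salt = os.urandom(16)
    digest = scrypt_hash(password.encode(), salt, n, r, p)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    _, n, r, p, salt_hex, digest_hex = record.split("$")
    candidate = scrypt_hash(password.encode(), bytes.fromhex(salt_hex),
                            int(n), int(r), int(p))
    # Constant-time comparison of the derived key with the stored one.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(record: str, current_n: int) -> bool:
    # True when a stored hash was made with a lower cost than today's tuning;
    # rehash it the next time the user logs in with the correct password.
    return int(record.split("$")[1]) < current_n

if __name__ == "__main__":
    n = calibrate_n(target_ms=100.0)  # the 100 ms server-side floor from the message
    print("N =", n, "approx. RAM per hash (MiB):", 128 * n * 8 // (1 << 20))
```

Calibration reflects the machine it runs on, so measuring against the 500 ms figure means running it on hardware representative of the baseline named in the message rather than on the production server.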