Hacker News new | past | comments | ask | show | jobs | submit login

SHA256 is very fast, which makes it relatively easy to brute-force if someone gets their hands on your hashed password file.



Even with long, unique salts?


Yes. A GPU can calculate more than two billion SHA-256 hashes per second, and adding 32 random bytes to each hashing is not going to slow it down enough to matter. Salting protects against rainbow tables; it's not an effective protection against someone just trying to brute-force guess passwords.


This is true. The bruteforce attempts will include the salts in, simply adding to the length of the textdata being hashed. After they get the matching string to the hash, it's an easy enough process to then figure out which part is the password and which is the salt. Attempts to get around this are done by things such as:

md5(sha1(md5(md5(password) + sha1(password)) + md5(password)))

Which is not an appropriate method to circumvent.

SHA512 is obviously a bit most costly, and therefore harder to bruteforce, but if you truly care about security you would be best to use PBKDF2 at minimum (built into Django's standard).


I'm confused. That combination of SHA1 and MD5 is, itself, a hash function, and should be brute-forceable using the exact same methods you would use to brute force any other hash function. It's also easy to GPU-accelerate.


I think the meaning was that combining SHA1 and MD5 is not an appropriate method to circumvent brute-forcing.


Salts do absolutely nothing to make cracking take longer.

The length of the salt might incur 1-2 additional calls to the SHA core permutation function, which is nothing.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: