[cryptography] Master Password

Nico Williams nico at cryptonector.com
Thu Jun 7 19:27:48 EDT 2012


On Thu, Jun 7, 2012 at 4:14 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
> There's another, completely different issue: does the attacker want a particular password, or will any passwords from a large set suffice?
>
> Given the availability of cheap cloud computing, botnets, GPUs, and botnets with GPUs, Aa * Ah * Ap can be very, very high, i.e., the attacker has a strong advantage when attacking a particular password.  Some say that it's so high that increasing Ad is essentially meaningless.  On the other hand, if there are many passwords in the set being attacked, a large Ad translates into a reduction in the fraction that can be attack in any given time frame.

If the attacker can't easily identify the user IDs...  If usernames
are put through a PBKDF as well to generate the lookup key with which
to find the password verifier, how much does the defender gain?  For
any one password, not much, because there's less entropy in usernames
than passwords, so the Ad barely improves -- but if the attacker can't
identify that one password then the slight increase in Ad helps slow
the attacker's progress through all of the verifiers they have.
Moreover, the verifier DB could be peppered with chaff with which to
further slow down the attacker.  Does this make sense?

Nico
--



More information about the cryptography mailing list