Giter VIP home page Giter VIP logo

Comments (2)

tytso avatar tytso commented on September 14, 2024 1

If you read the full report, they are assuming that a password is "crackable" assuming that it is hashed using MD5. MD5 is an ancient cryptographic checksum, which is widely considered to be insecure, precisely because passwords can be cracked in seconds[1].

[1] https://security.stackexchange.com/questions/19906/is-md5-considered-insecure

There are no doubt some legacy systems that may still be using MD5 for hashing passwords. But more modern systems don't do this. For example, BitWarden uses 600,001 iterations of the KBPDF2 algorithm[2], which is vastly more secure than bare MD5. Bitwarden will be soon switching to using Argon2 for its password hashing, which requires using far more memory than can be used in a graphics card, to avoid hardware acceleration for brute force cracking[3]. The tradeoffs for using these more secure password hashing algorithms is that on older / cheaper mobile devices, the time for the legitimate user to do the password hash might delay their login by a second or more, which is not a great user experience. (On the other hand, it's probably less painful than having to type a 16 character purely random string....)

[2] https://en.wikipedia.org/wiki/PBKDF2
[3] https://stytch.com/blog/argon2-vs-bcrypt-vs-scrypt/

In any case, the Hive Systems report is clickbait, because MD5 has been known to be weak forever, and no competent system designer would be using MD5 in the twenty-first century. And all of this assumes that the hash is available to the attacker. Many systems do not expose the hash to the attacker, and if you try more than a small handful (3 to 10) bad passwords, the account is locked. This also prevents brute force attacks.

Since pwgen doesn't know whether or not you are trying to use a system which has been competently engineered or not, it doesn't make sense to change pwgen's defaults assuming an incompetently designed system. After all, such systems probably of far worse security vulernabilities, since I wouldn't trust any system designed by someone who thought using MD5 in the post-2000 era was a good idea.....

from pwgen.

matlads avatar matlads commented on September 14, 2024

I agree with most of these points.

Closing this issue.

from pwgen.

Related Issues (9)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.