|KevinBooks||how big should the column be?|
|CareBear\||KevinBooks : char(64) for a sha256|
|seekwill||CareBear\: Ok, let's say it is "broken". How long does it take to break?|
|CareBear\||seekwill : 2^69/2^40/86400/365=17 years with 1Tops|
|seekwill||Yeah... 17 years...|
|CareBear\||1Tops isn't all that much though?|
GHz programmable logic doesn't cost many $
|KevinBooks||Tops = TeraFLOPS ?|
|seekwill||What are our computers doing these days?|
I would say something is broken if it can be cracked w/o a brute force.
|CareBear\||seekwill : 2^80 would be brute force|
|CareBear\||KevinBooks : Tops = tera operations, one operation=one hash|
seekwill : 2^69 < 2^80
seekwill : But you mean without searching at all?
CareBear\: Is the cost of calculating a sha256, and storing it, really worth it to all practical applications?
There's a point that if your entire operation isn't at that level of security, it won't matter.
"There would be a real danger if someone found a way to reverse the hash and reveal the plaintext message that the sender had signed."
|CareBear\||seekwill : You are completely right. Always choose security based on the threat.|
But I do think the 32 extra bytes are worth it.
|mksm||you could just change passwords like monthly|
|CareBear\||Who knows how long it will take to find collisions tomorrow.|
|seekwill||Is the SSL layer used to transport the password at least 256??|
|CareBear\||mksm : Sure. But unless there is an existing secure communications path from the system to the user it's hard to notify the user of updates.|
|mksm||i would be more worried about the user|
|CareBear\||seekwill : Even if it isn't, the network traffic is not necessarily stored anywhere (disregarding data remanence in routers) while the database will be by design.|
|seekwill||He writes the password on a postit, sticks it to his monitor...|
CareBear\: Snif snif
|CareBear\||The user is always a weak link!|
Probably the most rewarding attack vector.
The web sucks. :p
|mksm||yeah. How much $ is a password worth?|
|seekwill||Depends on application. If it's worth anything substantial, I would hope you didn't have to ask here.|
|CareBear\||mksm : Some online banking systems just use a password for login and another for transaction signatures.|