Re: What is best way to set_rand?
- Posted by CoJaBo2 Jan 26, 2013
Wouldn't that depend upon the length of the password and the length of the Alphabet?
A limit of 20 character passwords from an Alphabet of 96 characters produces a very large number of potential passwords, around 4.5*10^39. So if our cracking software does a billion passwords per second, that would still take about 10^25 years on average to crack one password.
If we assume the two 32-bit hashes were cryptographically secure, they were then concatenated, and fed to a cryptographically secure stream cipher, this places an absolute upper bound of 2^64 passwords that could possibly be generated.
Assuming 65 billion keys per second (based on what was used to crack DES some years ago), this would take no longer than a year to crack (less if using more or faster machines).
However, the hashes used are not concatenated; they are ones with very well known mathematical properties, and the "stream cipher" in this case is Eu's random number generator, which is very much not suited for that purpose. This could dramatically reduce the time it takes to brute-force. And, if either the keyfile or passphrase is known, it would be downright trivial to brute-force, even without caring about other weaknesses.
I don't see the connection between generating passwords and hashing? It is possible to generate passwords without using any hashing function at all.
The question in this thread was about how to hash data to generate a password.
The currently implemented hashing algorithms in Eu are not designed for cryptographic purposes, however a few of them are quite secure for most other purposes.
The design of the hash() built-in function allows for other, including modern, algorithms to be implemented in future.
This should probably be done "soon"..
Though it may be a good idea to name the function for cryptographic hashes something else.
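The seed-space bound discussed in this post, shown as an added example that is not part of the original thread or of Euphoria. It assumes Python's `random.Random` as a stand-in for a seeded, non-cryptographic generator, a constructed 96-symbol alphabet, and a toy 12-bit seed so the whole seed space can be enumerated; all function names are hypothetical.

```python
import math
import random
import secrets

# Constructed 96-symbol alphabet: 95 printable ASCII characters plus one extra.
ALPHABET = "".join(chr(c) for c in range(32, 127)) + "\u00a3"

def effective_bits(alphabet_size, length, seed_bits):
    """Entropy of a generated password is capped by the seed driving the generator."""
    return min(length * math.log2(alphabet_size), seed_bits)

def seeded_password(seed, length=20):
    """Weak pattern: the password is a deterministic function of a small seed."""
    rng = random.Random(seed)  # stand-in for a seeded, non-cryptographic RNG
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def distinct_passwords(seed_bits, length=20):
    """Count every password the seeded generator can ever emit."""
    return len({seeded_password(s, length) for s in range(2 ** seed_bits)})

def recover_seed(password, seed_bits):
    """The search runs over seeds, not over the 96^20 password space."""
    for s in range(2 ** seed_bits):
        if seeded_password(s, len(password)) == password:
            return s
    return None

def os_random_password(length=20):
    """Corrected form: every character is drawn from the OS CSPRNG, no seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    print("nominal bits (96^20):", round(20 * math.log2(96), 1))
    print("effective bits with a 64-bit seed:", effective_bits(96, 20, 64))
    print("passwords reachable from a 12-bit seed:", distinct_passwords(12))
    pw = seeded_password(1234)
    print("seed recovered from one password:", recover_seed(pw, 12))
    print("CSPRNG password:", os_random_password())
```
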