• Adding Secure Passwords to Linux

    From John Savard@quadibloc@gmail.com to comp.os.linux.security on Thu Jul 28 11:25:49 2022
    From Newsgroup: comp.os.linux.security

    I just encountered an article saying that, since today's GPUs are so
    powerful, there's no such thing as a secure password any more.
    The death of the password is a bad thing, because smartphones
    can get lost, broken, or bricked. Indeed, if people have to use
    smartphones to log on to everything, they will be the new high-value
    target.
    However, Linux can set an example of how to make passwords work.
    Using a GPU to brute-force a password requires an attacker
    to have gotten a copy of the password file from the target
    machine - that's how an attacker can try zillions of passwords, instead
    of being locked out after three failed attempts, each of which took
    several seconds.
    So if one changed how password files stored passwords...
    Use a better hash function.
    Use 128-bit salt.
    Use Blowfish encryption as a stage in the process.
    So when a Linux system is installed, a random and unique key is
    generated for the encryption phase in checking passwords against
    the password file.
    Of course, that unique key still has to be stored somewhere on the
    system, so an attacker could still obtain it. Another possibility too...
    *most* cryptographic algorithms today are careful to avoid any
    conditional branch operations, because they're conducive to attacks
    which grab the key by monitoring power consumption. But such an
    algorithm - one that does use a lot of conditional branches - would be
    hard to implement efficiently on a GPU.

    John Savard
    --- Synchronet 3.19c-Linux NewsLink 1.113
  • From Richard Kettlewell@invalid@invalid.invalid to comp.os.linux.security on Thu Jul 28 21:16:20 2022

    John Savard <quadibloc@gmail.com> writes:

    > I just encountered an article saying that, since today's GPUs are so
    > powerful, there's no such thing as a secure password any more.
    > The death of the password is a bad thing, because smartphones
    > can get lost, broken, or bricked. Indeed, if people have to use
    > smartphones to log on to everything, they will be the new high-value
    > target.
    > However, Linux can set an example of how to make passwords work.
    > Using a GPU to brute-force a password requires an attacker
    > to have gotten a copy of the password file from the target
    > machine - that's how an attacker can try zillions of passwords, instead
    > of being locked out after three failed attempts, each of which took
    > several seconds.
    > So if one changed how password files stored passwords...
    > Use a better hash function.

    Have a look at scrypt or argon2, designed specifically for password
    hashing.
    --
    https://www.greenend.org.uk/rjk/
  • From Marco Moock@mo01@posteo.de to comp.os.linux.security on Fri Jul 29 08:36:57 2022

    On Thu, 28 Jul 2022 11:25:49 -0700 (PDT)
    John Savard <quadibloc@gmail.com> wrote:
    > I just encountered an article saying that, since today's GPUs are so
    > powerful, there's no such thing as a secure password any more.

    It depends on the length. Longer passwords are better. The process of
    cracking passwords when a hash table is available, even if salted, is
    decreasing because GPUs become faster and this process can easily be
    split on many machines.
    There are some steps that can increase the time:
    - Longer passwords (the amount of time needed increases exponentially
      with the length of the pw)
    - Unique salts per password (then every password must be tested
      individually per user hash and not only one time for all users with
      the same salt)
    - Privileges that deny normal users access to the hashed passwords, like
      most Linux distributions use /etc/shadow and don't allow read access to
      users.
    --
    Gruß
    Marco
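The two replies above (a password-hashing KDF such as scrypt, and a unique random salt per user) can be seen together in one short program. This is an added example written for this page, not code from any poster; the `scrypt$N$r$p$salt$hash` record format and the work factors are constructed for the example.

```python
"""Salted scrypt password storage: one record per user, fresh salt each time.

Added example, not from the thread. Uses only the Python standard library
(hashlib.scrypt needs an OpenSSL build, which is the norm).
Record format (constructed here):  scrypt$N$r$p$<salt hex>$<hash hex>
"""
import hashlib
import hmac
import os

# scrypt work factors: N = CPU/memory cost, r = block size, p = parallelism.
# N=2**14, r=8 needs about 16 MiB per guess; production would tune upward.
N, R, P = 2 ** 14, 8, 1
SALT_BYTES = 16   # the 128-bit salt proposed in the thread
DKLEN = 32        # derived key length in bytes


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a record for storage. A new random salt is drawn per call,
    so two users with the same password get two different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the record and compare in
    constant time, so the check leaks nothing about where bytes differ."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p),
                            dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_differs(password: str) -> bool:
    """Marco's point: per-user salts force an attacker to attack each
    record separately. Same input, two records, both still verify."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)
```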