04-17-2013, 05:35 AM
(04-17-2013, 04:58 AM)Incisive Wrote:(04-17-2013, 02:44 AM)jpgoldberg Wrote: Remember that unlike the passwords that 1Password saves for people, the Master Password has to be memorable and typable by humans. If one uses a diceware password phrase (as we recommend to 1Password users) then a three word pass phrase has a mean time to crack of 22 hours. A four word one has 19 years, five words is 150,000 years. After that it is millions of years.
In other words, this does change the kind of advice we have to give users. Please keep in eye on the AgileBits blog for more details.
What dictionary sizes are you assuming for the various passphrases?
Isn't the point of the OCLHashcat optimizations that these are being brute forced? Using a dictionary attack is a whole different ballgame.
And as to the "master password", I'm not sure what jpgoldberg means by "three word" passwords, but I assume this to mean many characters, not just three characters. If this is the case, then these time estimates are obviously wrong (or things are obviously broken). (What kind of security would a 7-character password offer then? Mere minutes?)
The whole point of using PBKDF2 is that it is key-stretching. You simply aren't attacking a password that has been straight SHA hashed. It sounds like these optimizations have removed a bunch of the key-stretching in PBKDF2, leaving in the words of the OP:
Quote:Instead of calculating a 256 bit key in the PBKDF2, we just need to calculate 128 bit. Since SHA1 gives us 160 bit, we can save exactly twice the number of calls to sha1 transform. This way I was able the reduce the calls to SHA1 transform from 8000 to 2002
If I understand this correctly, the brute force attack is against a 128 bit (or maybe 160 bit) key (either way, no matter). Even if there was only one iteration (not 2002) you're still looking at 2^128...
Here's a useful discussion (showing the futility of brute forcing even relatively weak keys): http://security.stackexchange.com/questi...-are-expos