
Registered · 8 Posts · Discussion Starter #1
Hi everyone,

Reading an interesting article: http://chargen.matasano.com/chargen/...w-about-s.html

Quote:
Originally Posted by From Website

Why is bcrypt such a huge win? Think of the problem from two perspectives: the server, and the attacker.

First, the server: you get tens of thousands of logins per hour, or tens per second. Compared to the database hits and page refreshes and IO, the password check is negligible. You don’t care if password tests take twice as long, or even ten times as long, because password hashes aren’t in the 80/20 hot spot.

Now the attacker. This is easy. The attacker cares a lot if password tests take twice as long. If one password test takes twice as long, the total password cracking time takes twice as long.

The bit I don't understand is that server part. Surely, the more complex the hash, the more processing required on the server when converting the plaintext password to the hash => latency. What does he mean by 80/20 sweet spot?

Or is all he is really saying that, compared to all the other operations happening on the server, increasing that part means negligible noticeable latency?

Banned · 7,990 Posts
Man the part I read was cool. I hope I can download and read it all once I get my Kindle.

Rep+ for the interesting read

Premium Member · 13,477 Posts
If an attacker is trying passwords, you want to slow him down. But legitimate users shouldn't have to wait too long.

Banned · 7,990 Posts
Quote:
Originally Posted by error10
If an attacker is trying passwords, you want to slow him down. But legitimate users shouldn't have to wait too long.
We're talking in the order of ms though, right?

Premium Member · 13,477 Posts
Quote:
Originally Posted by AMD+nVidia
We're talking in the order of ms though, right?
Sure, but if the hardware speeds up, you can slow the algorithm down even further.

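A worked illustration of the two perspectives this thread keeps coming back to: the server's per-login cost versus the attacker's total cost, and raising the work factor again when hardware gets faster (the point of the last reply). This is an added example, not code from the linked article or from any poster. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, because both have a tunable work factor; the request-time figures, guess counts and sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Added example: PBKDF2-HMAC-SHA256 stands in for bcrypt here because both
# expose a tunable work factor. bcrypt's cost parameter doubles the work per
# increment, which the doubling search in calibrate_iterations mirrors.


def hash_password(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte hash; the cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_password(password: bytes, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time comparison, so the check itself leaks nothing about the stored hash."""
    return hmac.compare_digest(hash_password(password, salt, iterations), expected)


def time_hash(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock seconds for one hash at this work factor on this machine."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        hash_password(b"correct horse battery staple", salt, iterations)  # constructed sample
        best = min(best, time.perf_counter() - t0)
    return best


def calibrate_iterations(target_seconds: float, start: int = 1000, cap: int = 1 << 24) -> int:
    """Double the work factor until one hash takes at least target_seconds.

    Re-run this after a hardware upgrade: the same target time then maps to a
    higher iteration count, which is how the algorithm is "slowed down further".
    """
    n = start
    while n < cap and time_hash(n) < target_seconds:
        n *= 2
    return n


def login_time_fraction(hash_seconds: float, rest_of_request_seconds: float) -> float:
    """Share of one login request spent on the password check (the server's view)."""
    return hash_seconds / (hash_seconds + rest_of_request_seconds)


def total_guessing_seconds(guesses: int, hash_seconds: float) -> float:
    """Time to test `guesses` candidates (the attacker's view): linear in the hash cost."""
    return guesses * hash_seconds


if __name__ == "__main__":
    # Constructed figures: a login request spends about 50 ms on DB and page work.
    rest = 0.050
    iters = calibrate_iterations(0.010)  # aim for roughly 10 ms per hash
    per_hash = time_hash(iters)
    print(f"iterations={iters}, one hash ~{per_hash * 1000:.1f} ms")
    print(f"server: password check is {login_time_fraction(per_hash, rest):.0%} of a login")
    for factor in (1, 2, 10):
        secs = total_guessing_seconds(10_000_000, per_hash * factor)
        print(f"attacker: 10M guesses at {factor}x hash cost -> {secs / 3600:.1f} hours")
    # Store-and-check round trip with a constructed password.
    salt = os.urandom(16)
    stored = hash_password(b"example-password", salt, iters)
    assert verify_password(b"example-password", salt, iters, stored)
    assert not verify_password(b"wrong-password", salt, iters, stored)
```

The server-side number stays small because the hash is one fixed-size step inside a request dominated by other work, while the attacker's number is nothing but that step repeated millions of times, so doubling the work factor doubles it outright. Running `calibrate_iterations` on newer hardware with the same 10 ms target is the "slow the algorithm down even further" step: the target wall-clock cost is what you hold constant, not the iteration count.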