Score:4

Password hashing and salting with SHA-256 on $2^{64}$ password space

bm flag

If a password is randomly chosen from a space of $2^{64}$ passwords and is stored as an SHA-256-bit hash and a 128-bit salt, how many hashes does an attacker need to perform to recover the password in the worst case?

Would it just be $2^{256}$ hashes because SHA-256 provides $256$ bits of security in a pre-image attack?

kelalaka avatar
in flag
Levgeni keep the title non Latex as much as possible. This helps for the search and hnq.
Maarten Bodewes avatar
in flag
Please do accept answers that resolve the question for you. This is important as it shows any readers that the question does have an answer, and it gives reputation to the person answering the question. It's the best way of saying "thanks" on Stack Exchange. It also gives persons an incentive to answer any new questions that you may have.
Score:4
in flag

If your password space is just $2^{64}$ then the attacker only needs to search for the $2^{64}$ distinct passwords. It is simple as this function;

findPassoword( salt,targetHash)

  for i in (1,2^64)
     if SHA-256(i||salt) = targetHash
        return i

This is still a pre-image search with limited input space. The input space is really important in the pre-image attack. The generic cost for SHA-256 is $2^{256}$ however when we specify the input space then is the minimum of the generic cost and the input space.

For password hashing, let's forget the cryptographic hash functions, we have special password hashing algorithms to achieve that like PBKDF2, Scrypt, Argon2, and Balloon hashing.

CryptoGuru avatar
bm flag
Oh so even the 128-bit salt that is hashed with the password, won't impact it? And in the worst case, the hacker will only need to do 2^64 hashes regardless of the salt?
kelalaka avatar
in flag
Salt is used to prevent to rainbow tables. It is assumed to be known by the attacker. Only the passwords are secret to be kept. Strong password like dicewire or bip39 is adviced. Password hashing algorithms are must since the users tent to use bad passwords. The simplest countermeasures is the iteration. For example if you iterate the hash 2^20 times the attacker's cost is increased with the same amount.
Score:2
bs flag

Input length - Calculated by k^n where k is the keyspace for a single character and n is the number of characters. For example, if I used the uppercase and lowercase English letters plus the numbers 0 to 9, I would have a k = 62 = (26+26+10). If I allowed 10 characters in my password, my password would be k^10 = 62^10 = 8.39e17.

Output length - The size of the output hash. Measured in 2^n where n is the number of bits of the output. Needs to be large enough that you don't have hash collision. Most commonly, this is 32 bytes or 64 bytes.

Salt length - Used to prevent rainbow table attacks by reducing the likelihood that the attacker has pre-computed the outputs for a given password. In general 16 bytes is recommended.

The number of guesses it takes to crack a password in the worst case scenario is whichever is smaller: the input length or the output length. In practice, what tends to be a bigger problem than picking the right hashing parameters is people picking simple passwords out of convivence. We can help mitigate this problem by using tools such as zxcvbn to check for these simple passwords when creating new passwords.

I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.