Password strength checkers that take into account Moore's Law?


Question

I was going about doing my annual password change on my accounts and tried various sites (microsoft, lastpass, etc) to try out hypothetical passwords. Some sites seem a bit more thorough than other sites in their evaluation of password strength but this made me wonder if any of the sites take into account Moore's law. That is, one hears about how "it would take 130,000 years to crack X password" but does that take into account that computers double in speed about every two years?

I'd be really curious to see if these sites take this into account, or if there are any sites that someone can suggest that do?

Solution

None of these calculations really take into account Moore's law. But let's see if we can show why we don't have to:

Moore's law states that processing power will double every 18 months (not quite, but good enough for our purposes).

So that means what's 130k years today, will be 65k years in 18 months. And 32.5k in 36 months, and so on, and so on.

We can come up with an equation for that!

cost-at-time = cost-today * 0.5 ^ (months / 18)

So plugging in cost today, we can see this nice pretty graph (x is years):

y = 130000 * .5 ^ (x / 1.5)

So, let's see what our cost will be for our 130k year password, in 50 years:

y = 130000 * .5 ^ (50 / 1.5)
y = 130000 * .5 ^ 33.3333
y = 0.000012 years (~6.3 minutes)

That's pretty fast!

How about 10 years?

y = 130000 * .5 ^ (10 / 1.5)
y = 130000 * .5 ^ 15
y = 1279 years

That's still quite strong...

However. It also misses the point of tunable algorithms like bcrypt and scrypt which are designed to be able to defeat Moore's law.

So if you use bcrypt, scrypt or PBKDF2, and keep tuning the cost so that it runs in a constant time, your password that takes 130k years today to crack (estimated), will still take 130k years to crack in 50 years.

Now, of course that doesn't solve the case where an attacker steals the password hash today, and spends the next 50 years attacking it... But I have to ask, what is your password protecting that a crypto-nerd will spend the next 50 years trying to attack it?

via XKCD
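
The answer's equation as runnable Python (an added example, not part of the original answer). It goes one step further than the answer: `years_until_cracked` models the stolen-hash case the answer mentions, where the attack starts today and the attacker's hardware keeps doubling, and the two `tuned_*` helpers show how much a defender must raise the work factor to cancel that doubling. The starting bcrypt cost of 12 and the 600,000 PBKDF2 iterations are assumed values, not figures from the page.

```python
import math

DOUBLING_YEARS = 1.5  # the answer's figure: attacker speed doubles every 18 months


def cost_at_time(cost_today_years, years_ahead, doubling=DOUBLING_YEARS):
    """Crack time for an attack *started* years_ahead from now (the answer's equation)."""
    return cost_today_years * 0.5 ** (years_ahead / doubling)


def years_until_cracked(cost_today_years, doubling=DOUBLING_YEARS):
    """Elapsed time for an attack started today on a stolen hash when the
    attacker keeps upgrading hardware. Work done by time T, in today-years, is
    the integral of 2**(t/doubling) dt = doubling/ln2 * (2**(T/doubling) - 1);
    setting that equal to cost_today_years and solving for T gives:"""
    return doubling * math.log2(1 + cost_today_years * math.log(2) / doubling)


def tuned_bcrypt_cost(cost_now, years_ahead, doubling=DOUBLING_YEARS):
    """bcrypt's cost parameter is log2 of the iteration count, so one extra
    unit per doubling period keeps the per-guess time constant."""
    return cost_now + math.ceil(years_ahead / doubling)


def tuned_pbkdf2_iterations(iterations_now, years_ahead, doubling=DOUBLING_YEARS):
    """PBKDF2's iteration count is linear, so it has to double each period."""
    return math.ceil(iterations_now * 2 ** (years_ahead / doubling))


if __name__ == "__main__":
    w = 130_000  # years, the figure used in the answer
    for yrs in (10, 50):
        print(f"attack started in {yrs} years: {cost_at_time(w, yrs):.6g} years")
    print(f"hash stolen today, cracked after ~{years_until_cracked(w):.1f} years")
    # Assumed starting parameters (not from the page): bcrypt cost 12, PBKDF2 600000
    print("bcrypt cost in 10 years:", tuned_bcrypt_cost(12, 10))
    print("PBKDF2 iterations in 10 years:", tuned_pbkdf2_iterations(600_000, 10))
```

Under the same 18-month doubling assumption, a hash stolen today falls after roughly 24 years of continuous attack, far sooner than the 130k-year headline figure suggests; that is the case where only a stronger password helps, since the work factor of an already-stolen hash cannot be retuned.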
