In computer science, speed is all. Everything we do, we want to do as fast as possible. Right? No. Consider slow hashing algorithms. Some hashes are intentionally computationally expensive. Why? Because attackers have multi-GPU dedicated password cracking machines that can try millions of variations per second. A hash that requires more computation power is much slower to crack because of the time it takes to try each variation. Sure, your user may have to wait for half a second longer for the authentication form to go away and his page to load, but his/her credentials are many times more resistant to breach if an attacker obtains the hashed passwords. Consider this. On a fast, multi-GPU cracking machine, as many as 180 billion password hashes could be cracked per second. With bcrypt, that number would fall to 71 thousand hashes per second. Which one would you want YOUR password encrypted with?
No comments:
Post a Comment