You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
BitCoin mining shows you can get hardware to do 90 TeraHashes/s (SHA256).
It seems PBKDF2 does in the order of 1 MegaHashes of SHA1. This is not the same as SHA256, but if you can build a machine that does 90 TeraHashes/s of SHA256, it is not unreasonable to assume you can do the same for SHA1.
This means you can test 90000 passwords per second or 2838240000000 passwords per year. This is would brute force a password of 7 chars using a single machine. This is well within the power of any TLA agency.
BitCoin mining shows you can get hardware to do 90 TeraHashes/s (SHA256).
It seems PBKDF2 does in the order of 1 MegaHashes of SHA1. This is not the same as SHA256, but if you can build a machine that does 90 TeraHashes/s of SHA256, it is not unreasonable to assume you can do the same for SHA1.
This means you can test 90000 passwords per second or 2838240000000 passwords per year. This is would brute force a password of 7 chars using a single machine. This is well within the power of any TLA agency.
https://en.wikipedia.org/wiki/Password_Hashing_Competition was made to find an alternative, and Argon2id is today the recommended method to use.
The README of https://github.com/alexedwards/argon2id suggests it is easy to change PKCS5_PBKDF2_HMAC_SHA1 to argon2id.CreateHash.
The text was updated successfully, but these errors were encountered: