

‘SRP’ Does Not Protect Blizzard's Passwords - See how it's not better than SHA1 - zaroth
http://www.opine.me/blizzards-battle-net-hack/

======
stipes
Your numbers show that SRP-SHA1 is about 50000 times better than salted SHA1.
Not great, better than nothing (at least for those of us without dictionary-
targetable passwords).

~~~
zaroth
I've been continuing to work on this through the night. Initial benchmarking
on EC2 shows you can test SRP passwords at a rate of ~180k / sec on c1.xlarge,
at $0.66/hr per instance.

Particularly with Blizzard's strange 'case-insensitive alphanumeric only'
policy, anything less than truly random 8+ character passwords is within
reach.

For 90% of their users, this spells trouble. If you've seen John the Ripper,
you know 'dictionary-targetable' is an increasingly ambiguous term.

My main point is that Blizzard is coming out and saying in their press
release: "We use Secure Remote Password protocol (SRP) to protect these
passwords, which is designed to make it extremely difficult to extract the
actual password"

And in their FAQ: "Cryptographically scrambled versions of passwords for North
American players were accessed, protected by Secure Remote Password (SRP)
protocol.... The added layer of protection from SRP makes that process
computationally very difficult and expensive."

When what they SHOULD be saying is, "we used industry standard best practices,
but even so the majority of the passwords have most likely already been
cracked. Please make sure you change them immediately."

It would be nice if I could still tweak the title at this point.

~~~
stipes
Agreed.

As a point of comparison, it looks like you can get 650 million/s on a
cg1.4xlarge instance [1] (Amazon's GPU computing instance with 2x Tesla Fermi
M2050 GPUs), and it looks like they cost $2.10/hour per instance. So some
quick math does show that cracking SRP is only about 572 times slower, if we
normalize for cost of the instances on EC2.

1\. <http://www.nervous.it/lang/en-us/2012/06/cracking-sha1-on-amazon-ec2/>

~~~
zaroth
I posted a follow-up -- there may even be a way to fully reduce SRP into SHA1
given that N is a 256-bit value.

See: <http://www.opine.me/srp-to-sha1/>

