Stop giving your users passwords to Troy Hunt! Eg. hash and salt them! But use a really slow hash. Lets say the hashing speed is one hash per second, then it would take trillion years to brute force the password "hello".
You have that backwards. You don't bruteforce a single password. You compute the hashes of all the dictionary words and then compare the hashes. So your 'trillion years' is probably more along the lines of a few weeks, for all the words in the dictionary at once.
Yes! (I've edited my comment and added "and salt") and with a tiny bit of obscurity like a hashing algorithm that can't easily be calculated by a GPU or ASIC, then the hackers probably wont bother. Because scrypt is used by Litecoin, Dogecoin, et.al there are now ASIC's capable of billions of scrypt hashes per second.
Exactly! A password "hash" function is an algorithm that will turn a password string into a seemingly random string. Where it's impossible to figure out what the password is - based on the output string from the hash function. And the hashed string is saved in the database instead of the password. When the user logins the database runs the hash function. eg "SELECT * FROM user WHERE pw = hash($pw_input)" For example my md5 hashed password is a8b767bb9cf0938dc7f40603f33987e5
Now hackers are smart and will generate a "rainbow table" of all possible words and their corresponding hash (try google the md5 hash above). But then we can "salt" the password by adding a random string that is unique to each user, and the rainbow table becomes useless. "SELECT * FROM user WHERE pw = hash(concat($pw_input, salt))"
But hackers don't give up so easily. Using GPU's and dedicated hardware they can generate billions of hashes per second, so they will just "brute force" hash all possible words (dictionary and more) together with the salt.
To counter this we use a slow hash function, a function that takes up to 100ms to run, and now the hacker can only brute force ten passwords per second! Meaning it will take years to find even a simple password.
If we all start doing this: slow hash function + salt - then Troy Hunt wont have any more passwords! Sorry Troy!
And also if users use long passwords with some special characters like !"#¤%&/()= for increased entropy, then it will be even harder for the hackers to brute force them. Using only numbers a five letter pasword has 10^5 combinations. Using only lowever case letters there's 28^5 combinations. Using upper and lower case plus special characters and numbers there's like 80^5=3 billion combinations. If we now increase the password length from five to ten characters there's now 80^10=ten Quintillion combinations. Cracking it with 10 hashes/per second would take 30 billion years. But if it was a fast hash lile any of the popular md5 or sha where you can have a few billion of hashes per second it would take "only" 30 years. Where as a password with only five letters would take less then a second to crack.
Now you think 30 years is a lot, but then there's Moore's law, where number of transistors will double every second year, leading to increased compute power. So two years from now those 30 years would only be 15 years. And 20 years from now those 30 years will be only one year! Think of this when you use what was considered best practice in the 80's
