
Well there is one important factor about these 20 trillion passwords: are they associated with real user accounts?

If not then it really doesn't matter that they got published. They're useless to hackers without knowing what email to type in. The attack model is that the attacker actually has to log into a website and you don't get 20 trillion attempts.

Never underestimate the ingenuity of the user. They might search for a list of good passwords, find it, and pick one.

> The attack model is that the attacker actually has to log into a website

Not to find the password. If it was then nobody would get upset about plaintext password storage.


Well, if we're talking about the possibility of an offline attack against a password database, that's a bit different. The standards for a good password are higher for that attack.

But anyway, if you pick a password from a list of 20 trillion where the offline attacker knows the list, it doesn't actually help them much, because a single selection from 20 trillion options has 44 bits of entropy.

Passwords that users choose typically have less entropy than that, AFAIK.


Most passwords are worse, yeah, but 44 bits isn't great. With a fast hash that's less than a GPU-week. It's basically enough if you use bcrypt, but even then it's not protected from an attacker with a lot of money to throw at it. (8 GPUs per server, 10 servers per rack, 50 racks, suddenly you're hashing work-factor-10 bcrypt passwords at about 2 million per second and average cracking time is 50 days.)
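The cost model argued over in the two comments above, as an added worked example (not part of the thread): entropy of a uniform pick from a known list, cluster hash rate from the 8x10x50 GPU figures, bcrypt cost doubling per work-factor step, and the resulting average time to a hit. The 500 bcrypt/s per GPU at work factor 10 is an assumption chosen so that the cluster totals the comment's 2 million per second; the 1e9/s fast-hash rate per GPU is likewise a constructed assumption.

```python
import math

SECONDS_PER_DAY = 86_400


def selection_entropy_bits(list_size: int) -> float:
    """Bits of entropy in one uniform pick from a list the attacker also holds."""
    return math.log2(list_size)


def cluster_hash_rate(gpus_per_server: int, servers_per_rack: int,
                      racks: int, per_gpu_rate: float) -> float:
    """Total candidate hashes per second across the whole GPU cluster."""
    return gpus_per_server * servers_per_rack * racks * per_gpu_rate


def bcrypt_rate_at(per_gpu_rate_wf10: float, work_factor: int) -> float:
    """bcrypt doubles its cost per work-factor increment, so the rate halves."""
    return per_gpu_rate_wf10 / 2 ** (work_factor - 10)


def average_crack_days(entropy_bits: float, hashes_per_second: float) -> float:
    """On average the attacker searches half the keyspace before hitting."""
    keyspace = 2 ** entropy_bits
    return keyspace / 2 / hashes_per_second / SECONDS_PER_DAY


def full_keyspace_days(entropy_bits: float, hashes_per_second: float) -> float:
    """Worst case for the attacker: the entire keyspace is exhausted."""
    return 2 ** entropy_bits / hashes_per_second / SECONDS_PER_DAY


def thread_scenario(work_factor: int = 10) -> dict:
    """The comment's setup: 20 trillion candidates, 8 GPUs x 10 servers x 50 racks.

    Assumed: 500 bcrypt/s per GPU at work factor 10 (gives the 2M/s total).
    """
    bits = selection_entropy_bits(20_000_000_000_000)
    per_gpu = bcrypt_rate_at(500.0, work_factor)
    rate = cluster_hash_rate(8, 10, 50, per_gpu)
    return {"entropy_bits": bits, "cluster_rate": rate,
            "avg_days": average_crack_days(bits, rate)}


if __name__ == "__main__":
    for wf in (10, 12):
        s = thread_scenario(wf)
        print(f"wf={wf}: {s['entropy_bits']:.1f} bits, "
              f"{s['cluster_rate']:.0f} hashes/s, avg {s['avg_days']:.0f} days")
```

Using the exact list size gives about 58 days rather than the comment's 50, which rounds 20 trillion down to 2^44; raising the work factor to 12 quadruples the time.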


Right - "attacker gets an old database backup, and wants to escalate to access to the live website" (or perhaps "attacker breaches QA", or something) is a realistic attack model. Take all the known passwords, hash them, match the hashes against the database, look at the next column over to see whose accounts you compromised.
