A 16 character password randomly consisting of upper and lower case letters and numbers only using bcrypt with a cost factor of 10 would take ~6.046727765959351e+18 years to crack on a single Nvidia 2080Ti.
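An added example, not code from the thread, that redoes the arithmetic behind the crack-time figure quoted above. It computes the keyspace of a random 16-character alphanumeric password, scales a bcrypt hash rate across cost factors (each +1 halves throughput), and derives the hash rate that the quoted figure must have assumed so it can be checked against a benchmark you trust. The only number taken from the thread is the years figure itself (`THREAD_FIGURE_YEARS`); no GPU benchmark is assumed.

```python
"""Brute-force time estimate for a random password stored with bcrypt.

Added example for this thread, not code from any of the posts. Hash rates
are inputs you supply from a real benchmark; the only rate produced below
is the one implied by the figure quoted in the thread, derived from that
figure rather than measured.
"""
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes a policy might allow. Only the size matters here.
ALNUM = string.ascii_letters + string.digits      # 62 symbols
ALL_PRINTABLE = string.printable.strip()          # 94 symbols (whitespace dropped)


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from `charset_size`."""
    return charset_size ** length


def rate_at_cost(rate_at_ref: float, ref_cost: int, cost: int) -> float:
    """bcrypt runs 2**cost rounds of expensive key setup, so throughput
    halves for every +1 of the cost factor (and doubles for every -1)."""
    return rate_at_ref / 2 ** (cost - ref_cost)


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Years to try every password at `rate` hashes/second. This is the
    worst case for the attacker; a random password falls, on average,
    after half of the keyspace."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def implied_rate(charset_size: int, length: int, years: float) -> float:
    """Hash rate a quoted 'years to crack' figure must have assumed
    (full keyspace), so it can be compared against a trusted benchmark."""
    return keyspace(charset_size, length) / (years * SECONDS_PER_YEAR)


THREAD_FIGURE_YEARS = 6.046727765959351e18   # the 16-char, cost-10 claim above


def comparison_table(rate_cost_10: float) -> dict:
    """Years to exhaust several policies, given a hash rate at cost 10."""
    return {
        "16 alnum, cost 10": years_to_exhaust(len(ALNUM), 16, rate_cost_10),
        "16 alnum, cost 12": years_to_exhaust(len(ALNUM), 16, rate_at_cost(rate_cost_10, 10, 12)),
        "16 printable, cost 10": years_to_exhaust(len(ALL_PRINTABLE), 16, rate_cost_10),
        "8 alnum, cost 10": years_to_exhaust(len(ALNUM), 8, rate_cost_10),
        "8 alnum, cost 5": years_to_exhaust(len(ALNUM), 8, rate_at_cost(rate_cost_10, 10, 5)),
    }


if __name__ == "__main__":
    rate = implied_rate(len(ALNUM), 16, THREAD_FIGURE_YEARS)
    print(f"rate implied by the thread's figure: {rate:.0f} H/s at cost 10")
    for label, years in comparison_table(rate).items():
        print(f"{label:>22}: {years:.3g} years")
```

The useful check is `implied_rate`: plug in the years figure and see what per-second rate it assumes, then compare that with a hashcat benchmark for the same cost. The table also makes the trade-off visible: raising cost from 10 to 12 quadruples the attacker's time for every password, while shortening a random password from 16 to 8 characters removes a factor of 62^8 regardless of cost.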
The Gab passwords are hashed using bcrypt. I don't know what their cost factor was configured as.
Yep. As the other guy said, rainbow tables will probably snag a decent percent of real-world passwords. The good passwords are safe, but Darth Helmet's luggage code will be easy pickings. And the people using bad passwords tend to reuse them.
They won't.
Rainbow tables are completely ineffective once you introduce a salt of sufficient length to the password because you've now made the storage requirements exponential.
Since bcrypt uses a salt of 22 characters encoded as base64, this gives you a possibility of:
5444517870735015415413993718908291383296
combinations just for the salt alone. You're not going to be storing rainbow tables for that many salts much less the 31 character password+salt hash that follows.
Read this response on SO for an explanation why.
Rainbow tables are only effective for something like MD5 without salting.
Read this on rainbow table defenses and on bcrypt specifically.
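An added example, not code from any of the posts, for the salt argument above. Part 1 splits a bcrypt string into its fields so you can see where the 22-symbol salt and 31-symbol hash sit and reproduce the 64^22 count quoted in the thread; one caveat worth knowing is that bcrypt only draws 16 random bytes (128 bits) for the salt, so the 22nd symbol carries 2 useful bits and the real salt space is 2^128, which changes nothing about the conclusion. Part 2 builds a precomputed table over a small wordlist and shows that it works against unsalted hashes and finds nothing once each hash carries its own salt. `SAMPLE` is a constructed string in the right shape (not the hash of any real password), `WORDLIST` is constructed, and SHA-256 stands in for the digest in part 2 only so the demo runs on the standard library; it is not a suitable password hash and bcrypt is.

```python
"""Why a per-password salt defeats rainbow and lookup tables.

Added example for this thread, not code from any of the posts. SAMPLE and
WORDLIST are constructed. SHA-256 is used as a stand-in digest in part 2
only so the demo runs on the standard library; it is not a password hash.
"""
import hashlib
import os
import re
import string

# ---- Part 1: bcrypt string layout ---------------------------------------

# bcrypt's own base64 alphabet: 64 symbols, 6 bits each.
BCRYPT_ALPHABET = "./" + string.ascii_uppercase + string.ascii_lowercase + string.digits
# $<version>$<cost>$<22-symbol salt><31-symbol hash>, 60 characters total.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample in the right shape; it is not the hash of any real password.
SAMPLE = "$2b$10$abcdefghijklmnopqrstuu0123456789ABCDEFGHIJKLMNOPQRSTU"


def parse_bcrypt(h: str) -> dict:
    """Split a bcrypt modular-crypt string into its fields."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt string")
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),
        "salt": salt,
        "hash": digest,
        # 22 symbols x 6 bits = 132 bits of encoding, the count the thread
        # quotes. The generator draws 16 random bytes (128 bits), so the
        # last symbol carries only 2 useful bits: real salt space is 2**128.
        "encoded_salt_values": len(BCRYPT_ALPHABET) ** len(salt),
        "random_salt_values": 2 ** 128,
    }


# ---- Part 2: table lookup with and without a salt -----------------------

WORDLIST = [b"password", b"12345", b"letmein", b"qwerty", b"hunter2"]  # constructed


def unsalted(pw: bytes) -> str:
    return hashlib.sha256(pw).hexdigest()


def salted(pw: bytes, salt: bytes) -> str:
    return hashlib.sha256(salt + pw).hexdigest()


def build_table(words) -> dict:
    """The precomputation: hash -> password, paid for once, reused forever."""
    return {unsalted(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    """O(1) per leaked hash, but only if the stored hash was computed
    exactly the way the table was (same input, no salt)."""
    return table.get(stored_hash)


def guess_per_account(words, stored_hash: str, salt: bytes):
    """What a salt reduces the attacker to: re-hash the wordlist for every
    account, because no precomputed value includes this account's salt."""
    for w in words:
        if salted(w, salt) == stored_hash:
            return w
    return None


def table_entries_to_cover(words, salt_bits: int) -> int:
    """Entries a precomputed table would need to cover every possible salt."""
    return len(words) * 2 ** salt_bits


def demo() -> dict:
    table = build_table(WORDLIST)
    victim = b"12345"
    salt = os.urandom(16)  # same salt size bcrypt uses
    return {
        "unsalted_hit": lookup(table, unsalted(victim)),          # found
        "salted_hit": lookup(table, salted(victim, salt)),         # None
        "salted_guess": guess_per_account(WORDLIST, salted(victim, salt), salt),
    }


if __name__ == "__main__":
    fields = parse_bcrypt(SAMPLE)
    print(f"cost={fields['cost']} salt={fields['salt']!r} ({len(fields['salt'])} symbols)")
    print(f"encoded salt values: {fields['encoded_salt_values']}")
    print(demo())
    print(f"table entries for {len(WORDLIST)} words x 128-bit salt: "
          f"{table_entries_to_cover(WORDLIST, 128):.3e}")
```

The salt does not stop `guess_per_account` from finding a weak password; it stops the attacker from amortising that work across accounts, which is exactly the point made above about bad passwords still being easy pickings. The cost factor is what makes each of those per-account guesses expensive, which is why the two settings are checked together when reviewing a stored-password scheme.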
Cool. Thanks for the info. I have a cyber security cert, but salting was only covered briefly in the course and not mentioned in the test.
Cert programs never cover the underlying details of cryptographic primitives, so I'm not surprised. Nor do they explain why things are the way they are.
If this is an area you're interested in, I would highly recommend the book Applied Cryptography by Bruce Schneier. There are others, but his is a great introduction on how a lot of this stuff works; it provides enough detail without getting buried in the weeds.