
Update: Password Storage Cheatsheet #1043

Closed
oddcb opened this issue Jan 2, 2023 · 5 comments
Labels: ACK_WAITING (issue waiting acknowledgement from core team before starting the work to fix it), HELP_WANTED (issue for which help is wanted to do the job), UPDATE_CS (issue about the update/refactoring of an existing cheat sheet)

Comments

oddcb (Contributor) commented Jan 2, 2023

What is missing or needs to be updated?

PBKDF2 iterations.

Looking into the past commits to the cheat sheet it seems the current ones were sourced from:

https://twitter.com/sc00bzt/status/1322164349738262528

These recommendations were updated again this December:

Parallel PBKDF2
PPBKDF2-SHA512: cost 2 (Based on RTX 4090 as "1.5 GPUs")
PPBKDF2-SHA256: cost 5 (Based on RTX 4090 as "1.5 GPUs")
PPBKDF2-SHA1: cost 10 (Based on RTX 4090 as "1.5 GPUs")

PBKDF2 (worst)
PBKDF2-HMAC-SHA512: 210,000 iterations (Based on RTX 4090 as "1.5 GPUs")
PBKDF2-HMAC-SHA256: 600,000 iterations (Based on RTX 4090 as "1.5 GPUs")
PBKDF2-HMAC-SHA1: 1,300,000 iterations (Based on RTX 4090 as "1.5 GPUs")

https://infosec.exchange/@sc00bz/109599362314030488

See also: https://tobtu.com/minimum-password-settings/

How should this be resolved?

Update cheat sheet with new values. I'd also add a reference to source for anyone wondering where these numbers come from.
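As an added example (not code from the issue, from sc00bz, or from the OWASP cheat sheet), the snippet below shows how an application can pin the PBKDF2-HMAC iteration counts quoted above as a minimum policy, store them alongside each hash, and flag records that were produced with fewer iterations so they can be re-hashed at the user's next successful login. It covers standard PBKDF2-HMAC only, not the "Parallel PBKDF2" variant. The record format (`pbkdf2_<digest>$<iterations>$<salt>$<dk>`), the 16-byte salt and the 32-byte derived key are my own assumptions, not values from the cheat sheet.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Minimum PBKDF2-HMAC iteration counts quoted in this issue (sc00bz, Dec 2022
# update). Keys are hashlib digest names.
MIN_ITERATIONS = {
    "sha512": 210_000,
    "sha256": 600_000,
    "sha1": 1_300_000,
}

SALT_BYTES = 16  # assumption: 128-bit random salt per password
DK_LEN = 32      # assumption: 256-bit derived key


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, digest: str = "sha256",
                  iterations: int | None = None, salt: bytes | None = None,
                  enforce_minimum: bool = True) -> str:
    """Return a self-describing record: pbkdf2_<digest>$<iterations>$<salt>$<dk>.

    enforce_minimum=False exists only to simulate legacy records in tests;
    production code should never pass it.
    """
    if digest not in MIN_ITERATIONS:
        raise ValueError(f"unsupported digest: {digest}")
    if iterations is None:
        iterations = MIN_ITERATIONS[digest]
    if enforce_minimum and iterations < MIN_ITERATIONS[digest]:
        raise ValueError(
            f"{iterations} iterations is below the minimum "
            f"{MIN_ITERATIONS[digest]} for PBKDF2-HMAC-{digest.upper()}")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"pbkdf2_{digest}${iterations}${_b64(salt)}${_b64(dk)}"


def parse_record(record: str) -> tuple[str, int, bytes, bytes]:
    """Split a stored record into (digest, iterations, salt, derived_key)."""
    scheme, iters, salt, dk = record.split("$")
    if not scheme.startswith("pbkdf2_"):
        raise ValueError("not a pbkdf2 record")
    return (scheme[len("pbkdf2_"):], int(iters),
            base64.b64decode(salt), base64.b64decode(dk))


def verify_password(password: str, record: str) -> tuple[bool, bool]:
    """Return (matches, needs_rehash).

    needs_rehash is True when the stored record was produced with fewer
    iterations than the current minimum for its digest, so the caller can
    upgrade it transparently after a successful login.
    """
    digest, iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # Constant-time comparison avoids leaking how many bytes matched.
    matches = hmac.compare_digest(candidate, expected)
    needs_rehash = iterations < MIN_ITERATIONS.get(digest, 0)
    return matches, needs_rehash


def login_and_upgrade(password: str, record: str) -> tuple[bool, str]:
    """Verify a login and, if the record is stale, return a re-hashed record
    under the current minimum for the same digest (the plaintext is only
    available at login time, so this is the moment to upgrade)."""
    ok, stale = verify_password(password, record)
    if ok and stale:
        digest = parse_record(record)[0]
        return True, hash_password(password, digest=digest)
    return ok, record


if __name__ == "__main__":
    # Constructed sample: a record hashed before the iteration bump.
    legacy = hash_password("correct horse", iterations=10_000,
                           enforce_minimum=False)
    print("legacy verify:", verify_password("correct horse", legacy))
    ok, upgraded = login_and_upgrade("correct horse", legacy)
    print("upgraded to:", parse_record(upgraded)[1], "iterations")
```

Because the iteration count travels with each record, raising the minimum later is a one-line change to the table: existing users are verified with the count they were hashed under and migrated the next time they authenticate.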

oddcb added the ACK_WAITING, HELP_WANTED and UPDATE_CS labels Jan 2, 2023

jmanico (Member) commented Jan 4, 2023

This is super useful. Would you care to PR? If not I can.

Moksh45 (Contributor) commented Jan 22, 2023

Could you please provide me with additional information regarding this issue?

kwwall (Collaborator) commented Jan 23, 2023

@Moksh45 Specifically, what additional information regarding this issue are you seeking? If you are referring to specific comments made on these 2 PRs, then please reference a link to the specific comment and, when asking about it, please also @-mention the individual who made the comment. Otherwise, we have to look for it and try to guess what you are specifically asking about. Thanks!

Moksh45 (Contributor) commented Jan 23, 2023

@kwwall The issue I had regarding these two pull requests has been resolved.

Thank You.

jmanico pushed a commit that referenced this issue Jan 23, 2023
* Update PBKDF2 work factors according to RTX4000

* PBKDF2 work factor in introduction

* Minor formatting changes for PBKDF2 section

* Fix trailing space
szh added a commit that referenced this issue Jan 29, 2023
* Added Parallel PBKDF2 and resolved lint issues

* Added Login Throttling including subheading as Account Lockout

* Update cheatsheets/Authentication_Cheat_Sheet.md

Made Account Lockout as a new subheading

Co-authored-by: Shlomo Zalman Heigh <[email protected]>

---------

Co-authored-by: Suyash Srivastava <[email protected]>
Co-authored-by: Shlomo Zalman Heigh <[email protected]>
mackowski (Collaborator) commented

I see that this is already addressed. I am closing the issue
