15

I'm sure everyone here has seen the rise and further rise of bitcoin. The process used for mining bitcoin is basically "let's brute force an SHA256 hash that is less than this amount"

That being said, it seems to really be getting popular. Now there are extremely fast ASIC miners out there that are capable of over 60,000 Mhashes/s

Although they are probably rather specialized for bitcoin, I assume it wouldn't be impossible to put them to black/gray-hat use and employ their bruteforce power to find a password from a salt and hash. Because of this, should SHA256 be considered a risky algorithm to trust passwords to?

Earlz
  • 604
  • 2
  • 6
  • 15

3 Answers3

15

Ability to compute a lot of hashes very fast with dedicated hardware is a problem for password hashes, but not a new problem. Before the advent of ASIC specialized in SHA-256, we were already taking FPGA into account (see for instance this research machine, from already five years ago). An ASIC can roughly be clocked at two to three times the frequency of the equivalent FPGA; mass production further lowers costs. This does not qualitatively changes the situation, but it sure gives a boost to the attacker, something like, say, 3 bits or entropy.

Of course, a simple SHA-256 for password hashing is not a good idea; it is way too fast even when the attacker has "only" classic PC; I assume we are talking here about PBKDF2, a construction for slow hashing which relies on an underlying PRF, usually HMAC, which itself is built over a hash function such as SHA-256.

Theory already says that, all other things being equal, password hashing should use the underlying hash function that is most efficient on the hardware which will process it in the "honest system", i.e. a PC. That's the point of hashing functions such as bcrypt or scrypt. If you want to stick to PBKDF2, using SHA-512 would be a good idea, because SHA-512 uses a lot of 64-bit arithmetic operations, something which a modern PC is very good at, but which GPU suck at. ASIC specialized in SHA-256 do not change that recommendation.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • besides, ASICs can't be used for arbitrary hashing (anything which is not mining basically): http://bitcoin.stackexchange.com/a/7264/1666 – defhlt Apr 23 '13 at 20:51
5

SHA256 has never been considered a secure algorithm for password hashing. Use bcrypt, pbkdf2 or scrypt instead.

See this is amazing answer by @ThomasPornin for more information.

  • Well, it seems that it was always "good enough" when compared to md5 and is the default in many authentication setups – Earlz Apr 15 '13 at 17:33
  • 7
    @Earlz Most programmers know nothing about security. –  Apr 15 '13 at 17:34
  • @Earlz Many developers think that, but it is a pretty common misconception. It does not approach "good enough" even when looking at hardware from 3-5 years ago. It is better than md5, but not "good enough." – Anorov Apr 16 '13 at 22:03
4

ASICs are usually OTP (one time programmable [they are made directly from wafers]), so you can't reprogram them (e.g. switch to SHA1 or implement HMAC) and use them for cracking. Bitcoin uses two times iterated SHA256 (Mining), which is pretty useless in security considerations.

Please refer to Wikipedia concerning ASIC

Dr.Ü
  • 1,029
  • 8
  • 16