-3

Salted hashes don't seem to offer any real protection for user passwords by itself. So long as a hacker has a quick way to check if a password is right or wrong, it's trivial to brute force it to view the plain-text passwords. Especially if the attacker is using GPUs or an FPGA/ASIC solution.

From what I've gathered, I should be sending my hashed+salted passwords to a (hardened) dedicated server on my network whose sole task is validation (via secret keys). A hacker would have to gain access to both servers before plain-text passwords could be retrieved. I like this solution, but I don't like the cost of renting another server.

Are there any alternatives to using a dedicated validation server?

AviD
  • 72,708
  • 22
  • 137
  • 218
Mr. Smith
  • 207
  • 2
  • 8

2 Answers2

3

The usual solution is just to enforce passwords that are of a length which makes brute forcing very non-trivial.

Have a look at any of our questions on password strength or entropy and you'll see what password complexity/length is required to make sure even GPU-based brute forcers will fail over a time frame you need.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
1

The proper solution is not to use a simple salted hash, but instead a slow algorithm specifically designed for protecting passwords - such as bcrypt, PBKDF2, or scrypt.

There are plenty of questions here on how to properly protect passwords, and on those algorithms...

AviD
  • 72,708
  • 22
  • 137
  • 218