PepeDeLew

Reputation: 346

Is it possible to harden AES encryption against brute force attack?

Is there any way to harden AES encryption against brute-force attacks without strengthening the password? I mean users generally choose easy passwords. I don't want to force users to choose more and more complicated passwords. (This is the correct solution, but it is useless when they forget their passwords continuously and cannot use their password.) They choose their passwords from uppercase, lowercase and digits, and the password length is 8. I want to make brute-force attacking difficult without changing these password properties.

EDIT: Password length is exactly 8. Less length is not acceptable. And one more question on the replies: is keeping encrypted text in memory (using salting and key stretching) a security problem?

Upvotes: 2

Views: 1114

Answers (4)

Hubert Kario

Reputation: 22850

If you want to secure your users against using passwords like "password", "12345678" or similar, then no, there's no way to harden them.

You must be able to check whether the provided password matches the hash you have in reasonable time (that is, less than 1 s on average hardware). Brute forcing simple passwords, even when checking equality between hash and password takes 1 s, will take less than a day on an average PC.

If you want to secure average-quality passwords (not in the top 1000 most common passwords or single words from a few of the most commonly spoken languages), then password/key stretching is your best bet: scrypt, bcrypt or the standard PBKDF2 are good choices.

Upvotes: 1

Rik

Reputation: 90

Using multiple rounds will slow down the process of trying out passwords, but that's about all I can think of.

Upvotes: 0

Asti

Reputation: 12687

It's hard to comment on the problem without knowing the exact nature of how it's being used. (For example, can the password only be stored as 8 characters?)

That said, choosing a good salt makes brute forcing harder. Most passwords stolen today are the result of failure to implement proper salting.

For more security you can employ consistent hashing to shard the salt over a range of values.

Upvotes: 2

Kimvais

Reputation: 39578

I'm tempted to say: No, it is not possible. In order to make the brute-force attack harder, you need more entropy.

That being said, you can actually make the guessing process slower if you do key stretching.

Upvotes: 3
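Hubert Kario's and Kimvais's answers both point to key stretching, and Asti's to per-item salting. The Python script below is an added example (my own, not code from any of the answerers) showing how those two pieces fit together when an 8-character password from the question's character set is turned into an AES key. It uses only the standard library's `hashlib.pbkdf2_hmac` (PBKDF2-HMAC-SHA256, one of the stretching functions Hubert names); the salt size, the iteration-calibration routine, and the sample password `"Abcdef12"` are my own assumptions, and the timing numbers it prints depend on the machine it runs on.

```python
import hashlib
import os
import time

# Password policy from the question: upper + lower + digits, length exactly 8.
ALPHABET_SIZE = 26 + 26 + 10
PASSWORD_LENGTH = 8
SALT_BYTES = 16           # assumed salt size; random, stored in the clear next to the ciphertext
KEY_BYTES = 32            # AES-256 key length


def keyspace_size(alphabet_size: int = ALPHABET_SIZE, length: int = PASSWORD_LENGTH) -> int:
    """Number of candidate passwords an exhaustive attacker must try at most (62**8 here)."""
    return alphabet_size ** length


def new_salt() -> bytes:
    """Fresh random salt per encrypted item (the 'proper salting' Asti's answer refers to)."""
    return os.urandom(SALT_BYTES)


def derive_aes_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the password into an AES key with PBKDF2-HMAC-SHA256.

    The salt is not secret; it only has to be unique, so work precomputed against
    one ciphertext cannot be reused on another. The iteration count is what makes
    every guess (the attacker's as well as the legitimate user's) cost more.
    """
    if len(salt) < SALT_BYTES:
        raise ValueError("salt must be at least %d random bytes" % SALT_BYTES)
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the wall-clock cost of one derivation on this machine."""
    salt = new_salt()
    start = time.perf_counter()
    for _ in range(samples):
        derive_aes_key("Abcdef12", salt, iterations)   # constructed sample password
    return (time.perf_counter() - start) / samples


def calibrate_iterations(target_seconds: float, probe_iterations: int = 10_000, minimum: int = 10_000) -> int:
    """Pick an iteration count so that one derivation takes roughly target_seconds.

    Hubert Kario's answer gives the user-facing constraint: a legitimate check must
    still finish in reasonable time (under about 1 s). PBKDF2 cost is linear in the
    iteration count, so scale from a short probe run and never go below a floor.
    """
    per_guess = seconds_per_guess(probe_iterations)
    scaled = int(probe_iterations * target_seconds / per_guess)
    return max(minimum, scaled)


def worst_case_seconds(per_guess_seconds: float, keyspace: int = keyspace_size()) -> float:
    """Time to exhaust the whole keyspace on a single machine at the given per-guess cost."""
    return per_guess_seconds * keyspace


def demo() -> dict:
    """Derive a key for the sample password and report what stretching buys on this machine."""
    salt = new_salt()
    iterations = calibrate_iterations(0.25)          # ~0.25 s per legitimate unlock
    key = derive_aes_key("Abcdef12", salt, iterations)
    cost = seconds_per_guess(iterations)
    return {
        "iterations": iterations,
        "salt_hex": salt.hex(),
        "key_hex": key.hex(),
        "seconds_per_guess": cost,
        "worst_case_years_single_machine": worst_case_seconds(cost) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `worst_case_years_single_machine` figure is deliberately naive: it assumes one machine running the same code as the defender, whereas a real attacker parallelises across many cores or GPUs and pays no per-guess cost beyond the stretching itself. That is why Kimvais's point stands: stretching multiplies the attacker's work by the iteration count, but the 62^8 keyspace of the question is fixed, and only more entropy in the password changes that exponent.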
