Steve

How should one defend against an off-line brute force password attack?

I was wondering if it was a common practice to salt and hash a password like

E(padding || hash(salt || password))

where || is concatenation and E uses RSA for example. I'm primarily asking this question for transport of a password database (not online storage where the server would have the private key to decrypt the encrypted password at all times).

I know that a cryptographic hash should be irreversible, but an off-line brute force attack on weak passwords would easily reveal a password. To eventually decrypt a record in this database, the server will know the length of padding and simply take away padding to reveal hash(salt || password).

This is not a typical problem, but I couldn't find a reference as to someone having to properly transport a password database and defend against an offline attack.

Upvotes: 3

Views: 2500

Answers (6)

bikeshedder

Reputation: 7487

The only way to protect against brute-force attacks is to use a slow hashing algorithm. Right now bcrypt or PBKDF2 is the way to go, as it can be configured to require a lot of CPU time and ridiculous amounts of RAM. As CPUs get faster and memory cheaper, you just need to increase the settings and slow down the hashing.

It really makes a difference if you can guess millions of hashes per second or only a few dozen.

CodingHorror has a great article about this topic: http://www.codinghorror.com/blog/2012/04/speed-hashing.html

Upvotes: 2
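
An added example (not part of the answer above or of the original thread) of the slow, salted hashing it describes, using PBKDF2 from Python's standard library and storing the iteration count in each record so the work factor can be raised later. The record format, the function and constant names, and the iteration value are assumptions of this example.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"          # record label chosen for this example
CURRENT_ITERATIONS = 600_000    # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)  # unique random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # a malformed record never verifies
    if algo != ALGO or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def needs_rehash(record: str) -> bool:
    """True when the record uses a lower work factor than the current one."""
    try:
        algo, iterations, _, _ = record.split("$")
        return algo != ALGO or int(iterations) < CURRENT_ITERATIONS
    except ValueError:
        return True


def login(password: str, record: str):
    """Verify; on success return (True, record), upgraded if it was outdated."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)  # re-hash while the plaintext is available
    return True, record
```

Old records keep verifying with their stored iteration count and are upgraded at the next successful login, so the setting can be increased without resetting passwords.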

Moose

Reputation: 5422

All the other responses are good, but I'd add:

Force password changes on a regular basis.

This is the sure way to disrupt offline brute force attacks. It's harder to hit a moving target.

Upvotes: -1

Lasse V. Karlsen

Reputation: 391456

Encrypt the password file with something strong, then it doesn't matter how the passwords are stored inside the file.

I.e., use something like PGP for transport.

I noticed that this answer has been downvoted once, before someone else upvoted it, and just thought I would clarify it, since I suspect the person that downvoted my answer didn't actually read the question. On the other hand, perhaps full encryption of the entire file is not possible for the person asking the question. This would be a handy clarification in the question if that is the case.

Anyway, the question specifically states that this is about transporting the data(base). It also specifically states that this is not about online storage and usage.

As such, using a safe and secure encryption method for the entire file is really the best way to go, as then you're not limited to having to manipulate the file contents to try to mask each individual password.

Instead, the whole file would be meaningless, and if more than just the password file is to be transported, it would be lumped together with, and thus encrypted together with, a lot more data, making the process of identifying the passwords nearly impossible as well.

The attacks on such encrypted files are a lot less likely to succeed, if you pick a reputable encryption algorithm and implementation (PGP, GPG, etc.), than inventing something yourself, or at the very least making it easy for the attacker to find the individual passwords in small chunks.

Upvotes: 4

Sam Becker

Reputation: 19646

The point would be that you would salt the password in the same way when you are comparing it while logging a user in and while storing the password. Having a good salt would prevent someone doing a standard lookup and it would also strengthen the hash against dictionary attacks. If the salt and the password are combined within a hash it would greatly reduce the use of offline attacks and you wouldn't need to take any special precaution of protecting it.

Upvotes: 1

Brian

Reputation: 25834

  1. Use passwords that won't show up in a dictionary.
  2. Use Key Strengthening.

Or just encrypt the password database itself. If you have no way to transport the decryption key, you can encrypt the decryption key using public key encryption.

Upvotes: 2

Fredou

Reputation: 20120

If you control the function that tries to decrypt the database, put a timer of 1 second between retries?

That would surely slow down the brute force a bit.

Upvotes: -2
