On Wed, May 27, 2015 at 01:51:35PM -0400, Barry Shein wrote:
> Getting a copy of the database of hashes and login names is basically useless to an attacker.

Not any more, if the hash algorithm isn't sufficiently strong:

25-GPU cluster cracks every standard Windows password in <6 hours
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard...

Quoting:

"Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn."

Consider as well that not all attackers are interested in all accounts: imagine what this system (or a newer one, this is 2.5 years old) could do if focused on only one account.

And of course epidemic password reuse means that cracked passwords are reasonably likely to work at multiple sites. And even if passwords aren't reused, there have now been so many breaches at so many places resulting in so many disclosed passwords that a discerning attacker could likely glean useful intelligence by studying multiple password choices made by a target. (We're all creatures of habit.)

---rsk