Is there a bruteforce-proof hashing algorithm?

Question

Well, from the discussion of hashing methods weaknesses, I've got that the only ol' good brute-force is efficient to break.

So, the question is:
Is there a hashing algorithm which is more rigid against brute-force than others?
In case of hashing passwords.

If *"the only ol' good brute-force is efficient to break"* is the lesson you took away from that thread then you weren't paying attention. OxA3 pointed you at a paper describing a pre-image attack on MD5 an order of magnitude faster than brute force. — dmckee --- ex-moderator kitten, May 06 '10 at 01:59

score 15 · Answer 1 · answered May 05 '10 at 08:11

15

The only protection against brute force is the fact that it takes an inordinately long time to perform a brute force.

Brute force works by simply going through every possible input string and trying it, one at a time. There's no way to protect against simply trying every possible combination.

answered May 05 '10 at 08:11

Dean Harding

71,468
13
145
180

1

I agree with @codeka, but you can make it even more difficult by implementing a time-delay after say, 3 unsuccessful login attempts in a row. Even though attempting to brute-force a password hash will take an extremely long time under normal circumstances, you can delay that by an order of magnitude simply by imposing a delay in your authentication routines of several seconds... – Richard May 05 '10 at 08:40
5

@Richard: you are talking about a login *process* - but the question was about the *algorithm* itself. You can not slow down a MD5/SHA. – tanascius May 05 '10 at 09:04
@tanascius: You can make them slower by iterating over it multiple times. Of course, calculating MD5/SHA is still the same time, but to calculate it 1000 times is 1000 times slower. That is basically what pbkdf2 does. Scrypt, bcrypt are similar, and add some extra memory consumption to make even more expensive for GPUs and ASICs calculate. That is basically what you can do against off-line brute force atacks. – ReneSac Sep 04 '12 at 23:05
@ReneSac: of course you are right. But my comment was related to Richard's comment - and via the login process you can not slow down the implemented algorithm (whatever it is). You have to choose the right algorithm behind the GUI. – tanascius Sep 05 '12 at 09:20
Note that while you can't slow down any given algorythm, there are some algorythms specifically designed to be slow (read: just-fast-enough for human users) such as BCrypt – David Oct 14 '14 at 15:33

Your Common Sense · Accepted Answer · 2020-11-25T06:26:31.270

3

This question is a decade old and now I've got the answer.

Yes, there are bruteforce-proof algorithms. The key for such algo is being slow. It will do no harm if correctness will be verified in a few milliseconds. But it will drastically slow the brute-force. Moreover, those algorithms can adapt to the future CPU's performance increase. Such algorithms include

Particularly in PHP, the password_hash() function must be used for hashing passwords

edited Nov 25 '20 at 06:26

answered Nov 25 '20 at 06:07

Your Common Sense

156,878
40
214
345

It's worth pointing out that [there was an answer with this conclusion 10 years earlier](https://stackoverflow.com/a/2771619/157957), it just didn't list any specific examples. (It couldn't have listed Argon2, because that hadn't been designed yet, but bcrypt already had this property.) – IMSoP Oct 27 '21 at 14:49

Michael Borgwardt · Answer 3 · 2010-05-05T08:53:11.977

1

If you know that the input space is small enough for a brute force attack to be feasible, then there are two options for protecting against brute-force attacks:

Artificially enlarging the input space. This isn't really feasible - Password salting looks like that at first glance, but it really only prevents attackers from amortizing the cost of a brute force attack across multiple targets.
Artificially slowing down the hashing through key strengthening or using a hash algorithm that is inherently slow to compute - presumably, it's only a small extra cost to have the hash take a relatively long time (say, a tenth of a second) in production. But a brute-force attacker incurs this cost billions of times.

So that's the answer: the slower a hash algorithm is to compute, the less susceptible it is against brute-forcing the input space

(Original Answer follows)

Any additional bit in the output format makes the algorithm twice as strong against a straightforward brute force attack.

But consider that if you had a trillion computers that could each try a trillion hashes per second, it would still take you over 100 trillion years to brute-force a 128 bit hash, and you'll realize that a straightforward brute-force attack on the output is simply not worth wasting any throughts on.

Of course, if the input of the hash has less than 128bits of entropy, then you can brute-force the input - this is why it's often feasible to brute-force password cracking (Nobody can actually remember a password with 128 bits of entropy).

edited May 05 '10 at 08:53

answered May 05 '10 at 08:37

Michael Borgwardt

342,105
78
482
720

1

In practice, there are *password safes* around - you have to remember the master password only. The single passwords you are using to authenticate can have a very high entropy (and should have). – tanascius May 05 '10 at 08:46
@tanascius: in practice, only a tiny fraction of people know about those and are willing to deal with the extra hassle. – Michael Borgwardt May 05 '10 at 08:54
Unfortunately ... but the original question is still about *bruteforce-proof hashing algorithm* ... and the output length is in my opinion the most important parameter. Yes, slowing down the hashing will increase security (and yes, adding salt will do so, too). But any algorithm itself *is* fast (as will always be, this is a design goal) - you can slow down the authentication process - but that is a good answer for another question. I hope I can clarify my point - and I still hope that my answer is that wrong. – tanascius May 05 '10 at 09:01
@tanascius: people are coming around to the realization that with a hashing algorithm, *slowness* can be a desirable design goal. – Michael Borgwardt May 05 '10 at 09:04
I don't think so ... I read a bit about the http://en.wikipedia.org/wiki/NIST_hash_function_competition. Skein for instance explicitly states that speed is a design goal (*"Skein is fast."*, http://www.skein-hash.info/about). And again: the authentication *process* should be slow, no question, but the *algorithm* should be fast. – tanascius May 05 '10 at 09:08
2

@tanascius: Wrong. When you're hashing passwords, it's the *algorithm* that should be slow, because that cannot be circumvented - even when the attacker has a DB dump and does the brute-force attack offline. But of course passwords are not the only thing that is hashed - there can be different hashing algorithms design for different applications. – Michael Borgwardt May 05 '10 at 09:15
Did you look at the links I posted? Speed is a design goal. And SHA-3 will certainly be used for passwords, too. So a plain *wrong* is not enough, here. You are right - when the attacker has a db dump it is the time he needs to crack the passwords that matters. But that can be increased by using hashes with more bits, too. Of course you could use 1000 concatenated SHA hashed instead of one SHA. That will slow him down by factor 1000, too. But just 10 more bits will slow him down by factor 1024 (given "perfect" entropy) ... For a raw brute force attack the bit values do matter. – tanascius May 05 '10 at 09:29
1

@tanascius: Wrong again. A brute force attack on the hash output is already utterly impossible for 128bit. But with passwords, you attack the input, and that makes the size of the hash output irrelevant. And sure, you *can* use a hash algorithm designed for speed to hash passwords - it's just a *bad choice* for that purpose. For an example of an algorithm designed for slowness, see http://www.usenix.org/event/usenix99/provos/provos_html/node4.html – Michael Borgwardt May 05 '10 at 12:17
But may I remind you that MD5 is considered to be broken, not because a brute force attack on the input space is possible. But rather for the flaws in the algorithm that reduce the output space from 128bit to less? So the output space matters ... It maybe irrelevant if you have 128 or 160 bits today, but in the future it can be a huge difference. Nevertheless, I admit, that your answer "use a slow algorithm" is right, too. – tanascius May 05 '10 at 13:34
@tanascius: sure, weaknesses in the algorithm are a different matter. But I don't think you can assume that a larger output means the algorithm will remain more secure when weaknesses are found. And I'm not sure it's correct to say the weaknesses in MD5 are equivalent to a reduction of the output space. – Michael Borgwardt May 05 '10 at 13:38

score 0 · Answer 4 · answered Oct 14 '14 at 15:30

Brute force is the worst attack, nothing can be brute force proof...

right now ~80-90 bits is considered cryptographically safe from a brute force attack standpoint, so you only need 10 bytes if a Collision Resistant Hash function is perfect, but they aren't so you just do more bits...

the proof that nothing can be brute force proof is in the Pigeon Hole Principle.

since hash function H allows arbitrary sized input [0,1]^n and outputs constant output [0,1]^k when the size of input exceeds the output size:, n>k, there are necessarily some outputs that can be produced by more than one input.

you can visualize that with a square divided into 9 sub squares.

 0 | 0 | 0
 0 | 0 | 0
 0 | 0 | 0

these are your 9 holes. We are a brute force attacker, we have unlimited chances to attack... we have unlimited pigeons... but we at most need 10 to find a collision...

after 4 pidgeons and a good collision resistant hashing algorithm:

 P | 0 | 0
 0 | P | P
 0 | 0 | P

after 9 pidgeons:

 P | P | P
 P | P | P
 P | P | P

so our 10th pigeon will necessarily be a collision, because all of the holes are full.

but it really isn't even that good, because of another numerical property called the Birthday Paradox where given a number of independent selections you will find a duplicate much much faster than it takes to fill all of your "holes".

score 0 · Answer 5 · answered May 05 '10 at 08:14

0

Consider the output of the hash algorithms.

A MD5 (128 bit) or SHA-1 (160 bit) is certainly easier to brute-force than a SHA-2 (224, 384 or even 512 bit).

Of course, there can be other flaws (like in MD5 or a bit less in SHA-1) which weaken the algorithm a lot more.

answered May 05 '10 at 08:14

tanascius

53,078
22
114
136

2

what's the difference? As far as I understand brute-force, We have a string s, returned by a function f(x), and we want to find x. So, we just go over all variants of x. So, does it matter the form of s, if it's being used just to compare? – Your Common Sense May 05 '10 at 08:23
Well, you don't need to find **x**. It is sufficient to find *any* **y**, so that **f(x) = f(y)** ... It means that you don't have to enter the original password, but you can rather input any string as a password that will hash to the same value ... access will be given. Therefore as an attacker you don't attack the input space (which is arbitrary large), but the output of the hash to find *any* collision. – tanascius May 05 '10 at 08:33
2

the input space of passwords is arbitrarily large *in theory*. In practice, even when there are no explicit limitations on password length, nobody can remember a password that actually has 128 bits of entropy. So in practice, attacking the input space is much easier when it's passwords. – Michael Borgwardt May 05 '10 at 08:40
@Col. Shrapnel, @Michael: My point is, that an algorithm that outputs only 10 different values as a hash is easier to brute force than an algorithm that outputs 2^512 different values ... @Michael: isn't that what you wrote? *Any additional bit in the output format makes the algorithm twice as strong against a straightforward brute force attack.* – tanascius May 05 '10 at 08:40
yes, but that only applies when your input space is larger then the hash result. – Michael Borgwardt May 05 '10 at 08:55

score 0 · Answer 6 · answered May 05 '10 at 08:21

As Codeka said, no hashing algorithm is 100% secure against brute force attacks. However, even with hardware-assisted password cracking (using the GPU to try passwords), the time it takes to crack a sufficiently long password is astronomical. If you have a password of 8ish characters, you could be vulnerable to a brute force attack. But if you add a few more characters, the time it takes to crack increases radically.

Of course, this doesn't mean you're safe from rainbow attacks. The solution to that is to add a salt to your password and use a hashing algorithm that isn't vulnerable to preimage attacks.

If you use a salted password of 12-14 characters, preferably hashed with an sha2 algo (or equivalent), you've got a pretty secure password.

Read more here: http://www.codinghorror.com/blog/2007/10/hardware-assisted-brute-force-attacks-still-for-dummies.html

Nothing about passwords in the question - there are other uses for hashing. — Michael Borgwardt, May 05 '10 at 08:24
Hmm... I read Col. Shrapnel's previous question (mentioned in this one) and I remembered it being about passwords. I guess I just assumed this one was as well — Carson Myers, May 05 '10 at 08:33

rook · Answer 7 · 2010-05-05T08:47:43.017

0

All cryptographic systems are vulnerable to brute force. Another term for this is a "Trivial Attack".

A simple explanation for hashing is that all hashing algorithms we use accept an infinitely sized input and have a fixed sized output. This is an unavoidable collision, and for something like sha256 it takes 2^256 operations to find one naturally. md5() has a shortcut making it 2^39th operations to find a collision.

One thing you can do to make your passwords stronger is to hide your salt. A password hash cannot be broken until its salt is retrieved. John The Ripper can be given a Dictionary, a Salt and a Password to recover password hashes of any type. In this case sha256() and md5() will break in about the same amount of time. If the attacker doesn't have the salt he will have to make significantly more guesses. If your salt is the same size as sha256 (32 bytes) it will take (dictionary size)*2^256 guesses to break one password. This property of salts is the basis of CWE-760.

edited May 05 '10 at 08:47

answered May 05 '10 at 08:39

rook

66,304
38
162
239

6

Trying to hide the salt is IMO a fool's game. The system has to know the salt to verify logins, so anyone who breaks into the system can find out the salt. Any attempt to make that more difficult will only complicate the system needlessly, and complicated systems are vulnerable systems. Sure, it might be a good idea to have one component to the salt that's not in the database itself, just in case someone gets their hands on a DB dump, but beyond that it's not worth it. – Michael Borgwardt May 05 '10 at 09:01
The linked CWE has since been edited, and it's now clearer that it is not referring to *hiding* the salt, but to making sure the salt is *random*, rather than *predictable* (e.g. salting with a fixed string, or the username). – IMSoP Oct 27 '21 at 17:57

Is there a bruteforce-proof hashing algorithm?

7 Answers7

Linked