Just How Hard is it to Brute Force Attack Encrypted Keys?

Microsoft, Programming, Visual Studio No Comments

In today’s post Jeff Atwood from coding horror examines just how hard it is to brute force attack an encrypted key.

So how hard is it? Jeff quotes Jon Callas, the CTO of PGP corporation:

Imagine a computer that is the size of a grain of sand that can test
keys against some encrypted data. Also imagine that it can test a key
in the amount of time it takes light to cross it. Then consider a
cluster of these computers, so many that if you covered the earth with
them, they would cover the whole planet to the height of 1 meter. The
cluster of computers would crack a 128-bit key on average in 1,000

That is a staggering number. Imagine the difficulty of brute force attacking a 256-bit encrypted key!
He goes on to offer several other quotes, and analogies which really put the difficulty into perspective.

This leads me to another point I would like to make. Always encrypt passwords in a database. Except in extremely rare circumstances there is no reason to store user passwords in plain text. If the user forgets their password it is trivial to generate a new password for them, and store a 1-way hash of the new password in the database. When the user logs in, simply 1-way hash the password they entered (with the same algorithm) and compare the hash to the one stored in the database.

For security, user passwords should never be recoverable, even by administrators. This not only prevents a rouge employee from retrieving a list of all usernames and passwords in the system, but also protects against SQL injection attacks if you make a mistake securing you forms based authentication system.

Below is an example of a simple string in C#:

using System.Web.Security.FormsAuthentication;

private string HashPassword (string password2hash)
//hash password
string hashedpassword=
password2hash, “sha1”); return hashedpassword;

For a greater level of security, I recommend using a salted-hash, which
appends a number of random characters to a string prior to hashing.
This method will also prevent potential dictionary attacks. For those interested, David Hayden provides a simple method for adding a salt to hashes.

I highly recommend reading the blog posts by Jeff Atwood and David Hayden for more information of this subject.