01-11-2013, 06:25 PM
so, one year is "infinitely impossible" to you?
for one, you must have an awfully slow system. 256^7 at 23 G/s would take no more than five weeks. two, if you have access to the hashes you almost certainly have access to the encryption keys as well (and you do.)
so in the case of sha1(des(pass)), you are guaranteed 100% recovery of the entire password database in about a month, nearly regardless of the size of the database. that's less time than most people spend cracking large databases for only an 85-90% recovery rate.
it's purely security through obscurity. in the end, it ends up being significantly weaker than actually properly protecting the password.