Can these encrypted passwords be decrypted?

I want to code a social networking website but I have to be serious about security as people will be sharing personal information. Can these encrypted passwords be cracked? I’m not comfortable with paying someone to code and do security for me, as then I have to trust a third party. Even Snapchat got a data breach, and they are supposed to be professionals. As someone who studies computing, I’d like to learn about encryption and securing passwords myself.

I used wolframalpha and bcrypt generator to generate these encrypted passwords.

A Twitter employee says that once a password is salted (so he should have authority as he works for twitter), it cannot be decrypted, and some other people are saying otherwise.

eb188ccb1d24f4bz275a110472a6173d

$2a$08$Pa6L2eXPP5.WaMnd/U5vAO8aqyIVxv8wOhQhMn.XYfpUjRB7z8l/S

Yes, but not easily. Bump the log rounds from 8 to 12 if you’re worried about it. Don’t go higher, or you’ll affect performance.

The first one just looks like an MD5. If you didn’t salt it, you could probably put that in an online MD5 cracker and find it. Even if you don’t, then if it is an unsalted MD5, then someone with access to your database probably has a lookup table big enough.

Also don’t try to make them more secure by doing your own stuff to it. Just let BCrypt do its work. That’s what Ashley Madison did, and all they did was make their passwords crackable.

If all encrypted passwords can be decrypted but not easily, what’s the point of encrypting passwords?

A Twitter employee says that salted passwords cannot be decrypted, and I’d like to test his claim. Some people are saying he’s wrong, but if he’s wrong, why does he work for Twitter?

Also Stack Overflow says that hashed passwords can’t be decrypted and got the accepted answer.
How do I know if they’re right or not?

The second one uses bcrypt, and the first one uses a different method.

Can the first password be decrypted?

They both can. Any password can. Even a 32 log-round BCrypt string can. Whether or not you have enough power to do it is the question.

I think you’re misunderstanding both of those posts and reading what you want to read. The SO answer explains it nicely.

How much strength or cost do I need to use in bcrypt to defend against a rainbow table? Using a cost of 4 takes 4 minutes to generate a password, and that’s not realistic because it’ll make my website slow when people try to sign up; then they’ll leave my site thinking it’s crashed.

10 or 12 is recommended.

It should not. If this is taking 4 minutes on your machine, you have seriously underpowered hardware or something is wrong. A Pentium 1 wouldn’t take that long.

This link does not say that.

The column we’re really interested in is the “real” column. As you can see, a cost of 5 only takes about 250 milliseconds while a cost of 15 takes a whopping 250 seconds (around 4 minutes).

Each increase is an exponential increase.

Thank you for help.

Can both encrypted passwords be successfully decrypted? I tried asking on Stack Exchange but they think I’m trolling. I was told it was the funniest question they’d seen all day and one asked if I was trying to hack into someone else’s password so I revealed the first letter of both passwords. The first letters of the passwords are both s.

Also Ashley Madison used bcrypt and they still got their passwords cracked.

Yes. Eventually.

Because they did some other things that broke the BCrypt protection, instead of relying on BCrypt to do its job. They were trying to be smart, but they were stupid.

This link does not say that.

The column we’re really interested in is the “real” column. As you can see, a cost of 5 only takes about 250 milliseconds while a cost of 15 takes a whopping 250 seconds (around 4 minutes).

Each increase is an exponential increase.

The link does say that. Read this.

For the non-Ruby people, this is a simple benchmark script that shows the time it takes to hash “yorick” with BCrypt with a cost/work factor of 5, 10 and 15, a total of 100 times. The results of this benchmark would look like the following:

He’s talking about the time it takes to generate a hash from a plaintext password that someone types in from their keyboard.

No… it doesn’t.

https://www.dailycred.com/article/bcrypt-calculator

A lot of people in this thread have been telling you “yes”, and I think it requires further explanation.

Even if you do everything right, an attacker could still try to guess someone’s password (called brute forcing), and there’s nothing you can do to fully prevent that. The best you can do is slow them down. That’s where the cost factor comes in.

The article didn’t actually say that. It said salting makes it “impossible to create a rainbow table.” Also, who are these “some people” who say he’s wrong? What were their exact words?

The article didn’t actually say that. It says a cost of 5 takes 250 milliseconds, and the cost of 4 would be smaller but isn’t even ever mentioned.

They also used MD5, and that’s what led to the leak.

I’m going to be honest… I think you need to make a point to read articles a lot more carefully. That you seem to so consistently misread information might be why people start to think you’re trolling.

3 Likes
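Pulling the thread’s two technical points together (an unsalted MD5 falls to a precomputed lookup table, while a salted, slow hash with a tunable work factor only falls to per-guess brute force that the cost factor slows down), here is an added example that is not code from any poster or from the linked bcrypt article. It uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for bcrypt, because bcrypt needs a third-party package; the `cost` parameter mirrors bcrypt’s log rounds (iterations = 2^cost), and the wordlist, salt and stored-hash format are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for an attacker's precomputed lookup/rainbow table.
COMMON_PASSWORDS = ["123456", "password", "secret", "sunshine", "letmein"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the first hash in the thread resembles."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_lookup_table(words):
    """Precompute hash -> password once; the same table works against every
    site that stores unsalted MD5, which is why it is so cheap to reuse."""
    return {md5_hex(w): w for w in words}


def lookup(table, stored_hash):
    """A table lookup costs one dict access regardless of how the hash was made."""
    return table.get(stored_hash)


def salted_md5_hex(password: str, salt: bytes) -> str:
    """Same MD5, but with a per-user salt: the digest no longer matches any
    precomputed table, so an attacker must recompute per user and per guess."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password: str, cost: int) -> str:
    """Slow, salted hash. PBKDF2 is used here as a stand-in for bcrypt;
    2**cost iterations mirrors bcrypt's log-rounds work factor. The stored
    string carries its own cost and salt (a constructed format, not bcrypt's)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return f"pbkdf2${cost}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _, cost, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 2 ** int(cost)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def time_cost(cost: int, repeats: int = 3) -> float:
    """Average seconds per hash at a given cost; each +1 in cost doubles the work,
    which is the 'exponential increase' the thread refers to."""
    start = time.perf_counter()
    for _ in range(repeats):
        hash_password("yorick", cost)
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    table = build_md5_lookup_table(COMMON_PASSWORDS)
    print("unsalted MD5 of 'sunshine' in table:", lookup(table, md5_hex("sunshine")))
    print("salted MD5 of 'sunshine' in table:  ",
          lookup(table, salted_md5_hex("sunshine", b"constructed-salt")))
    for cost in (5, 10, 15):
        print(f"cost {cost:2d}: {2 ** cost:6d} iterations, {time_cost(cost) * 1000:.1f} ms per hash")
```

On a normal machine the three timings grow by roughly 32x per step of five, which is what the “real” column in the linked benchmark shows for bcrypt; pick the highest cost whose per-login delay your users will tolerate, since that same delay is what the attacker pays per guess.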

An analogy might help.

I put together a 4 piece jigsaw puzzle.
I challenge you to remove the pieces in the same order that I placed them.
At worst, it will take you 16 tries.

I put together a 16 piece jigsaw puzzle.
I challenge you to remove the pieces in the same order that I placed them.
At worst, it will take you 65536 tries.

I put together a 64 piece jigsaw puzzle.
I challenge you to remove the pieces in the same order that I placed them.
At worst, it will take you 1.8 × 10^19 tries.
(that’s 18 quintillion!!)

etc.

Can any and every possible challenge be solved? Yes

The larger the puzzle I put together, the more time and effort it will take me,

IMHO it should be a balance, e.g.
Protecting a forum account vs. protecting a bank account

For a forum account it might not be worth it to spend more to get the increased security.
For a bank account, it would be.

2 Likes

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.