by j-berman 1978 days ago
We use scrypt for password hashing. From the scrypt paper (which keep in mind is assuming hardware from 2002, and isn't assuming an attacker is using ASICs which have been developed since then), the estimated cost of hardware to brute force guess an 8 char password in 1 year is $4.8 million with our chosen parameters. [1]

Ultimately we strongly recommend that developers using the end-to-end encryption mode of Userbase recommend their users use a password manager, since losing their password means losing their data (and we try to make this extremely clear to any developers using Userbase via the admin panel and docs). A password manager randomly generating passwords makes this a non-issue.

But alas, we do recognize not everyone will, which is where scrypt comes into play.

[1] (p. 14): https://www.tarsnap.com/scrypt/scrypt.pdf
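As an added illustration (not Userbase's code, and using illustrative scrypt parameters that are an assumption, since the comment does not state the chosen ones), here is how a salted scrypt hash, a constant-time verify, and the keyspace arithmetic behind a "years to exhaust an 8-character password" estimate fit together in Python:

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Illustrative work factors (an assumption; the thread does not give Userbase's).
# scrypt's memory cost per hash is 128 * N * r bytes: 16 MiB with these values.
N, R, P, DKLEN = 2**14, 8, 1, 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def scrypt_memory_bytes(n: int = N, r: int = R) -> int:
    """Memory an attacker must provision for every guess computed in parallel."""
    return 128 * n * r


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, derived key); a fresh random 16-byte salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P,
                         maxmem=2 * scrypt_memory_bytes(), dklen=DKLEN)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so response timing does not leak the stored key."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def keyspace(length: int, alphabet: int = 95) -> int:
    """Number of passwords of the given length over printable ASCII (95 symbols)."""
    return alphabet ** length


def brute_force_years(guesses_per_second: float, length: int = 8, alphabet: int = 95) -> float:
    """Wall-clock years to exhaust the whole keyspace at a given guess rate."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def measured_guesses_per_second(samples: int = 3) -> float:
    """Guess rate of one core on this machine; dedicated hardware is far faster."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_password(f"guess-{i}", salt)  # constructed sample guesses
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rate = measured_guesses_per_second()
    print(f"{scrypt_memory_bytes() // 2**20} MiB per guess, {rate:.1f} guesses/s on one core")
    print(f"one core exhausting 8-char printable ASCII: {brute_force_years(rate):.3e} years")
```

The measured rate is only a single-core baseline; the paper's dollar figure comes from scaling the memory cost per guess across purpose-built hardware, which is why raising N and r matters more than the CPU time alone.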

1 comments

From the scrypt paper (which keep in mind is assuming hardware from 2002, and isn't assuming an attacker is using ASICs which have been developed since then)

Just to be clear, the scrypt paper assumes attackers use ASICs fabricated with 2002-era technology. Obviously there weren't any scrypt ASICs in 2002; but I was able to estimate what their performance and cost would have been.

Should have been clearer, thank you!

And thank you for the algorithm!