Move default security algorithm to something better
Maxetto opened this issue ยท 0 comments
hashcat, popular fast & powerful GPU hash cracking program, recently updated to version 6.0.0 (now 6.1.1), adding along many other things support for cracking the default SHA256 AuthMe algorithm.
This is quite bad, being able to crack at 400 MH/s with a single RX 580.
I've tested with something like a medium sized test database (around 2.5k players) and ended up cracking 30.5% of passwords in just 2 minutes with the RockYou wordlist.
I'd suggest moving SHA256 to the Acceptable category and change the default algorithm for all future installations to BCRYPT with at least 8 rounds or PBKDF2.
SALTEDSHA512 could also be an ok alternative for low CPU servers but last time I tried it, it was broken and it was impossible to log in. This algorithm serves just to slow down hashing speed as it should be already or easy to integrate in hashcat.
XAUTH could be another alternative as it's a custom Whirlpool function that should be low priority to a big program like hashcat.
Also this should be a great opportunity to bump up the minPasswordLength requirement to at least 6 (or better 8)