Salted hashes don\'t seem to offer any real protection for user passwords by its

Question

Salted hashes don't seem to offer any real protection for user passwords by itself. So long as a hacker has a quick way to check if a password is right or wrong, it's trivial to brute force it to view the plain-text passwords. Especially if the attacker is using GPUs or an FPGA/ASIC solution.

From what I've gathered, I should be sending my hashed+salted passwords to a (hardened) dedicated server on my network whose sole task is validation (via secret keys). A hacker would have to gain access to both servers before plain-text passwords could be retrieved. I like this solution, but I don't like the cost of renting another server.

Are there any alternatives to using a dedicated validation server?

Explanation / Answer

The usual solution is just to enforce passwords that are of a length which makes brute forcing very non-trivial.

Have a look at any of our questions on password strength or entropy and you'll see what password complexity/length is required to make sure even GPU-based brute forcers will fail over a time frame you need.

Related Questions

Navigate

• Browse (All)
• Browse S
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.