Is it possible to harden aes encryption against brute force attack?

2
votes

is there any way to harden aes encryption against brute force attack without strengthening password. I mean users generally choose easy passwords. I don't want to force users to choose more and more complicated password.(This is the correct solution but it is useless when they forget their passwords continuously, and they cannot use their password) They choose their passwords from uppercase, lowercase and digits. And password length is 8. I want to make it difficult to brute force attacking without changing these password properties.

EDIT: Password length is exactly 8. Less length is not acceptable. And one more question over replies, keeping encrypted text on memory (using salting and key stretching) is a security problem?

4
securityencryptionaespassword-protectionbrute-force
That's the second off topic question out of two Mehmet. - Maarten Bodewes

4 Answers

3
votes

I'm tempted to say that: No, it is not possible. In order to make the brute force attack harder, you need more entropy.

That being said, you can actually make the guessing process slower if you do key stretching.

2
votes

It's hard to comment on the problem without knowing the exact nature of how it's being used. (For e.g., can the password only be stored as 8 characters?).

That said, choosing a good salt makes brute forcing harder. Most passwords stolen today are the result of failure to implement proper salting.

For more security you can employ consistent hashing to shard the salt over a range of values.

1
votes

If you want to secure your users against using passwords like "password", "12345678" or similar, then no there's no way to harden them.

You must be able to check if provided password matches the hash you have in reasonable time (that is, less than 1s on average hardware). Brute forcing simple passwords even when checking equality between hash and password takes 1s will take less than a day on an average PC.

If you want to secure average quality passwords (not in the top 1000 most common passwords or single words from few most commonly spoken languages), then password/key stretching is your best bet: scrypt, bcrypt or the standard PBKDF2 are good choices.

0
votes

Using multiple rounds will slow down the process of trying out passwords but thats about all I can think of.