31 Comments
  • 10
    Long live Telegram and... what was it called again... MTProto? Always a top kek idea to bake your own crypto :v
  • 7
    @Condor

    Telegram has far more issues than MTProto though, the service does not know what security is.

    You can basically bruteforce every single account too.
  • 7
    > you can bruteforce something

    Well no fucking shit sherlock you can bruteforce anything given enough time, that's the motherfucking point of bruteforce
  • 3
    @Linux Exactly. I've registered there mainly for the CodrTalk but regard all its messages as well as my identity there just as public (and volatile) as it is here. It sucks that they know my phone number though... for services like that (and actually secure services like Signal) I should really get a separate SIM card.

    For secure messaging I'd choose PGP-encrypted email any day! Come to think of it - do you have a PGP public key that I can retrieve somewhere? Just in case I need to email you for something. I'll also confirm it against my own key while I'm at it :)
  • 5
    @sharktits True but the time it takes to bruteforce something plays a monumental role in its feasibility. I technically could bruteforce your bcrypt-hashed 200 char password, but it'd take me an insurmountable amount of time and thus not be worth it. Social engineering, heck even getting some hot AF dude to socialize, cuddle up and hopefully be able to go out with you and extract your password would be more feasible!

    The key in bruteforcing is in how much it costs in time and power. Some hashing algorithms like MD5 and SHA1 are absolute fucking garbage because they're so easy to bruteforce even with mediocre hardware. Others like bcrypt on the other hand aren't (yet).
  • 4
    @Condor pls get a hot dude to go out with me
  • 4
    @sharktits become a state-level MVP that I'd like to pull identity theft on with thousands of euros/dollhairs on resource budget, and I'll make it happen :3
  • 2
    @Condor honestly you can get a lot of chinese or russian people to give you money for my info haha
  • 2
    @sharktits don't devalue yourself so much! Even in the east people aren't very easy to persuade. Currently experiencing that firsthand with some stupid AliExpress sellers who still didn't escalate my goddamn issue to their engineering team -.-
    Granted, big fat checks might but eh, let's assume that they can't be bribed :)
  • 3
    While I agree with the general point of the article, some of the statements in there don't make much sense to me.
    For instance, they cite many SHA-1 password hashes being hacked as a reason why SHA-512 is bad. Wtf? That's kind of a non-sequitur.
    Also, 8-char passwords are easy to hash, therefore SHA-512 is bad. I mean, 8-char passwords are bad *regardless* of whatever algo you're using, so that's kind of a moot point really...
    Hell, even if you used something as heavy as Cryptonight you could still churn out 2kH/s on a single Vega GPU - sprinkle in some easy assumptions (such as uppercase+lowercase+numbers only), and you'll hack 90% of all passwords within a few days too.
    Sure, SHA-512 being such a lightweight algo doesn't help, but there's only so many things you can do to protect a bad password...
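    The two threads of argument above (the cost-per-guess point about MD5/SHA-1 versus bcrypt, and the observation that a single SHA-512 pass does little to protect a weak password) plus @Stallman's remark that online bruteforce protection is not hard come together in the following added example. It is not code from the article or from Telegram; the wordlist, salt and iteration count are constructed values, and PBKDF2-HMAC-SHA512 is used as the slow scheme simply because it ships with Python's standard library (bcrypt, scrypt or Argon2 would serve the same purpose).

```python
import hashlib
import hmac
import time
from collections import defaultdict

# --- Constructed sample data (not from the page) ---------------------------------
# A tiny candidate list standing in for the wordlists/masks a cracker would use.
WORDLIST = ["password", "letmein", "Telegram1", "hunter2", "correcthorse"]
SALT = b"constructed-per-user-salt"  # in a real system: os.urandom(16), stored per user
PBKDF2_ITERATIONS = 50_000           # assumed cost parameter; tune so one hash takes ~100 ms


def fast_hash(password: str, salt: bytes = SALT) -> bytes:
    """A single SHA-512 pass: the cheap scheme the thread is criticising."""
    return hashlib.sha512(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes = SALT, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA512: the same primitive, iterated so every guess costs the attacker too."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)


def dictionary_attack(target: bytes, hasher, wordlist=WORDLIST):
    """Offline guessing against a leaked hash; returns (recovered password or None, guesses made)."""
    for n, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hasher(candidate), target):
            return candidate, n
    return None, len(wordlist)


def seconds_per_guess(hasher, repetitions: int) -> float:
    """Wall-clock cost of one guess under a given scheme (single-threaded Python)."""
    start = time.perf_counter()
    for _ in range(repetitions):
        hasher("benchmark-guess")
    return (time.perf_counter() - start) / repetitions


def cost_ratio() -> float:
    """How many times more work one guess costs under PBKDF2 than under plain SHA-512."""
    return seconds_per_guess(slow_hash, 2) / seconds_per_guess(fast_hash, 20_000)


class LoginGuard:
    """Online bruteforce protection: lock an account after too many failed logins."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable so tests can use a fixed clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, user: str, password: str, stored_hash: bytes) -> str:
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"                     # refuse without even checking the password
        if hmac.compare_digest(slow_hash(password), stored_hash):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
        return "wrong"


if __name__ == "__main__":
    # A weak password falls to the wordlist under either scheme; only the price differs.
    print("SHA-512 :", dictionary_attack(fast_hash("hunter2"), fast_hash))
    print("PBKDF2  :", dictionary_attack(slow_hash("hunter2"), slow_hash))
    print("cost ratio per guess (PBKDF2 / SHA-512): %.0fx" % cost_ratio())
    guard = LoginGuard(max_failures=3)
    stored = slow_hash("hunter2")
    print([guard.attempt("alice", "nope", stored) for _ in range(3)], guard.attempt("alice", "hunter2", stored))
```

    The offline part makes the point both commenters are circling: `hunter2` is found after four guesses whichever scheme is used, so the hash function cannot rescue a bad password, but the `cost_ratio()` figure (tens of thousands on a typical CPU) is exactly the "time and power" multiplier that decides whether a full wordlist or mask run is worth an attacker's while. The `LoginGuard` part is the online side: a lockout after a handful of failures is a few lines of bookkeeping, which is why a service without it is rightly called out in the thread.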
  • 1
    @sharktits
    If a service does not have protection against it - it is a crap service. It is not hard to have protection against it.
  • 3
    @sharktits

    Well, what @Stallman said. Even WordPress sites have better protection against bruteforce.
  • 1
    The second I read about that feature I was like "oh god, please no".

    Thanks for the article, been waiting for something like this!
  • 0
    @Stallman I guess you don't use wifi
  • 2
    Wtf! I didn't know sha512 was that easily crackable...
  • 1
    @sharktits

    I do, but clients need to have a valid client certificate that has been issued by me.
  • 0
    I really agree with endor...
    We all know that Telegram has a strange definition of "security", but the way the article is written... it smells like bullshit... every point is forced to show they are right