On Sat, 26 Jun 2004 02:07:13 -0600, Joshua Lewis <[EMAIL PROTECTED]> wrote:


"I like to change the default algorithm used when encrypting a user's
password to the blowfish algorithm, as it provides the highest security at the greatest speed.

Is this an accurate statement? My current passwd_format is set to md5 and
I thought md5 was like "Da Bomb"(Ok white guy trying to be funny here).


Well, I'm no expert, but I stumbled across something interesting the other day after installing /usr/ports/security/john. It's a password cracker with a benchmarking component:

procyon# john --test
Benchmarking: Traditional DES [64/64 BS MMX]... DONE
Many salts:     301915 c/s real, 302860 c/s virtual
Only one salt:  258079 c/s real, 258483 c/s virtual

Benchmarking: BSDI DES (x725) [64/64 BS MMX]... DONE
Many salts:     10083 c/s real, 10099 c/s virtual
Only one salt:  9830 c/s real, 9923 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    2375 c/s real, 2382 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    139 c/s real, 140 c/s virtual

Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE
Short:  59810 c/s real, 59997 c/s virtual
Long:   200442 c/s real, 201069 c/s virtual

Benchmarking: NT LM DES [64/64 BS MMX]... DONE
Raw:    1849998 c/s real, 1852889 c/s virtual

Obviously, the security of an encryption algorithm is a many-splendoured thing, etc., but the above results seem to indicate that brute-forcing Blowfish is many times more computationally intensive (i.e. 'harder') than brute-forcing MD5. That's if I'm reading it right; I'm assuming c/s = "combinations per second". There's no man page and the internet frightens and confuses me.

I really doubt Blowfish is =faster= than MD5 when encrypting.

Danny MacMillan
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to