The README.pgcrypto file contains some crack times, which I thought were worth sharing:

4.4. Comparison of crypt and regular hashes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is a table that should give overview of relative slowness
of different hashing algorithms.

* The goal is to crack a 8-character password, which consists:
  1. Only of lowercase letters
  2. Numbers, lower- and uppercase letters.
* The table below shows how much time it would take to try all
  combinations of characters.
* The `crypt-bf` is featured in several settings - the number
  after slash is the `rounds` parameter of `gen_salt()`.

`------------'----------'--------------'--------------------
Algorithm     Hashes/sec  Chars: [a-z]   Chars: [A-Za-z0-9]
------------------------------------------------------------
crypt-bf/8            28     246 years         251322 years
crypt-bf/7            57     121 years         123457 years
crypt-bf/6           112      62 years          62831 years
crypt-bf/5           211      33 years          33351 years
crypt-md5           2681     2.6 years           2625 years
crypt-des         362837       7 days              19 years
sha1              590223       4 days              12 years
md5              2345086       1 day                3 years
------------------------------------------------------------

* The machine used is 1.5GHz Pentium 4.
* crypt-des and crypt-md5 algorithm numbers are taken from
  John the Ripper v1.6.38 `-test` output.
* MD5 numbers are from mdcrack 1.2.
* SHA1 numbers are from lcrack-20031130-beta.
* `crypt-bf` numbers are taken using simple program that loops
  over 1000 8-character passwords.  That way I can show the speed with
  different number of rounds.  For reference: `john -test` shows 213
  loops/sec for crypt-bf/5.  (The small difference in results is in
  accordance to the fact that the `crypt-bf` implementation in pgcrypto
  is same one that is used in John the Ripper.)

Note that "try all combinations" is not a realistic exercise.
Usually password cracking is done with the help of dictionaries, which
contain both regular words and various mutations of them.  So, even
somewhat word-like passwords could be cracked much faster than the above
numbers suggest, and a 6-character non-word like password may escape
cracking.  Or not.

robert

--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
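
An estimator for the exhaustive-search times in the quoted table, added here as an example (it is not part of the original message or of pgcrypto). It recomputes both time columns from the Hashes/sec column, agreeing with the quoted figures to within a few percent, and goes one step further by picking a `rounds` value for a target search time. It assumes each extra round doubles the cost, which matches the 211, 112, 57, 28 progression in the table; the 10,000x attacker speed-up is a constructed figure.

```python
"""Exhaustive-search estimates for the quoted pgcrypto table (added example)."""

SECONDS_PER_YEAR = 365 * 24 * 3600

# Hashes/sec column copied from the quoted table (1.5GHz Pentium 4).
TABLE_RATES = {
    "crypt-bf/8": 28, "crypt-bf/7": 57, "crypt-bf/6": 112, "crypt-bf/5": 211,
    "crypt-md5": 2681, "crypt-des": 362837, "sha1": 590223, "md5": 2345086,
}

def keyspace(charset_size, length=8):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length

def years_to_exhaust(charset_size, rate, length=8):
    """Worst-case years to try every candidate at `rate` hashes/sec."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR

def bf_rate(rounds, ref_rate=211, ref_rounds=5):
    """Estimated crypt-bf hashes/sec at `rounds`.

    Assumption: cost doubles with each increment of `rounds`, anchored on the
    table's crypt-bf/5 measurement unless another reference is given.
    """
    return ref_rate / 2 ** (rounds - ref_rounds)

def min_bf_rounds(charset_size, target_years, ref_rate=211, ref_rounds=5, length=8):
    """Smallest rounds in 4..31 (the range gen_salt('bf', n) accepts) whose
    exhaustive-search time reaches `target_years`; None if none does."""
    for rounds in range(4, 32):
        rate = bf_rate(rounds, ref_rate, ref_rounds)
        if years_to_exhaust(charset_size, rate, length) >= target_years:
            return rounds
    return None

if __name__ == "__main__":
    for name, rate in TABLE_RATES.items():
        print(f"{name:<11} {rate:>8}/s"
              f"  [a-z]: {years_to_exhaust(26, rate):10.2f} y"
              f"  [A-Za-z0-9]: {years_to_exhaust(62, rate):12.0f} y")
    # Constructed scenario: hardware 10,000x faster than the Pentium 4 at bf/5.
    fast = 211 * 10_000
    print("rounds for 1000 years, [a-z]:", min_bf_rounds(26, 1000, ref_rate=fast))
```

These are upper bounds for brute force only; as the README notes, dictionary attacks find word-like passwords far sooner regardless of the `rounds` setting.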
