On Mar 15, 2013, at 3:18 AM, Andrew Findlay <[email protected]> wrote:
> On Thu, Mar 14, 2013 at 08:19:12PM +0100, Michael Ströder wrote:
>
>>>> userpasswordvalue = cleartext-password / prefix hashed-password
>>>
>>> I think you should replace "hashed-password" with "scheme-specific data" and
>>> stop there.
>>
>> That's a conclusion of your opinion. But I want to describe the *order* of
>> password and salt used by any server I saw using the scheme.
>
> Why not separate the description of the data from the overall syntax?
> It will be easier to read that way, and much more obvious that the whole
> thing is extensible and a bit informal.
>
> userPassword has Octet String syntax, so in principle the value is
> <scheme name in curly brackets> <arbitrary data>
>
> A separate section of the doc could then describe (or refer to) the formats
> of all the commonly-used storage schemes. I was about to call them 'hash
> schemes' but that is wrong, as some servers support reversible encryption
> schemes as well as hashes.
>
>
> On a slight tangent, a rough guide to the current strength of various hash
> schemes can be found on hashcat's front page:
>
> http://hashcat.net/oclhashcat-plus/
>
> The table at the bottom gives the brute-force attack rate in crypts/sec
> using a single PC with a good (mid-range gaming) graphics engine.
> Numbers range from about 4k c/s for bcrypt up to 7500M c/s for NTLM.
> It does not explicitly list figures for SSHA and SMD5 but I suspect the
> 'sha512crypt $6$' figure is indicative at 12k c/s.

The difference per check between SSHA and SHA is one SHAUpdate call; even if this call accounted for 100% of the work, SSHA should be no more than twice as expensive as SHA. Likewise for other simple salted hash methods.
-- Kurt

> Andrew
> --
> -----------------------------------------------------------------------
> | From Andrew Findlay, Skills 1st Ltd                                 |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/                        +44 1628 782565 |
> -----------------------------------------------------------------------
> _______________________________________________
> Ldapext mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ldapext
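To make the two points in this exchange concrete (the value is "{scheme}" followed by scheme-specific data, and a simple salted scheme costs only one extra hash update over its unsalted form), here is an added example that is not part of the thread and not code from OpenLDAP or any other server. It parses, generates and verifies userPassword values for the SHA/SSHA/MD5/SMD5 family. It assumes the storage layout slapd uses for the salted schemes, digest = H(password || salt) stored as base64(digest || salt); the order of password and salt is exactly what the thread notes differs between servers, so treat that as an assumption. The names `parse_userpassword`, `make_userpassword`, `verify_userpassword` and `ssha_vs_sha_cost` are illustrative, and the test password "secret" is a constructed input.

```python
import base64
import hashlib
import hmac
import os
import time

# Scheme prefix -> (hashlib algorithm name, salted?).
# Assumption (OpenLDAP slapd layout): salted schemes store
# base64(H(password || salt) || salt); unsalted ones store base64(H(password)).
SCHEMES = {
    "SHA":  ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5":  ("md5", False),
    "SMD5": ("md5", True),
}


def parse_userpassword(value):
    """Split a userPassword octet string into (scheme, scheme-specific data).

    Returns (None, value) when there is no "{scheme}" prefix, i.e. the
    cleartext-password alternative. The scheme name is upper-cased.
    """
    if isinstance(value, str):
        value = value.encode("utf-8")
    if value.startswith(b"{"):
        close = value.find(b"}")
        if close > 1:
            return value[1:close].decode("ascii").upper(), value[close + 1:]
    return None, value


def make_userpassword(scheme, password, salt=None):
    """Build a userPassword value; salt defaults to 8 random bytes if salted."""
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    if isinstance(password, str):
        password = password.encode("utf-8")
    if salted:
        if salt is None:
            salt = os.urandom(8)
        # The only extra work over the unsalted scheme: hashing a few salt bytes.
        digest = hashlib.new(algo, password + salt).digest()
        return b"{" + scheme.encode() + b"}" + base64.b64encode(digest + salt)
    if salt is not None:
        raise ValueError("unsalted scheme %s takes no salt" % scheme)
    digest = hashlib.new(algo, password).digest()
    return b"{" + scheme.encode() + b"}" + base64.b64encode(digest)


def verify_userpassword(stored, candidate):
    """Check candidate against a stored value; constant-time digest compare.

    Unknown schemes raise ValueError instead of silently falling back to a
    cleartext comparison, and malformed data simply fails verification.
    """
    if isinstance(candidate, str):
        candidate = candidate.encode("utf-8")
    scheme, data = parse_userpassword(stored)
    if scheme is None:
        return hmac.compare_digest(data, candidate)
    if scheme not in SCHEMES:
        raise ValueError("unsupported userPassword scheme {%s}" % scheme)
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    size = hashlib.new(algo).digest_size
    if salted:
        if len(raw) < size:     # not even a full digest present
            return False
        digest, salt = raw[:size], raw[size:]
        expected = hashlib.new(algo, candidate + salt).digest()
    else:
        if len(raw) != size:
            return False
        digest, expected = raw, hashlib.new(algo, candidate).digest()
    return hmac.compare_digest(digest, expected)


def ssha_vs_sha_cost(iterations=20000):
    """Return (time per SSHA check) / (time per SHA check) for the same password.

    Illustrates the remark in the thread: the ratio stays close to 1, nothing
    like the cost of bcrypt or sha512crypt. Interpreter overhead is included,
    which only pushes the ratio closer to 1.
    """
    sha = make_userpassword("SHA", "secret")
    ssha = make_userpassword("SSHA", "secret", salt=b"\x00" * 8)

    def bench(stored):
        start = time.perf_counter()
        for _ in range(iterations):
            verify_userpassword(stored, "secret")
        return time.perf_counter() - start

    return bench(ssha) / bench(sha)


if __name__ == "__main__":
    print(make_userpassword("SHA", "secret").decode())
    print(make_userpassword("SSHA", "secret").decode())
    print("SSHA/SHA cost ratio: %.2f" % ssha_vs_sha_cost())
```

The per-check cost ratio is the number worth looking at: a "{SSHA}" value is not materially harder to brute-force than a "{SHA}" one, so the hashcat sha512crypt figure quoted above should not be read as indicative of SSHA; the salt defeats precomputed tables, not the per-guess rate.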
