https://bugzilla.wikimedia.org/show_bug.cgi?id=28419
--- Comment #16 from Tyler Romeo <[email protected]> 2011-09-27 18:56:34 UTC ---
(In reply to comment #15)
> (In reply to comment #14)
> > First of all, I don't see how the speed of C code for a hashing algorithm v.
> > the speed of PHP code means anything in terms of brute-forcing. Maybe I'm
> > missing something (and if I am, please explain it).
>
> Suppose PHP executed hash algorithm 1 half as fast as C, and hash algorithm 2 a
> tenth as fast, for a fixed number of iterations. Suppose further that we
> choose the number of iterations so that executing it in PHP takes 50 ms, so as
> not to delay login noticeably. Then with algorithm 1, a C implementation will
> execute twice as fast as PHP, i.e., 25 ms/hash, or 40 hashes/s. With algorithm
> 2, it will be 5 ms/hash, or 200 hashes/s. The fact that algorithm 2 can be
> executed five times as fast in C relative to PHP, for the same number of
> iterations, translates into an attacker getting five times the throughput when
> cracking. It's all because we need to choose the number of iterations based on
> the speed in PHP, but the attacker gets to use C.

Ah OK. That makes a lot more sense.
