Message-ID: <CANnLRdgCWRCeEOYJOG1NpmU9euZiwHYZQjCaeH3ZP1xmAf5D8w@mail.gmail.com>
Date: Thu, 24 May 2012 12:38:56 -0600
From: Stephen John Smoogen <smooge@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Can Excessive Rounds make Password cracking Infeasable

On 24 May 2012 12:22, Brad Tilley <brad@...ystems.com> wrote:
>> On 05/24/2012 08:06 PM, Brad Tilley wrote:
>> Frank
>
>
> Yes, thanks Frank. I understand that and have no disputes or questions
> about that. My question is about the feasibility of cracking such hashes.
>
> Brad
>
>

Well, feasibility is just a "how long do I figure this is secure."

When I first started doing password audits in 1992, the systems I had
were doing I think 100 DES-crypt checks a second (it might have been
1000 but I am not sure). Now I can do billions per second with a
standard set of systems and GPU hardware. That takes into account
Solar Designer's improved crypt methods and the fact that hardware is
cheaper/faster by large amounts. [The 20 Sun Boxes I used in 1993
would now be 2000+ GPUs at the same cost.]

So if it takes 2 seconds to encrypt a test now, expect that in 20 years
it will be at least 2000 times faster. And while you don't think that
in 20 years someone would still be using it.. I find in my audits that
people use the same passwords they did 20 years ago and a lot of
systems are still DES-crypt.

--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd
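The scaling argument in the message above, worked through as an added example that is not part of the original post: it assumes the "2000 times faster in 20 years" figure follows a smooth exponential curve, and the 10-million-entry candidate list is a constructed sample size. It shows how the per-guess cost of a fixed round count decays, how long a search takes when the attacker keeps upgrading, and how much the cost parameter must grow to hold the line.

```python
import math

# Figures taken from the message; everything else is an assumption.
SECONDS_PER_GUESS_NOW = 2.0      # "2 seconds to encrypt a test now"
SPEEDUP = 2000.0                 # "at least 2000 times faster"
SPEEDUP_YEARS = 20.0             # "in 20 years"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def doubling_time_years(speedup=SPEEDUP, years=SPEEDUP_YEARS):
    """Doubling period implied by the speedup (assumes exponential growth)."""
    return years / math.log2(speedup)


def guess_cost_after(years, cost_now=SECONDS_PER_GUESS_NOW):
    """Seconds per guess for the same hash and round count after `years`."""
    return cost_now / 2 ** (years / doubling_time_years())


def rounds_factor_to_hold_cost(years):
    """Factor by which the round count must grow to keep the cost constant."""
    return 2 ** (years / doubling_time_years())


def years_to_exhaust(candidates, start_year=0.0, cost_now=SECONDS_PER_GUESS_NOW):
    """Years to try `candidates` guesses against one hash when the attacker
    starts at `start_year` and keeps upgrading along the same curve.
    Solves  integral_0^T r0 * 2^(t/d) dt = candidates  for T."""
    d = doubling_time_years()
    r0 = SECONDS_PER_YEAR / guess_cost_after(start_year, cost_now)  # guesses/year
    return d * math.log2(1 + candidates * math.log(2) / (r0 * d))


if __name__ == "__main__":
    wordlist = 10_000_000  # constructed sample size, not from the message
    print(f"doubling time: {doubling_time_years():.2f} years")
    for start in (0, 10, 20):
        t = years_to_exhaust(wordlist, start_year=start)
        print(f"start in year {start:2d}: {guess_cost_after(start):.4f} s/guess, "
              f"{t * 365.25:.2f} days to exhaust {wordlist:,} candidates")
    print(f"rounds factor needed after 20 years: {rounds_factor_to_hold_cost(20):.0f}x")
```
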