Date: Wed, 28 Jun 2006 06:43:59 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: faster scan for blowfish on OpenBSD 3.9
On Sun, Jun 25, 2006 at 10:30:46PM -0500, Randy B wrote:
> >and it is processed with a strong password hashing method.
>
> *really* strong. When I get presented a blowfish-encrypted password,
Not "Blowfish-encrypted", but rather "bcrypt-hashed" or "hashed with the
OpenBSD-style Blowfish-based method". This hashing method is _very_
different from Blowfish encryption, although it is based on Blowfish.
Blowfish is a fast block cipher. It is faster than DES. bcrypt, on the
other hand, is a slow and variable-cost password hashing method built on
top of Blowfish.
> I start getting all shifty-eyed and try to find something else to do.
> There's really no good way to go about them, other than having a
> really good dictionary+ruleset and a reasonably poor password.
Actually, if strong passwords were not enforced on the target system,
chances are that you can get some percentage of passwords cracked
despite the use of bcrypt. I did crack about 10% of bcrypt-hashed
passwords on a CommuniGate Pro mail server (which lacks password policy
enforcement capabilities) on one CPU in a couple of days.
> Pretty much, if I can't get even a DES password in 48 hours I give up
> - there are far easier and quicker ways to compromise a password.
It depends.
> Blowfish I'll usually quit after the first two passes -
I think that with extra-slow hashes like this, it makes sense to avoid
huge non-focused wordlists, but instead to let John run for a while in
"incremental" mode after having done with "single crack" and smaller
wordlists (with rules).
> it's [comparatively] so slow and those BSD-ers typically choose really
> nasty passwords.
Yes. But bcrypt is starting to be used on non-BSDs as well:
http://www.openwall.com/crypt/
> Your biggest chokepoint is the Blowfish algorithm itself -
> on an Athlon XP 1800 running 1.7.0.2, the Blowfish
> calculations are nearly 2000 times slower than DES.
Here, you're comparing bcrypt against the traditional DES-based
crypt(3). Both are very different from Blowfish and DES, respectively.
Also, bcrypt is variable-cost, meaning that another bcrypt hash
(produced with different settings) may be even slower to compute (or a
little faster).
"john --test" currently benchmarks bcrypt at 32 iterations, which was
the default on OpenBSD for a short period of time when bcrypt was just
introduced. The default has since been increased, and other systems may
use different defaults (Openwall GNU/*/Linux currently uses 256) - or be
configured differently, indeed.
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
Was I helpful? Please give your feedback here: http://rate.affero.net/solar
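As an added illustration of the variable-cost point made above (this is not code from the message or from John the Ripper): a small Python auditor that reads the cost exponent out of bcrypt hash strings, turns it into the iteration count, compares it with the 32-iteration setting that "john --test" benchmarks, and flags accounts whose hashes sit below a chosen minimum. The password-file lines are constructed samples with filler salt/hash characters, and the minimum cost of 8 (the 256-iteration setting mentioned for Openwall GNU/*/Linux) is an assumed policy value.

```python
import re

# bcrypt (the OpenBSD-style Blowfish-based method) encodes its settings in the
# hash string itself: "$2a$" + two-digit cost + "$" + 22 salt chars + 31 hash chars.
# The cost is log2 of the number of expensive key-setup rounds, so cost 05 means
# 2**5 = 32 iterations and cost 08 means 2**8 = 256.
BCRYPT_RE = re.compile(
    r"^\$2[abxy]?\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Setting behind the "john --test" bcrypt figure discussed in the message.
BENCHMARK_ITERATIONS = 32


def bcrypt_cost(hash_string):
    """Return the cost exponent of a bcrypt hash, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(hash_string)
    return int(m.group(1)) if m else None


def bcrypt_iterations(hash_string):
    """Number of key-setup iterations implied by the hash's cost setting."""
    cost = bcrypt_cost(hash_string)
    return None if cost is None else 2 ** cost


def relative_cost(hash_string, baseline=BENCHMARK_ITERATIONS):
    """How many times slower (or faster) than the benchmark setting this hash is."""
    iters = bcrypt_iterations(hash_string)
    return None if iters is None else iters / baseline


def audit_cost_settings(lines, minimum_cost=8):
    """Scan passwd/master.passwd-style lines; report bcrypt entries below
    minimum_cost and entries that are not bcrypt at all. Returns {user: finding}."""
    findings = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, hashed = fields[0], fields[1]
        cost = bcrypt_cost(hashed)
        if cost is None:
            findings[user] = "not bcrypt"
        elif cost < minimum_cost:
            findings[user] = "cost %d below minimum %d" % (cost, minimum_cost)
    return findings


# Constructed sample lines (not real hashes): salt and hash fields are filler.
SAMPLE = [
    "alice:$2a$05$" + "a" * 22 + "b" * 31 + ":1000:1000::0:0:Alice:/home/alice:/bin/sh",
    "bob:$2a$08$" + "c" * 22 + "d" * 31 + ":1001:1001::0:0:Bob:/home/bob:/bin/sh",
    "legacy:xyAbCdEfGhIjK:1002:1002::0:0:Legacy:/home/legacy:/bin/sh",
]
```

Running audit_cost_settings(SAMPLE) reports alice (cost 5, the old 32-iteration default) and legacy (traditional DES-based crypt(3), not bcrypt), while bob at cost 8 passes.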