Date: Wed, 28 Jun 2006 06:43:59 +0400
From: Solar Designer <>
Subject: Re: faster scan for blowfish on OpenBSD 3.9

On Sun, Jun 25, 2006 at 10:30:46PM -0500, Randy B wrote:
> >and it is processed with a strong password hashing method.
> *really* strong.  When I get presented a blowfish-encrypted password,

Not "Blowfish-encrypted", but rather "bcrypt-hashed" or "hashed with the
OpenBSD-style Blowfish-based method".  This hashing method is _very_
different from Blowfish encryption, although it is based on Blowfish.

Blowfish is a fast block cipher.  It is faster than DES.  bcrypt, on the
other hand, is a slow and variable-cost password hashing method built on
top of Blowfish.

> I start getting all shifty-eyed and try to find something else to do.
> There's really no good way to go about them, other than having a
> really good dictionary+ruleset and a reasonably poor password.

Actually, if strong passwords were not enforced on the target system,
chances are that you can get some percentage of passwords cracked
despite the use of bcrypt.  I did crack about 10% of bcrypt-hashed
passwords on a CommuniGate Pro mail server (which lacks password policy
enforcement capabilities) on one CPU in a couple of days.

> Pretty much, if I can't get even a DES password in 48 hours I give up
> - there are far easier and quicker ways to compromise a password.

It depends.

> Blowfish I'll usually quit after the first two passes -

I think that with extra-slow hashes like this, it makes sense to avoid
huge non-focused wordlists, but instead to let John run for a while in
"incremental" mode after having done with "single crack" and smaller
wordlists (with rules).

> it's [comparatively] so slow and those BSD-ers typically choose really
> nasty passwords.

Yes.  But bcrypt is starting to be used on non-BSDs as well:

> Your biggest chokepoint is the Blowfish algorithm itself -
> on an Athlon XP 1800 running, the Blowfish
> calculations are nearly 2000 times slower than DES.

Here, you're comparing bcrypt against the traditional DES-based
crypt(3).  Both are very different from Blowfish and DES, respectively.

Also, bcrypt is variable-cost, meaning that another bcrypt hash
(produced with different settings) may be even slower to compute (or a
little faster).

"john --test" currently benchmarks bcrypt at 32 iterations, which was
the default on OpenBSD for a short period of time when bcrypt was just
introduced.  The default has since been increased, and other systems may
use different defaults (Openwall GNU/*/Linux currently uses 256) - or be
configured differently, indeed.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:
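The variable-cost point above is encoded in the hash string itself: a bcrypt hash carries a two-digit cost field, and the iteration count is 2 to that power (the 32 iterations "john --test" uses correspond to cost 05, the 256 of Openwall GNU/*/Linux to cost 08). The following Python is an added example, not part of this post and not John the Ripper code: it parses the bcrypt modular-crypt string format, decodes the salt with bcrypt's own base64 alphabet, and flags hashes whose cost falls below a chosen minimum, which is the check an administrator would run before assuming a bcrypt-hashed password file is expensive to attack. The sample hash strings are constructed for illustration and are not real password hashes.

```python
import re

# bcrypt's base64 alphabet differs from RFC 4648: it starts with "./", then A-Z, a-z, 0-9.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<ident>$<cost>$<22-char salt><31-char hash>
# ident: "2" (original OpenBSD), "2a", "2b" (OpenBSD), "2x"/"2y" (crypt_blowfish)
_BCRYPT_RE = re.compile(
    r"^\$(?P<ident>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)


def bcrypt_b64decode(s):
    """Decode bcrypt's base64 variant; 22 chars of salt yield 16 bytes (4 bits are padding)."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in s:
        bits = (bits << 6) | BCRYPT_B64.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)


def parse_bcrypt(hash_str):
    """Split a bcrypt hash string into its fields; raise ValueError if it is not bcrypt."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {
        "ident": m.group("ident"),
        "cost": cost,
        "rounds": 1 << cost,          # key-setup iterations = 2**cost
        "salt": bcrypt_b64decode(m.group("salt")),
        "hash": m.group("hash"),
    }


def is_bcrypt(hash_str):
    try:
        parse_bcrypt(hash_str)
        return True
    except ValueError:
        return False


def relative_slowdown(cost_a, cost_b):
    """How many times slower a hash at cost_b is to compute than one at cost_a."""
    return 2 ** (cost_b - cost_a)


def audit_costs(hashes, min_cost):
    """Return (hash, cost) for bcrypt entries below policy; non-bcrypt entries are skipped."""
    weak = []
    for h in hashes:
        if not is_bcrypt(h):
            continue
        info = parse_bcrypt(h)
        if info["cost"] < min_cost:
            weak.append((h, info["cost"]))
    return weak


# Constructed sample strings: valid in shape, but not hashes of any real password.
SAMPLE_HASHES = [
    "$2a$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # cost 5 = 32 rounds
    "$2y$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # cost 8 = 256 rounds
    "abJnggxhB/yWI",  # traditional DES-based crypt(3) shape, not bcrypt
]

if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        if is_bcrypt(h):
            info = parse_bcrypt(h)
            print(f"{h[:7]}... cost={info['cost']} rounds={info['rounds']}")
        else:
            print(f"{h}: not bcrypt")
    print("below cost 8:", audit_costs(SAMPLE_HASHES, 8))
    print("cost 5 -> 8 slowdown:", relative_slowdown(5, 8), "x")
```

Because cost is an exponent, each +1 doubles the work for the defender and the attacker alike; moving from the old OpenBSD default of 32 iterations to 256 makes every guess eight times more expensive, which is why a benchmark quoted at one cost says little about a hash file produced at another.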
