Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 May 2012 12:38:56 -0600
From: Stephen John Smoogen <>
Subject: Re: Can Excessive Rounds make Password cracking Infeasable

On 24 May 2012 12:22, Brad Tilley <> wrote:
>> On 05/24/2012 08:06 PM, Brad Tilley wrote:

>> Frank
> Yes, thanks Frank. I understand that and have no disputes or questions
> about that. My question is about the feasibility of cracking such hashes.
> Brad

Well feasibility is just a "how long do I figure this is secure." When
I first started doing password audits in 1992, the systems I had were
doing  I think 100 DES-crypt checks a second (it might have been 1000
but I am not sure). Now I can do billions per second with a standard
set of systems and GPU hardware. That takes into account Solar
Designers improved crypt methods and the fact that hardware is
cheaper/faster by large amounts. [The 20 Sun Boxes I used in 1993
would now be 2000+ GPUs at the same cost.] So if it takes 2 second to
encrypt a test now expect that in 20 years it will be at least 2000
times faster. And while you don't think 20 years someone would still
be using it.. I find in my audits that people use the same passwords
they did 20 years ago and a lot of systems are still DES-crypt.]

Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.