Date: Thu, 24 May 2012 22:49:41 +0200 From: magnum <john.magnum@...hmail.com> To: john-users@...ts.openwall.com Subject: Re: Can Excessive Rounds make Password cracking Infeasable On 05/24/2012 08:06 PM, Brad Tilley wrote: > When do rounds make password cracking infeasible, or do they? For > example, the hash below is a SHA-512 hash with 391939 rounds applied. > You can actually feel the delay at logon (about 2 seconds on newer > machines): > > test:$6$rounds=391939$UqhsyLSZ$F/K1CGpBf9yefYXCRbY5uK/LW1HzW8EiPCzdq8PMVvZ4JLhb4F464ps87MX/YwYEI0s62KIsnZBuCt45a.A4I0:1002:1002::/home/test:/bin/sh > > So long as the passwords are sufficiently complex and users can't select > simple words such as 'password' for their password, I would think that > these hashes are close to un-crackable (certainly not in a reasonable time > period anyway). What do other John users think? As others pointed out there are reasons the default rounds figure is not higher. I can imagine if just *some* or even only one hash had a much higher round, I would get more interested in those. OTOH this could be used to fool attackers (using a couple of impossible passwords with a very high rounds figure) to waste resources on dummy accounts. FWIW, some very quick tests on Solar's test gear with the hash above: CPU (8 cores): 4.75 c/s GTX580: 4300 c/s HD7970: 6000 c/s So while the CPU speed is hopeless, using high-end GPU's the speed is not that bad. magnum
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.