Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 May 2012 14:06:10 -0400 (EDT)
From: "Brad Tilley" <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Can Excessive Rounds make Password cracking Infeasable

This is slightly off-topic as it does not specifically relate to John use,
but I wanted to ask the opinions of others here. When do rounds make
password cracking infeasible, or do they? For example, the hash below is a
SHA-512 hash with 391939 rounds applied. You can actually feel the delay
at logon (about 2 seconds on newer machines):

test:$6$rounds=391939$UqhsyLSZ$F/K1CGpBf9yefYXCRbY5uK/LW1HzW8EiPCzdq8PMVvZ4JLhb4F464ps87MX/YwYEI0s62KIsnZBuCt45a.A4I0:1002:1002::/home/test:/bin/sh

The source code of sha512-crypt.c sets this as the maximum number of
rounds so Linux sys admins could configure this number even higher:

   /* Maximum number of rounds.  */
   #define ROUNDS_MAX 999999999

So long as the passwords are sufficiently complex and users can't select
simple words such as 'password' for their password, I would think that
these hashes are close to un-crackable (certainly not in a reasonable time
period anyway). What do other John users think?

Thanks,

Brad






Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.