Date: Thu, 24 May 2012 14:06:10 -0400 (EDT)
From: "Brad Tilley" <>
Subject: Can Excessive Rounds make Password cracking Infeasible

This is slightly off-topic as it does not specifically relate to John use,
but I wanted to ask the opinions of others here. When do rounds make
password cracking infeasible, or do they? For example, the hash below is a
SHA-512 hash with 391939 rounds applied. You can actually feel the delay
at logon (about 2 seconds on newer machines):


The source code of sha512-crypt.c sets this as the maximum number of
rounds so Linux sys admins could configure this number even higher:

   /* Maximum number of rounds.  */
   #define ROUNDS_MAX 999999999

So long as the passwords are sufficiently complex and users can't select
simple words such as 'password' for their password, I would think that
these hashes are close to un-crackable (certainly not in a reasonable time
period anyway). What do other John users think?
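An added example, not part of the original message or of sha512-crypt.c: it reads the rounds field of a `$6$` string, clamps it to the SHA-crypt limits, and expresses the 391939-round setting as extra bits of guessing work next to password length. The 2-second figure is the one from the post; the sample hash string, character-set sizes and the `parallel` factor are constructed assumptions.

```python
import math
import re

# Limits from the SHA-crypt specification; ROUNDS_MAX is the value quoted above.
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999999999
SECONDS_PER_YEAR = 365.25 * 86400

def effective_rounds(crypt_string):
    """Round count sha512-crypt applies to a "$6$[rounds=N$]salt$hash" string."""
    m = re.match(r"^\$6\$(?:rounds=(\d+)\$)?", crypt_string)
    if m is None:
        raise ValueError("not a $6$ (SHA-512 crypt) string")
    if m.group(1) is None:
        return ROUNDS_DEFAULT  # no rounds= field: the default applies
    # Out-of-range requests are clamped, not rejected.
    return max(ROUNDS_MIN, min(int(m.group(1)), ROUNDS_MAX))

def stretch_bits(rounds):
    """Extra work per guess, in bits, relative to the default round count."""
    return math.log2(rounds / ROUNDS_DEFAULT)

def equivalent_chars(rounds, charset):
    """How many extra random characters from `charset` symbols cost the same."""
    return stretch_bits(rounds) / math.log2(charset)

def years_to_exhaust(charset, length, secs_per_guess, parallel=1):
    """Years to try every password; `parallel` is an assumed hardware factor."""
    return charset ** length * secs_per_guess / parallel / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed sample string, not a real hash.
    sample = "$6$rounds=391939$CONSTRUCTEDSALT$CONSTRUCTEDHASH"
    r = effective_rounds(sample)
    print(f"rounds={r}: +{stretch_bits(r):.2f} bits over the default, "
          f"about {equivalent_chars(r, 62):.2f} extra alphanumeric characters")
    # 2.0 s per guess is the logon delay reported in the post.
    for charset, length in ((26, 6), (62, 10)):
        for parallel in (1, 10_000):
            y = years_to_exhaust(charset, length, 2.0, parallel)
            print(f"{charset}^{length}, parallel={parallel}: {y:.3g} years")
```

The round count multiplies the cost of each guess linearly, while each added random character multiplies the number of guesses by the character-set size.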


