Date: Sun, 5 Aug 2012 07:09:59 +0400 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: 1Password blog post about Dhiru's new/forthcoming 1Password module Hi Jeffrey, On Tue, Jul 31, 2012 at 11:45:50AM -0500, Jeffrey Goldberg wrote: > I just published a blog post for 1Password users about the new/forthcoming developments in JtR, once again exhorting them to use strong master passwords. It is here > > http://blog.agilebits.com/2012/07/31/1password-is-ready-for-john-the-ripper/ > > If you see any egregious errors, please let me know. > > And congratulations. I'm pleased that it was the JtR community that got here first. I have a lot of respect for Elcomsoft, and I really thought that they would be the first to publicly release a tool for 1Password cracking/recovery. But I'm glad it was you folk. I am impressed by the way you handled this. Thank you! This is not an error in your blog post, but JFYI I think that Elcomsoft's speed estimates were "more correct" than what Dhiru obtained so far. Sure, Dhiru's code is what actually exists and works now, but that code does not use SIMD yet. So a speedup on CPUs (maybe 4x) is expected when/if someone (on our team or not) implements that. On the other hand, Dhiru's guesstimate of 100x speedup with GPUs was relative to one CPU core. To get more accurate numbers for PBKDF2-HMAC-SHA-1 speeds with more optimal code, you may look at the speeds JtR is getting at MSCash2 (DCC2). This is PBKDF2-HMAC-SHA-1 with 10240 iterations (thus 20480 SHA-1's are computed). JtR achieves about 5350 c/s at it on FX-8120 CPU running an OpenMP-enabled build (or about 1600 c/s on one core in that same CPU - higher clock rate due to turbo). It achieves about 100k c/s on HD 7970. Now you may take these numbers and scale them to your desired iteration counts. However, you may need to halve them if the derived keys are wider than 160 bits (there are twice more SHA-1's per PBKDF2 iteration then - e.g., 40960 for 10240 iterations then). Dhiru's code for 1Password appears to always generate 256-bit AES keys. Is this the key size you actually use? Always? If not, then there's room for a 2x speedup when the AES key is 128 bits (fits in 160). Also, per Elcomsoft's slides, some older versions of 1Password did not use PBKDF2 yet (but used simple MD5 instead). Is this true? Can you provide more info on this (what versions, when they were released)? Thanks again, Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.