Date: Fri, 8 Feb 2013 20:07:01 -0500 From: Jon Schipp <jonschipp@...il.com> To: john-users@...ts.openwall.com Subject: Re: SSHA-512 supported? On Fri, Feb 8, 2013 at 8:00 PM, Stephen John Smoogen <smooge@...il.com> wrote: > On 8 February 2013 17:56, Jon Schipp <jonschipp@...il.com> wrote: >> On Fri, Feb 8, 2013 at 7:39 PM, Solar Designer <solar@...nwall.com> wrote: >>> On Fri, Feb 08, 2013 at 07:35:22PM -0500, Jon Schipp wrote: >>>> In case this helps, from pwdalg.cfg >>>> >>>> >>>> "cost_num=cost >>>> * >>>> * The default hashing iterations is 2^cost. The valid value of cost is >>>> * an integer between 4 and 31, inclusive. The default cost value is 6." >>> >>> Isn't this written in context of bcrypt hashes (which they call sblowfish)? >>> If so, we knew that, but it's irrelevant. >> >> Lines further down in the config describe the blowfish count: >> "The default hashing iterations is 2^cost. The valid value of cost is >> an integer between 4 and 31, inclusive. The default cost value is 8." >> >> A default of 8 instead of 6 previously mentioned. Again, I don't know >> if that is helpful or not. >> >>> Do you suspect they were dumb enough to apply the same low iteration >>> counts for sha512crypt, where each iteration is a lot cheaper? Well, >>> maybe. Got to test the 1 to 999 range. >> >> I'm curious and not a programmer, what do you mean by "where each >> iteration is a lot cheaper"? How are they cheaper? > > Ok so if this is basically saying how many times you are going to run > through your hash to get an answer. > > 4 = 2^4 = 32 > 6 = 2^6 = 64 > 8 = 2^8 = 256 > > so less rounds means the CPU is doing less work and thus it is > cheaper. You want to have LOTS of rounds if you want to hash something > that is expensive for a cracker.. so something like 10 as a minimum > (1000) versus 64. > Right, I thought Alexander was mentioning that there was something particular about the rounds themselves that made them cheap (different code etc.). I was imagining something more complex ;) Thanks for taking the time to look at it. I imagine that there aren't any other password crackers that support it either. At least, I haven't seen any yet.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.