OpenSSL libcrypto/libcrypt

Robert Connolly robert at linuxfromscratch.org
Wed Aug 29 20:13:14 PDT 2007


The README.pgcrypto files contains some crack times, which I thought were 
worth sharing:

4.4.  Comparison of crypt and regular hashes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is a table that should give overview of relative slowness
of different hashing algorithms.

* The goal is to crack a 8-character password, which consists:
  1.  Only of lowercase letters
  2.  Numbers, lower- and uppercase letters.
* The table below shows how much time it would take to try all
  combinations of characters.
* The `crypt-bf` is featured in several settings - the number
  after slash is the `rounds` parameter of `gen_salt()`.

`------------'----------'--------------'--------------------
Algorithm     Hashes/sec  Chars: [a-z]   Chars: [A-Za-z0-9]
------------------------------------------------------------
crypt-bf/8            28     246 years         251322 years
crypt-bf/7            57     121 years         123457 years
crypt-bf/6           112      62 years          62831 years
crypt-bf/5           211      33 years          33351 years
crypt-md5           2681     2.6 years           2625 years
crypt-des         362837        7 days             19 years
sha1              590223        4 days             12 years
md5              2345086         1 day              3 years
------------------------------------------------------------

* The machine used is 1.5GHz Pentium 4.
* crypt-des and crypt-md5 algorithm numbers are taken from
  John the Ripper v1.6.38 `-test` output.
* MD5 numbers are from mdcrack 1.2.
* SHA1 numbers are from lcrack-20031130-beta.
* `crypt-bf` numbers are taken using simple program that loops
  over 1000 8-character passwords.  That way I can show the speed with
  different number of rounds.  For reference: `john -test` shows 213
  loops/sec for crypt-bf/5.  (The small difference in results is in
  accordance to the fact that the `crypt-bf` implementation in pgcrypto
  is same one that is used in John the Ripper.)

Note that "try all combinations" is not a realistic exercise.
Usually password cracking is done with the help of dictionaries, which
contain both regular words and various mutations of them.  So, even
somewhat word-like passwords could be cracked much faster than the above
numbers suggest, and a 6-character non-word like password may escape
cracking.  Or not.

robert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20070829/8443d4cc/attachment.sig>


More information about the hlfs-dev mailing list