From: Danny MacMillan
Date: Sat, 26 Jun 2004 11:16:09 -0600
To: jmlewis@dslextreme.com, freebsd-questions@freebsd.org
Subject: Re: Building a Stable Secure FreeBSD Mail server

On Sat, 26 Jun 2004 02:07:13 -0600, Joshua Lewis wrote:

> ...
>
> "I like to change the default algorithm used when encrypting a user's
> password to the blowfish algorithm, as it provides the highest security
> at the greatest speed.
>
> Is this an accurate statement? My current passwd_format is set to md5 and
> I thought md5 was like "Da Bomb"(Ok white guy trying to be funny here).
>
> ...

Well, I'm no expert, but I stumbled across something interesting the other
day after installing /usr/ports/security/john. It's a password cracker
with a benchmarking component:

procyon# john --test
Benchmarking: Traditional DES [64/64 BS MMX]... DONE
Many salts:     301915 c/s real, 302860 c/s virtual
Only one salt:  258079 c/s real, 258483 c/s virtual

Benchmarking: BSDI DES (x725) [64/64 BS MMX]... DONE
Many salts:     10083 c/s real, 10099 c/s virtual
Only one salt:  9830 c/s real, 9923 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    2375 c/s real, 2382 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    139 c/s real, 140 c/s virtual

Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE
Short:  59810 c/s real, 59997 c/s virtual
Long:   200442 c/s real, 201069 c/s virtual

Benchmarking: NT LM DES [64/64 BS MMX]... DONE
Raw:    1849998 c/s real, 1852889 c/s virtual

Obviously, the security of an encryption algorithm is a many-splendoured
thing, etc., but the above results seem to indicate that brute-forcing
Blowfish is many times more computationally intensive (i.e. 'harder') than
brute-forcing MD5. That's if I'm reading it right; I'm assuming c/s =
"combinations per second". There's no man page and the internet frightens
and confuses me.

I really doubt Blowfish is =faster= than MD5 when encrypting.

-- 
Danny MacMillan
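
Added example (not part of the original message): a parser for the `john --test` figures quoted above that turns the DES, MD5 and Blowfish rates into a cost relative to MD5 and the time to try every 8-character lowercase password on the benchmarked machine. It treats c/s as guesses per second against one hash, as the message assumes; the function names and the 26-symbol, 8-character keyspace are choices made for this example.

```python
import re

# Rates copied from the john --test output quoted in the message above
# (DES, MD5 and Blowfish entries only).
JOHN_TEST_OUTPUT = """\
Benchmarking: Traditional DES [64/64 BS MMX]... DONE
Many salts:     301915 c/s real, 302860 c/s virtual
Only one salt:  258079 c/s real, 258483 c/s virtual
Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    2375 c/s real, 2382 c/s virtual
Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    139 c/s real, 140 c/s virtual
"""

HEADER = re.compile(r"^Benchmarking: (.+?) \[[^\]]+\]\.\.\. DONE$")
RATE = re.compile(r"^([^:]+):\s+(\d+) c/s real, (\d+) c/s virtual$")

def parse_benchmarks(text):
    """Return {hash format: {measurement label: real c/s}}."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            current = results.setdefault(m.group(1), {})
        elif (m := RATE.match(line)) and current is not None:
            current[m.group(1)] = int(m.group(2))
    return results

def days_to_exhaust(rate, alphabet=26, length=8):
    """Days to try every password of the given shape at `rate` guesses/s."""
    return alphabet ** length / rate / 86400

def compare(text, baseline="FreeBSD MD5"):
    """Rows of (format, c/s, cost factor vs baseline, days), slowest first."""
    benchmarks = parse_benchmarks(text)
    base = max(benchmarks[baseline].values())
    rows = []
    for name, rates in benchmarks.items():
        rate = max(rates.values())  # plan for the attacker's best case
        rows.append((name, rate, base / rate, days_to_exhaust(rate)))
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    for name, rate, factor, days in compare(JOHN_TEST_OUTPUT):
        print(f"{name:24} {rate:>7} c/s  {factor:8.3f}x MD5 cost  {days:9.1f} days")
```

The figures describe the 2004 machine that produced the benchmark; rerun `john --test` on current hardware before using them to choose a passwd_format.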