Date: Sat, 26 Jun 2004 11:16:09 -0600 From: Danny MacMillan <flowers@users.sourceforge.net> To: jmlewis@dslextreme.com, freebsd-questions@freebsd.org Subject: Re: Building a Stable Secure FreeBSD Mail server Message-ID: <opr97ow7nzf82yxv@sirius.cg.shawcable.net> In-Reply-To: <1776a3885a58dea4d7ea.20040626010713.wzyrjvf@www.dslextreme.com> References: <1776a3885a58dea4d7ea.20040626010713.wzyrjvf@www.dslextreme.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 26 Jun 2004 02:07:13 -0600, Joshua Lewis <jmlewis@dslextreme.com> wrote: > ... > > "I like to change the default algorithm used when encrypting a user's > password to the blowfish algorithm, as it provides the highest security > at the greatest speed. > > Is this an accurate statement? My current passwd_format is set to md5 and > I thought md5 was like "Da Bomb"(Ok white guy trying to be funny here). > > ... Well, I'm no expert, but I stumbled across something interesting the other day after installing /usr/ports/security/john. It's a password cracker with a benchmarking component: procyon# john --test Benchmarking: Traditional DES [64/64 BS MMX]... DONE Many salts: 301915 c/s real, 302860 c/s virtual Only one salt: 258079 c/s real, 258483 c/s virtual Benchmarking: BSDI DES (x725) [64/64 BS MMX]... DONE Many salts: 10083 c/s real, 10099 c/s virtual Only one salt: 9830 c/s real, 9923 c/s virtual Benchmarking: FreeBSD MD5 [32/32]... DONE Raw: 2375 c/s real, 2382 c/s virtual Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE Raw: 139 c/s real, 140 c/s virtual Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE Short: 59810 c/s real, 59997 c/s virtual Long: 200442 c/s real, 201069 c/s virtual Benchmarking: NT LM DES [64/64 BS MMX]... DONE Raw: 1849998 c/s real, 1852889 c/s virtual Obviously, the security of an encryption algorithm is a many-splendoured thing, etc., but the above results seem to indicate that brute-forcing Blowfish is many times more computationally intensive (i.e. 'harder') than brute-forcing MD5. That's if I'm reading it right; I'm assuming c/s = "combinations per second". There's no man page and the internet frightens and confuses me. I really doubt Blowfish is =faster= than MD5 when encrypting. -- Danny MacMillan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?opr97ow7nzf82yxv>