How many salted passwords can be crunched per second on a modern system

ballsystemlord · 09-15-2016, 03:06 PM

Hello,
I'm doing some interesting research on passwords.
I'm planning to publish my findings here despite the fact that it would make a cool paper because I'm not in college (never went).
I need to know how many passwords can be cracked per second on modern hardware.
I'm talking 10000 iterations salted. The ones I'm interested in are the typical *unix ones, blowfish, sha256, sha512.
I did a few searches online, but the web only yielded windows ntlm passwords and the researchers were probably using a rainbow table.
Thanks

smallpond · 09-15-2016, 03:46 PM

Why not just try it?
This article says about 0.22sec per hash computation but I imagine it could be made much faster.

http://stackoverflow.com/questions/6...-salt-provided

jpollard · 09-15-2016, 03:59 PM

It also depends on what you define a "modern system" to be.

Clusters can do password hashing REALLY fast - several million to billion per second.

Sefyir · 09-15-2016, 07:46 PM

It depends?

Code:

~ > inxi -C
CPU:       Quad core Intel Xeon E3-1285L v4 (-HT-MCP-) cache: 6144 KB 
           clock speeds: max: 3800 MHz 1: 3699 MHz 2: 3699 MHz 3: 3699 MHz
           4: 3699 MHz 5: 3699 MHz 6: 3699 MHz 7: 3699 MHz 8: 3699 MHz

Code:

./john --test
Benchmarking: descrypt, traditional crypt(3) [DES 128/128 AVX-16]... DONE
Many salts:	6260K c/s real, 6260K c/s virtual
Only one salt:	6000K c/s real, 6012K c/s virtual

Benchmarking: bsdicrypt, BSDI crypt(3) ("_J9..", 725 iterations) [DES 128/128 AVX-16]... DONE
Many salts:	216422 c/s real, 216422 c/s virtual
Only one salt:	211046 c/s real, 211046 c/s virtual

Benchmarking: md5crypt [MD5 32/64 X2]... DONE
Raw:	18106 c/s real, 18106 c/s virtual

Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X2]... DONE
Raw:	1142 c/s real, 1142 c/s virtual

Benchmarking: LM [DES 128/128 AVX-16]... DONE
Raw:	83677K c/s real, 83677K c/s virtual

Benchmarking: AFS, Kerberos AFS [DES 48/64 4K]... DONE
Short:	602572 c/s real, 602572 c/s virtual
Long:	2010K c/s real, 2010K c/s virtual

Benchmarking: tripcode [DES 128/128 AVX-16]... DONE
Raw:	5439K c/s real, 5439K c/s virtual

Benchmarking: dummy [N/A]... DONE
Raw:	90602K c/s real, 90602K c/s virtual

Benchmarking: crypt, generic crypt(3) [?/64]... DONE
Many salts:	402662 c/s real, 402662 c/s virtual
Only one salt:	400320 c/s real, 400320 c/s virtual

jpollard · 09-16-2016, 07:00 AM

That can be considered slow.

When some of the clusters do it they use the GPU for doing the specific computation - some of them can go about 10 times faster. Of course, those GPUs tend to also be the most expensive... Something in the neighborhood of $3000 to $7000 for each GPU, and there are clusters that have two to four per node.

There is even a Supermicro "Simcluster" system for deskside use (it weighs over 300 pounds) for $48,000 to $60,000 for a system.

That is why it depends on what you define a modern system to be.

An older reference to an article on password hashing: https://securityledger.com/2012/12/n...ds-in-seconds/

Indicates (in 2012) they were able to do 348 billion NTLM password hashes per second using a cluster of only 5 nodes with 5 GPUs per node (I think, the cluster had a total of 25 GPUs). And GPU computation has gotten even faster since.

273 · 09-17-2016, 05:23 AM

I'd say if you can crack even 1 salted password per day then Linux passwords are broken and you should go to a major new agency and state such.

jpollard · 09-17-2016, 06:13 AM

Quote:

Originally Posted by 273

I'd say if you can crack even 1 salted password per day then Linux passwords are broken and you should go to a major new agency and state such.

Wrong bet.

The problem depends on which method of encrypting... and how complex is the original password.

DES has LONG been cracked - initially by using rainbow tables.

Short passwords can be cracked fairly quickly no matter what encryption is used. If you want to slow the rate, the password has to be longer than 8-10 characters...

273 · 09-17-2016, 07:08 AM

Quote:

Originally Posted by jpollard

Wrong bet.

The problem depends on which method of encrypting... and how complex is the original password.

DES has LONG been cracked - initially by using rainbow tables.

Short passwords can be cracked fairly quickly no matter what encryption is used. If you want to slow the rate, the password has to be longer than 8-10 characters...

Then I need to start looking for another OS. I thought that the people who contributed to Linux were supposed to be intelligent? If you're telling me that Linux passwords can be cracked in under a day then you're telling me that morons wrote the code and nobody cares? Really? Is there a paper on this and why wasn't it major news?

ntubski · 09-17-2016, 08:16 AM

Quote:

Originally Posted by jpollard

The problem depends on which method of encrypting... and how complex is the original password.

DES has LONG been cracked - initially by using rainbow tables.

Do rainbow tables apply to encryption functions? I thought they were for hashing only. Anyway, in current times, the problem with DES is that it uses a 56 bit key which is simply too small to be useful.

Quote:

Short passwords can be cracked fairly quickly no matter what encryption is used. If you want to slow the rate, the password has to be longer than 8-10 characters...

Quote:

Originally Posted by 273

Then I need to start looking for another OS. I thought that the people who contributed to Linux were supposed to be intelligent? If you're telling me that Linux passwords can be cracked in under a day then you're telling me that morons wrote the code and nobody cares? Really? Is there a paper on this and why wasn't it major news?

Check your /etc/shadow file, it's probably not using DES (that's only kept around for backwards compatibilty with ancient UNIX versions, see crypt(3) for how to interpret the contents). If your password entry starts with $6 you're using the SHA512 iterated scheme (5000 iterations by default), which is fairly secure (see https://www.akkadia.org/drepper/SHA-crypt.txt). Also note that /etc/shadow can only be read by attackers if they have already broken in and obtained root.

However, as jpollard mentioned, the original password matters too; none of this helps if the moron user chose "password" as their password.

273 · 09-17-2016, 08:26 AM

Quote:

Originally Posted by ntubski

However, as jpollard mentioned, the original password matters too; none of this helps if the moron user chose "password" as their password.

Surely the point of a salt is to minimise the password's effect upon the final hash? I suppose the danger with weak passwords is that they allow only a small rainbow table to be generated to deal with the most common cases but, still, surely the point of the salt is to make even such a table unwieldy?

jpollard · 09-17-2016, 08:30 AM

Quote:

Originally Posted by 273

Surely the point of a salt is to minimise the password's effect upon the final hash? I suppose the danger with weak passwords is that they allow only a small rainbow table to be generated to deal with the most common cases but, still, surely the point of the salt is to make even such a table unwieldy?

When storage of petabytes is possible, rainbow tables still work...

And they can be reduced in size by generating entries for just the short and common passwords.

The key is that the storage is rather larger than what is common for a desktop, and is not even that common with the hackers.

Systems that can breeze through billions of hashes per second are almost as fast - and are much smaller in physical size, and cost.

jpollard · 09-17-2016, 08:44 AM

Quote:

Originally Posted by 273

Then I need to start looking for another OS. I thought that the people who contributed to Linux were supposed to be intelligent? If you're telling me that Linux passwords can be cracked in under a day then you're telling me that morons wrote the code and nobody cares? Really? Is there a paper on this and why wasn't it major news?

Doesn't matter what OS you look at. Windows, even with two factor (or three) still use passwords that can be broken (never mind that it also uses the so very vulnerable NTLM).

EVERY operating system uses passwords even if they don't call it that - biometrics? sorry the result is a hash, and that can be broken. Two factor authentication? once done - the result is a hash, again can be broken. Using a smart card? result is STILL a hash.

Use Kerberos with two factor authentication and AES? the result is STILL a hash - but the hash has a limited lifetime - hopefully, it takes longer to crack the hash than the credential lifetime.

All that has changed is where the hash gets generated. It used to be just from the password and salt. Now it is from other things. The only purpose for the "other things" is to attempt to reduce the occurrence of simple passwords that are trivial to crack.

The result is still the same. This is why passwords will never go away.

273 · 09-17-2016, 08:51 AM

Well, yes, hashes can be broken eventually but the opening post of this thread mentioned passwords being broken "per second". What I am suggesting is that any password scheme which can be broken in under a day without extremely expensive resources is almost pointless. In fact, for home use then user passwords under such a system are pointless at best and dangerous at worst.

Turbocapitalist · 09-17-2016, 10:23 AM

I am only speculating, but it might possibly be done quickly with parallel processing on GPUs or something. You can get devices with hundreds of cores cheaply now and it seems like a task that would lend itself to parallel processing. CUDA was one name I've heard used in that context, but there may be others.

ntubski · 09-17-2016, 11:33 AM

Quote:

Originally Posted by 273

Surely the point of a salt is to minimise the password's effect upon the final hash?

No, the point of salt is to prevent the attacker from using precomputed tables, and prevent breaking multiple passwords in parallel (this second point is basically irrelevant for single-user home systems). Remember the salt is not secret (or at least not more secret than the hash itself).

Quote:

I suppose the danger with weak passwords is that they allow only a small rainbow table to be generated to deal with the most common cases but, still, surely the point of the salt is to make even such a table unwieldy?

The danger is that a table is not even needed.

Quote:

Originally Posted by 273

Well, yes, hashes can be broken eventually but the opening post of this thread mentioned passwords being broken "per second". What I am suggesting is that any password scheme which can be broken in under a day without extremely expensive resources is almost pointless. In fact, for home use then user passwords under such a system are pointless at best and dangerous at worst.

The point is that it's not possible to talk about how long it takes to break a "password scheme", you must take the password itself into account as well.