lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Feb 2013 05:27:22 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Any "large verifiers" on the panel?

On Sat, Feb 16, 2013 at 09:59:39AM -0600, Jeffrey Goldberg wrote:
> I'm not familiar with everyone on the panel, but I think it would be useful to have someone with an understanding of having to deal with a large number of legitimate authentication sessions.  Someone who, say, manages Gmail logins (IMAP, web, etc) may have insight into what sorts of cost parameters they would like to have.
> 
> Basically, it would be really sucky to settle upon a winner and then have sites and services say, "we won't use that because we can't manage our verification costs the way we need to."

I am not exactly "with" a company of this sort, but I do have such
insight.  Specifically, the required performance numbers used in my
ZeroNights presentation are not arbitrary.  For some companies, a
throughput of more than ~1000/s per authentication server is required,
and latencies of more than ~10 ms are costly in terms of request queue
size growth on other servers.

http://www.openwall.com/presentations/ZeroNights2012-New-In-Password-Hashing/

Alexander

Powered by blists - more mailing lists