Date: Sat, 18 Jan 2014 13:32:17 +0000
From: Peter Maxwell <>
Subject: Re: [PHC] Question about saturating the memory bandwidth

On 18 January 2014 09:47, Solar Designer <> wrote:

> On Sat, Jan 18, 2014 at 08:40:08AM +0000, Peter Maxwell wrote:
> > And therein lies the rub.  Saturating the memory bandwidth will not be
> > practical - or even nearly so - for the majority of use-cases.  Similarly,
> > the idea of the defender using GPUs will not be reasonable in most
> > instances either.  Yes, there are specific cases where it might be useful
> > but one needs to address far more mundane scenarios like busy web-servers
> > on current hardware.
>
> There's no problem with saturating the memory bandwidth for password
> hashing on busy web servers.

Ok, what would you consider reasonable "general use" parameters for a busy
web-service hosted on reasonable hardware that meets your idea of a minimum
security threshold: how much memory do you intend to use, how much
computation time/cycles do you suggest?

(yes, I'm being cheeky, there is going to be a follow up)
