lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Mar 2014 18:20:24 -0400
From: Bill Cox <>
Subject: Re: [PHC] "Why I Don't Recommend Scrypt"

On Thu, Mar 13, 2014 at 5:58 PM, Peter Maxwell <> wrote:
> On 13 March 2014 16:53, Bill Cox <> wrote:
>> I think the NSA would prefer that we continue using Bcrypt and not
>> switch to Scrypt.  Let's assume they have liquid nitrogen cooled ASICs
>> with 1024 Bcrypt hashing cores running say 2X faster than the fastest
>> CPU on each core.  If I understand correctly, Bcrypt only requires
>> 4KiB of memory, so integrating 1024 of them is not unreasonable.  Per
>> board, let's guess they have 64 chips, and maybe 1024 boards, for a
>> factor of 134 million-to-1 compute power vs a high-end PC.
>> Bcrypt is safe against all those GPU crackers who don't have the money
>> to build what the NSA can, so bcrypt does a good job protecting the
>> public, while allowing government sized organizations the ability to
>> crack passwords far more effectively.  I think that's the NSA's
>> prefered sweet spot for the public.
> Sorry for resurrecting an earlier incarnation of this thread but wanted to
> pose the question: are we actually worried about people using ASICs for
> password cracking?

It depends.  For military strength security, I have to say yes, and
I'm hoping the PHC winner cares about that case.  I'd say it is very
likely that China has an ASIC based password cracking center.  For
most people, likely even including large companies like Apple and
Target, probably not.

> Have ASICs been used for password cracking to date?

Yes.  I notice no one replies to threads where I get specific about
that, so I'm going to stop doing that.

> If the NSA, GCHQ, et al. are targeting someone, do they not already have
> numerous measures to compromise hosts other than password cracking?

After reading so many Snowden revelations, I guess it's pretty clear they do.

I hope they aren't wasting my tax dollars, but if the NSA has
legitimate needs for cracking passwords that other's can't, then they
would be doing a very poor job without an ASIC based cracking center.

Another reason to focus on ASICs is that you defend against all
architectures when you defend against ASICs.  Commercial chips with
many CPU cores (say 1024 like my example) capable of hashing Bcrypt as
fast per core as my Intel Core i7 may be in our near future.  With
that event, Bcrypt security will drop tremendously.  Scrypt will fare
far better.

Given a chance to develop a new PHS, I would hope solutions will be
found that defend against ASICs, GPUs, and FPGAs to varying extents,
without giving up on any of them.


Powered by blists - more mailing lists