Building a Stable Secure FreeBSD Mail server
Danny MacMillan
flowers at users.sourceforge.net
Sat Jun 26 10:31:04 PDT 2004
On Sat, 26 Jun 2004 02:07:13 -0600, Joshua Lewis <jmlewis at dslextreme.com>
wrote:
> ...
>
> "I like to change the default algorithm used when encrypting a user's
> password to the blowfish algorithm, as it provides the highest security
> at the greatest speed."
>
> Is this an accurate statement? My current passwd_format is set to md5 and
> I thought md5 was like "Da Bomb"(Ok white guy trying to be funny here).
>
> ...

Well, I'm no expert, but I stumbled across something interesting the other
day after installing /usr/ports/security/john. It's a password cracker
with a benchmarking component:

procyon# john --test
Benchmarking: Traditional DES [64/64 BS MMX]... DONE
Many salts: 301915 c/s real, 302860 c/s virtual
Only one salt: 258079 c/s real, 258483 c/s virtual
Benchmarking: BSDI DES (x725) [64/64 BS MMX]... DONE
Many salts: 10083 c/s real, 10099 c/s virtual
Only one salt: 9830 c/s real, 9923 c/s virtual
Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 2375 c/s real, 2382 c/s virtual
Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 139 c/s real, 140 c/s virtual
Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE
Short: 59810 c/s real, 59997 c/s virtual
Long: 200442 c/s real, 201069 c/s virtual
Benchmarking: NT LM DES [64/64 BS MMX]... DONE
Raw: 1849998 c/s real, 1852889 c/s virtual

Obviously, the security of an encryption algorithm is a many-splendoured
thing, etc., but the above results seem to indicate that brute-forcing
Blowfish is many times more computationally intensive (i.e. 'harder') than
brute-forcing MD5. That's if I'm reading it right; I'm assuming c/s =
"combinations per second". There's no man page and the internet frightens
and confuses me.

I really doubt Blowfish is =faster= than MD5 when encrypting.

--
Danny MacMillan
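
Added example, not part of the original message: a short Python script that parses the crypt(3) figures from the benchmark quoted above and turns them into a slowdown factor relative to FreeBSD MD5, plus the time needed to try every candidate in a keyspace. It follows the post's reading of c/s as candidate guesses per second; the keyspace (six lowercase letters) and the function names are assumptions made for illustration, and the absolute times reflect the poster's 2004 hardware, so only the ratio between formats carries over.

```python
import re

# Benchmark lines copied verbatim from the `john --test` output in the post.
BENCH = """\
Benchmarking: Traditional DES [64/64 BS MMX]... DONE
Many salts: 301915 c/s real, 302860 c/s virtual
Only one salt: 258079 c/s real, 258483 c/s virtual
Benchmarking: BSDI DES (x725) [64/64 BS MMX]... DONE
Many salts: 10083 c/s real, 10099 c/s virtual
Only one salt: 9830 c/s real, 9923 c/s virtual
Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 2375 c/s real, 2382 c/s virtual
Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 139 c/s real, 140 c/s virtual
"""

HEAD = re.compile(r"^Benchmarking: (.+?) \[[^\]]*\]\.\.\. DONE$")
RATE = re.compile(r"^.+?:\s+(\d+) c/s real, \d+ c/s virtual$")

def parse_rates(text):
    """Map each hash format to its highest 'real' c/s figure.

    The highest figure is the conservative choice when sizing a defence.
    """
    rates, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HEAD.match(line):
            current = m.group(1)
        elif current and (m := RATE.match(line)):
            rates[current] = max(int(m.group(1)), rates.get(current, 0))
    return rates

def compare(text, baseline="FreeBSD MD5", keyspace=26 ** 6):
    """Return {format: (c/s, slowdown vs baseline, days to try every candidate)}.

    keyspace is a constructed assumption: six lowercase letters.
    """
    rates = parse_rates(text)
    base = rates[baseline]
    return {name: (r, base / r, keyspace / r / 86400) for name, r in rates.items()}

if __name__ == "__main__":
    for name, (rate, slowdown, days) in compare(BENCH).items():
        print(f"{name:24} {rate:>7} c/s  {slowdown:8.3f}x  {days:8.2f} days")
```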