Check out the new USENIX Web site. next up previous
Next: Conclusion Up: Attacks and Vulnerabilities Previous: Algorithm Optimization

Hardware Improvements

In 1977 on a VAX-11/780, crypt could be evaluated about 3.6 times per second. In the last 20 years, machine speed has increased dramatically and the algorithm has been optimized in various ways.

The Electronic Frontier Foundation built a DES cracker in 1998 and was able to crack a 56-bit key in 56 hours with an average search rate of about $88\cdot 10^9$ keys per second [6]. While the EFF DES cracker cannot be used for password guessing, a comparable machine could crack traditional crypt by brute force in 22 days, compared to 875 years on the fastest alpha processor to which we had access.

The impact of increasing processor speed and better optimization of the password hashing algorithm is shown in Figure 5.

Both traditional and MD5 crypt operate with a fixed number of rounds. On a modern Alpha processor, traditional crypt can already be computed fast enough to render it unusable with readable password files. When using specialized DES hardware, the computing time can be reduced again by several orders of magnitude.

Neither traditional nor MD5 crypt support a variable number of rounds. With increasing processing power, these functions become steadily easier to compute. In contrast, bcrypt will adapt to more powerful attackers. Moreover, its inner loop relies exclusively on operations that are efficient on general-purpose CPUs, leaving little opportunity for specialized hardware to achieve dramatic improvements.


next up previous
Next: Conclusion Up: Attacks and Vulnerabilities Previous: Algorithm Optimization
Niels Provos and David Mazieres
4/28/1999