search for: hashcat

...ok try_first_pass use_authtok" should be added. Password hash rounds control seems to be almost unused. I got no responses in the CentOS 5 Security forum or on the general CentOS email list. People do not seem to understand how important this can be to password security. According to the oclHashcat (hashcat.net) documentation on the fastest GPU enabled PC they have tested, they get 797 million CPS (cracks per second) against SHA512. If the super fast PC is compared to the single CPU PC with no GPU, using the only algorithm common to all tests (NTLM), there is a speed difference of 1981 times....

Thank you for your reply. It's not that simple, though. Just because some core algorithms are standardised and should be compatible doesn't mean their use in different implementations leads to interoperable data. The key point here seems to be that Dovecot just supports SHA-1 with PBKDF2, not SHA-256. So I'm out of luck here. The different formats are no longer relevant then.

...it sceptical that CRYPT-SHA512 is less secure than PBKDF2. CRYPT-SHA512 is not "just" SHA512(salt||password), it does at least 1000 rounds of hashing in similar way as PBKDF2 does. So, what is your reasoning for claiming that PBKDF2 is much secure than CRYPT-SHA512? Also, if you look at hashcat cracking speeds, you'll see that the speed of cracking is slower for CRYPT-SHA512 than for PBKDF2-SHA512. See https://github.com/siseci/hashcat-benchmark-comparison/blob/master/1x%20GTX%201080%20TI%20hashcat%20benchmark.txt Aki > On 30/08/2020 19:54 Yves Goergen <nospam.list at unclassi...

Aki Tuomi wrote: > The use of salt, today, is to prevent the attacker from directly seeing > who has same passwords. Of course it also will make a rainbow table > attack less useful, Not just less useful, but almost infeasible. Given the use of random salts, you would have to generate (number of possible salts) rainbow tables. This drastically changes the CPU/storage tradeoffs. >

...u want passwords cracked. Of course if the passwords are longer than, say, 8 characters, it becomes less feasible. My point wasn't to say that SHA512 is fully insecure, and adding rounds does make it less so as the expenses rack up. https://killtacknine.com/test-driving-google-cloud-gpus-with-hashcat/ It's not available on the graphics (puzzling), but if you look at the gist, it'll show that SHA512-CRYPT is cracked at 247.9 kH/s and MD5-CRYPT (salted MD5) at 17579.7 kH/s. As comparison, straight non-salted SHA512 goes at 1402.7 MH/s and MD5 with no salting at 33677.6 MH/s. For referenc...