
Yes, sure. You should not be using anything but Bcrypt et al for passwords (salt, salt, salt!) – but... Out of curiosity. What if these passwords were SHA-512 hashed (unsalted) rather than SHA1?

Anyone know of comparable articles?



As part of a presentation I did at a local OWASP chapter, here are some numbers based on just using CPython's Hashlib processing of 14,000,000-some-odd passwords:

Intel Xeon E5-1620 3.6 GHz: SHA: 8.16 seconds, SHA256: 11.01 seconds, MD5: 8.7 seconds

AMD FX-8320 3.5 GHz: SHA: 10.63 seconds, SHA256: 13.49 seconds, MD5: 10.06 seconds

Intel Celeron N2840 2.2 GHz: SHA: 32.4 seconds, SHA256: 39.75 seconds, MD5: 28.95 seconds

Intel Pentium M 1.7 GHz: SHA: 37.98 seconds, SHA256: 48.12 seconds, MD5: 34.49 seconds

SHA512 isn't going to make it much better.
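An added example, not part of the comment above or of any poster's code: a hashlib timing harness in the same spirit, extended to put a salted, iterated KDF beside the single-pass digests so the per-guess cost a defender gains is visible. PBKDF2-HMAC-SHA512 stands in for bcrypt only because it ships in the standard library; the candidate strings, iteration count and function names are assumptions made for this sketch.

```python
import hashlib
import os
import time

def make_candidates(n):
    # Constructed sample inputs, not real passwords.
    return [f"candidate-{i:07d}".encode() for i in range(n)]

def rate_fast(name, candidates):
    """Hashes per second for one unsalted pass of the named digest."""
    start = time.perf_counter()
    for pw in candidates:
        hashlib.new(name, pw).digest()
    return len(candidates) / (time.perf_counter() - start)

def rate_pbkdf2(candidates, iterations=100_000):
    """Hashes per second for salted PBKDF2-HMAC-SHA512."""
    start = time.perf_counter()
    for pw in candidates:
        salt = os.urandom(16)  # fresh salt per stored password
        hashlib.pbkdf2_hmac("sha512", pw, salt, iterations)
    return len(candidates) / (time.perf_counter() - start)

def estimate_seconds(rate, total=14_000_000):
    """Time to process `total` candidates at `rate` hashes per second."""
    return total / rate

def compare(n_fast=200_000, n_slow=5, iterations=100_000):
    """Return {algorithm: hashes per second} measured on this machine."""
    fast = make_candidates(n_fast)
    slow = make_candidates(n_slow)
    rates = {name: rate_fast(name, fast) for name in ("sha1", "sha256", "sha512")}
    rates["pbkdf2-sha512"] = rate_pbkdf2(slow, iterations)
    return rates

if __name__ == "__main__":
    for name, rate in compare().items():
        secs = estimate_seconds(rate)
        print(f"{name:14s} {rate:14.1f} hashes/s  "
              f"14,000,000 candidates in {secs:,.0f} s")
```

The absolute figures depend on the CPU and on CPython overhead, so only the ratio between the rows is meaningful.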


SHA-512 would be just 7-8 times slower. Not much of an improvement. Check hashcat's page for performance figures:

https://hashcat.net/oclhashcat/#performance


It's presumably not the most optimized for attacks, but you can try the "openssl speed" command (including specific algorithms, if you want, like "openssl speed sha1 sha512").


(cuda)hashcat can do SHA512 just fine, too.



