Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-21 Thread Brian Quinlan
t to see who can offline crack a set of 1M users? Your bcrypt >>>>>> list vs my “Weird”   You don’t even have to give me the salt I’ll have >>>>>> 10k >>>>>> of those cracked in the first 72 hours.  10 to 1 odds you won’t get >>>>&

Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-21 Thread Waleed Abdulla
eady deciphered list of the most common passwords and you >>>>> calculate >>>>> the top 5k using bcrypt and you now have about 50% of the data in fewer >>>>> than 10k operations.

Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-15 Thread Nick Johnson
ass+UserID+Salt) be the best? Yes. But >>> MD5(Pass+UserID+Salt) is still going to be orders of magnitude >>> more difficult than Bcrypt(Pass+salt), because I can’t use knowledge of >>> frequency tables to predict likely outcomes or detect duplicate passwords.

Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-15 Thread Waleed Abdulla
beginning or end of the password. >> >> 4) Both MD5 and SHA1 are Merkle–Damgård construction hashes ( >> http://en.wikipedia.org/wiki/Merkle%E2%80%93Damg%C3%A5rd_construction). >> As a result, the concatenation of several hashes is no more secure than the >> most secure of

Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-15 Thread Jeff Schnitzer
> *From:* google-appengine@googlegroups.com [mailto: > google-appengine@googlegroups.com] *On Behalf Of *Nick Johnson > *Sent:* Monday, November 14, 2011 6:21 PM > > *To:* google-appengine@googlegroups.com > *Subject:* Re: [google

RE: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-14 Thread Brandon Wirtz
gle-appengine@googlegroups.com] On Behalf Of Nick Johnson Sent: Monday, November 14, 2011 6:21 PM To: google-appengine@googlegroups.com Subject: Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime Hi Brandon, What you say is fine if your threat model only

Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-14 Thread Stephen Buergler
It doesn't matter if you can have your ATI card up and running sooner if every single password attempt takes a whole lot longer to try. That is the main strength of bcrypt.

Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-14 Thread Nick Johnson
roups.com [mailto: > google-appengine@googlegroups.com] *On Behalf Of *Nick Johnson > *Sent:* Monday, November 14, 2011 3:56 PM > > *To:* google-appengine@googlegroups.com > *Subject:* Re: [google-appengine] Help resolve massive performance > regression in 2.7 vs 2.5 runtime > &

RE: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-14 Thread Brandon Wirtz
gle-appengine@googlegroups.com] On Behalf Of Nick Johnson Sent: Monday, November 14, 2011 3:56 PM To: google-appengine@googlegroups.com Subject: Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime No! Please, please don't do this. Obscurity is no substi

Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-14 Thread Nick Johnson
> > Uniqueness of the method is more important than the method. > > > > -Original Message- > From: google-appengine@googlegroups.com > [mailto:google-appengine@googlegroups.com] On Behalf Of Brian Quinlan > Sent: Saturday, November 12, 2011 6:58 PM > To: google-appen

RE: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-12 Thread Brandon Wirtz
oups.com [mailto:google-appengine@googlegroups.com] On Behalf Of Brian Quinlan Sent: Saturday, November 12, 2011 6:58 PM To: google-appengine@googlegroups.com Subject: Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime Hi Pol, On Sun, Nov 13, 2011 at 1:48 PM, Pol

Re: [google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-12 Thread Brian Quinlan
Hi Pol, On Sun, Nov 13, 2011 at 1:48 PM, Pol wrote: > Hi, > > Since switching to 2.7 runtime, logging in to http://www.everpix.com > went from about a second to anywhere from 15s to 60s. I tracked it > down to this single password checking line: > > from bcrypt import bcrypt > bcrypt.hashpw(passw

[google-appengine] Help resolve massive performance regression in 2.7 vs 2.5 runtime

2011-11-12 Thread Pol
Hi, Since switching to 2.7 runtime, logging in to http://www.everpix.com went from about a second to anywhere from 15s to 60s. I tracked it down to this single password checking line:
    from bcrypt import bcrypt
    bcrypt.hashpw(password, self.password_hash) == self.password_hash
This comes from "a n