https://bugzilla.wikimedia.org/show_bug.cgi?id=28419

--- Comment #15 from Aryeh Gregor <simetrical+wikib...@gmail.com> 2011-09-27 18:48:45 UTC ---
(In reply to comment #14)
> First of all, I don't see how the speed of C code for a hashing algorithm v.
> the speed of PHP code means anything in terms of brute-forcing. Maybe I'm
> missing something (and if I am, please explain it).

Suppose PHP executed hash algorithm 1 half as fast as C, and hash algorithm 2 a
tenth as fast, for a fixed number of iterations.  Suppose further that we
choose the number of iterations so that executing it in PHP takes 50 ms, so as
not to delay login noticeably.  Then with algorithm 1, a C implementation will
execute twice as fast as PHP, i.e., 25 ms/hash, or 40 hashes/s.  With algorithm
2, it will be 5 ms/hash, or 200 hashes/s.  The fact that algorithm 2 can be
executed five times as fast in C relative to PHP, for the same number of
iterations, translates into an attacker getting five times the throughput when
cracking.  It's all because we need to choose the number of iterations based on
the speed in PHP, but the attacker gets to use C.
