Hi, I wanted to make some experiments with bcrypt's timing, and it seems that I need to make a wide detour over fat Python stuff.
First I installed the package "bcrypt", which turned out to provide an application of the original Blowfish algorithm, which is so poor that the Debian version is not allowed to encrypt anything any more:

  Encryption support disabled. See http://bugs.debian.org/700758

On the web I found an example, https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html , which I can replay after doing in my sandbox

  apt-get install python-passlib

This added 2 MB, did not suffice, and proposed pip:

  apt-get install python-pip

55 MB added. Then

  pip install bcrypt

Here I forgot to measure how many MB. Duh. It lasted about 3 seconds. The "pip" run needed no superuser power.

I assume that the bcrypt algorithm is not running with Python speed but rather with binary program speed. So I did some benchmarks (qemu with kvm on a 3.5 GHz 4 core Xeon):

  $ python
  >>> from passlib.hash import bcrypt

The example with a "cost" of 13 needs about half a second:

  >>> bcrypt.using(rounds=13).hash("password")
  '$2b$13$IkrRofF47sgCo3CL/E.4ku.87dSGi1W0.3ZEgTYDrVuzXxpAYiUwu'

Consequently cost 16 needs 4 seconds, 18 needs 15, and 19 needs 30. I'd say that 16 would be bearable in this Python contraption. So

  >>> bcrypt.using(rounds=16).hash("ElmerFudpecker")
  '$2b$16$0UGXpt5volf7U/U5pXXGs.fS/X6HSw.9QCzTfRGFOP/qmNvcExGDK'

would yield the 31 character password

  fS/X6HSw.9QCzTfRGFOP/qmNvcExGDK

to be transmitted to the remote service. Of course, "ElmerFudpecker" would not be hardcoded in the Python program but rather be input from the keyboard. And as said, it should be much harder to guess than a celebrity name.

Four 3.5 GHz Xeon seconds per try would be a pain for any enumerator, even with a GPU array. Not unsurpassable, but also not without due heat dissipation. Let him sweat.

Now how would I get this on real Debian 8 iron without running "pip"? Best would be an implementation in plain C without a cuddly snake around it.

  apt-file search bcrypt

produces enough output to hide three such packages from my eyes.

Have a nice day :)
Thomas
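As an added example (not part of Thomas's post, and not passlib's or the bcrypt package's code): the pieces of the benchmark above that need no third-party module, written with the Python standard library only. It splits a bcrypt modular-crypt string into variant, cost, 22-character salt and the 31-character digest the post proposes to reuse, scales a measured timing across cost values (bcrypt's key setup doubles per cost step), and times an arbitrary hashing callable so the cost-13 measurement can be reproduced with whatever backend is installed. The hash strings in the test are the ones printed in the post.

```python
"""Parse bcrypt modular-crypt strings and extrapolate cost timings (stdlib only)."""
import re
import time
from typing import Callable, NamedTuple

# bcrypt uses its own base64 alphabet ("./A-Za-z0-9"), not the RFC 4648 one.
_B64 = r"[./A-Za-z0-9]"
# $<variant>$<2-digit cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(rf"^\$(2[abxy]?)\$(\d\d)\$({_B64}{{22}})({_B64}{{31}})$")


class BcryptHash(NamedTuple):
    variant: str   # "2a", "2b", "2y", ...
    cost: int      # log2 of the number of key-setup rounds
    salt: str      # 22 chars encoding the 128-bit salt
    digest: str    # 31 chars encoding 184 bits of the Blowfish output


def parse_bcrypt(s: str) -> BcryptHash:
    """Validate and split a bcrypt hash string; raise ValueError if malformed."""
    m = _BCRYPT_RE.match(s)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost, salt, digest = m.groups()
    cost_i = int(cost)
    if not 4 <= cost_i <= 31:
        raise ValueError(f"cost {cost_i} outside bcrypt's valid range 4..31")
    return BcryptHash(variant, cost_i, salt, digest)


def estimate_seconds(measured_cost: int, measured_seconds: float, target_cost: int) -> float:
    """Scale one measured timing to another cost: work doubles with each cost step."""
    return measured_seconds * 2.0 ** (target_cost - measured_cost)


def time_hash(hash_once: Callable[[], object], repeats: int = 1) -> float:
    """Wall-clock a hashing callable and return the mean seconds per call.

    Assumed usage with passlib (not imported here so the module runs stand-alone):
        time_hash(lambda: bcrypt.using(rounds=13).hash("password"))
    """
    t0 = time.perf_counter()
    for _ in range(repeats):
        hash_once()
    return (time.perf_counter() - t0) / repeats
```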