From f752214db776a52a0e6ba635c7c50d869807fafb Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Tue, 5 Mar 2024 11:28:31 +0100
Subject: [PATCH v3 1/2] pgcrypto: Remove hash speed comparison table

The table comparing relative hash speed is at best misleading, and
at worst misinforming.  The benchmarks are old and do not reflect
the current state of the art.  The table also implies security due to
brute-force protection, which is no longer true for many algorithms
which have published vulnerabilities which avoid the need for brute
force.
---
 doc/src/sgml/pgcrypto.sgml | 134 -------------------------------------
 1 file changed, 134 deletions(-)

diff --git a/doc/src/sgml/pgcrypto.sgml b/doc/src/sgml/pgcrypto.sgml
index 2db159be71..e66d60878f 100644
--- a/doc/src/sgml/pgcrypto.sgml
+++ b/doc/src/sgml/pgcrypto.sgml
@@ -300,140 +300,6 @@ gen_salt(type text [, iter_count integer ]) returns text
     Slower than 4 hashes per second would probably dampen usability.
     Faster than 100 hashes per second is probably too fast.
    </para>
-
-   <para>
-    <xref linkend="pgcrypto-hash-speed-table"/> gives an overview of the relative slowness
-    of different hashing algorithms.
-    The table shows how much time it would take to try all
-    combinations of characters in an 8-character password, assuming
-    that the password contains either only lower case letters, or
-    upper- and lower-case letters and numbers.
-    In the <literal>crypt-bf</literal> entries, the number after a slash is
-    the <parameter>iter_count</parameter> parameter of
-    <function>gen_salt</function>.
-   </para>
-
-   <table id="pgcrypto-hash-speed-table">
-    <title>Hash Algorithm Speeds</title>
-    <tgroup cols="5">
-     <thead>
-      <row>
-       <entry>Algorithm</entry>
-       <entry>Hashes/sec</entry>
-       <entry>For <literal>[a-z]</literal></entry>
-       <entry>For <literal>[A-Za-z0-9]</literal></entry>
-       <entry>Duration relative to <literal>md5 hash</literal></entry>
-      </row>
-     </thead>
-     <tbody>
-      <row>
-       <entry><literal>crypt-bf/8</literal></entry>
-       <entry>1792</entry>
-       <entry>4 years</entry>
-       <entry>3927 years</entry>
-       <entry>100k</entry>
-      </row>
-      <row>
-       <entry><literal>crypt-bf/7</literal></entry>
-       <entry>3648</entry>
-       <entry>2 years</entry>
-       <entry>1929 years</entry>
-       <entry>50k</entry>
-      </row>
-      <row>
-       <entry><literal>crypt-bf/6</literal></entry>
-       <entry>7168</entry>
-       <entry>1 year</entry>
-       <entry>982 years</entry>
-       <entry>25k</entry>
-      </row>
-      <row>
-       <entry><literal>crypt-bf/5</literal></entry>
-       <entry>13504</entry>
-       <entry>188 days</entry>
-       <entry>521 years</entry>
-       <entry>12.5k</entry>
-      </row>
-      <row>
-       <entry><literal>crypt-md5</literal></entry>
-       <entry>171584</entry>
-       <entry>15 days</entry>
-       <entry>41 years</entry>
-       <entry>1k</entry>
-      </row>
-      <row>
-       <entry><literal>crypt-des</literal></entry>
-       <entry>23221568</entry>
-       <entry>157.5 minutes</entry>
-       <entry>108 days</entry>
-       <entry>7</entry>
-      </row>
-      <row>
-       <entry><literal>sha1</literal></entry>
-       <entry>37774272</entry>
-       <entry>90 minutes</entry>
-       <entry>68 days</entry>
-       <entry>4</entry>
-      </row>
-      <row>
-       <entry><literal>md5</literal> (hash)</entry>
-       <entry>150085504</entry>
-       <entry>22.5 minutes</entry>
-       <entry>17 days</entry>
-       <entry>1</entry>
-      </row>
-     </tbody>
-    </tgroup>
-   </table>
-
-   <para>
-    Notes:
-   </para>
-
-   <itemizedlist>
-    <listitem>
-     <para>
-     The machine used is an Intel Mobile Core i3.
-     </para>
-    </listitem>
-    <listitem>
-     <para>
-      <literal>crypt-des</literal> and <literal>crypt-md5</literal> algorithm numbers are
-      taken from John the Ripper v1.6.38 <literal>-test</literal> output.
-     </para>
-    </listitem>
-    <listitem>
-     <para>
-      <literal>md5 hash</literal> numbers are from mdcrack 1.2.
-     </para>
-    </listitem>
-    <listitem>
-     <para>
-      <literal>sha1</literal> numbers are from lcrack-20031130-beta.
-     </para>
-    </listitem>
-    <listitem>
-     <para>
-      <literal>crypt-bf</literal> numbers are taken using a simple program that
-      loops over 1000 8-character passwords.  That way the speed
-      with different numbers of iterations can be shown.  For reference: <literal>john
-      -test</literal> shows 13506 loops/sec for <literal>crypt-bf/5</literal>.
-      (The very small
-      difference in results is in accordance with the fact that the
-      <literal>crypt-bf</literal> implementation in <filename>pgcrypto</filename>
-      is the same one used in John the Ripper.)
-     </para>
-    </listitem>
-   </itemizedlist>
-
-   <para>
-    Note that <quote>try all combinations</quote> is not a realistic exercise.
-    Usually password cracking is done with the help of dictionaries, which
-    contain both regular words and various mutations of them.  So, even
-    somewhat word-like passwords could be cracked much faster than the above
-    numbers suggest, while a 6-character non-word-like password may escape
-    cracking.  Or not.
-   </para>
   </sect3>
  </sect2>
 
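Review bot: the deleted closing paragraph ("try all combinations is not a realistic exercise ... password cracking is done with the help of dictionaries") is guidance that does not depend on the stale benchmark numbers, and removing it together with the table leaves the section with only the "4 to 100 hashes per second" heuristic and no mention that dictionary and mutation attacks make word-like passwords fall much faster than exhaustive-search estimates suggest. Consider keeping that caveat as a standalone <para> after "Faster than 100 hashes per second is probably too fast." rather than dropping it with the table. Separately, this hunk removes the only visible <xref linkend="pgcrypto-hash-speed-table"/> along with the <table id="pgcrypto-hash-speed-table">; please confirm no other xref to that id remains elsewhere in the SGML tree, since a dangling linkend would break the docs build.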
-- 
2.32.1 (Apple Git-133)

