We have implemented a new web-based service and the passwords are stored as SHA512. My machine is a 2x Xeon E5620 and 16 GB RAM. My video card is an ATI 5870.
Just thought I would share how this machine fares when crunching this hash type.
02-15-2012, 12:39 AM (This post was last modified: 02-15-2012, 12:40 AM by chort.)
So it's just straight SHA512 with no salt? I don't think you realize how bad that is. If an attacker steals your entire database, they can attack all the passwords simultaneously because they aren't salted (calculate the hash of a plaintext once, compare it to every stored hash). Also if you're using the hashing algorithm with just a single round, that's intended for file integrity or message integrity, not resistance to cracking. You need to add thousands of rounds of the algorithm to force an attacker to do lots of work. Look at techniques like PBKDF.
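An added example, not code from this thread or from any poster, of the difference chort describes: unsalted single-round SHA512 storage beside salted, iterated PBKDF2-HMAC-SHA512 storage and verification (all user names, passwords, salt size and iteration count below are constructed for illustration).

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration: a fresh 16-byte random salt per user and an iteration count to tune to your hardware.
SALT_BYTES = 16
ITERATIONS = 100_000
SCHEME = "pbkdf2_sha512"

def raw_sha512(password):
    """The weak scheme from the thread: single-round, unsalted SHA-512."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()

def make_record(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA512, stored together with its own parameters."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations), salt.hex(), dk.hex()])

def verify(password, record):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != SCHEME:
            return False
        dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # malformed record (wrong field count, bad hex, bad iteration count)
    return hmac.compare_digest(dk.hex(), dk_hex)

def duplicate_groups(stored):
    """Users whose stored values are identical. With unsalted storage every reused
    password shows up here, and one candidate hash can be compared against all rows."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return {value: users for value, users in groups.items() if len(users) > 1}

if __name__ == "__main__":
    users = {"alice": "Winter2012", "bob": "Winter2012", "carol": "correct horse"}  # constructed
    raw_store = {u: raw_sha512(p) for u, p in users.items()}
    salted_store = {u: make_record(p) for u, p in users.items()}
    print("raw duplicates:", duplicate_groups(raw_store))        # alice and bob share one hash
    print("salted duplicates:", duplicate_groups(salted_store))  # {} : per-user salts differ
    print("verify alice:", verify("Winter2012", salted_store["alice"]))
```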
I understand the benefits of salting passwords. Unfortunately this is a vendor-provided system, and honestly if the database was stolen the passwords are the least of our concern (we would just take our web servers offline and disable any access and make the database local until we have resolved the issue). There is much more important (and confidential) information hosted.
I have already asked our vendor to include the ability to salt passwords.
Besides the obvious risk of not using salted passwords, how does the performance of this machine compare?
(02-24-2012, 04:23 PM)atom Wrote: raw-sha512 has been added to latest oclHashcat-lite v0.10 beta and oclHashcat-plus v0.08 beta.
Great news, thanks atom!
Any chance sha512(unix) is coming to plus as well? I realize that the speedup may not be mind-blowing because of the lack of real 64-bit integers, but even a 2x improvement is huge for those of us who need to do this regularly!