[w8rbt]

It depends on the hash type. Cryptographic hashes (MD4, SHA1, SHA256, etc.) are made to be efficient and fast to compute while password hashes (bcrypt, scrypt, etc.) are much more difficult to compute. The difference is staggering.

  john --test --format=nt

  Benchmarking: NT [MD4 128/128 X2 SSE2-16]... DONE

  Raw:	29037K c/s real, 29037K c/s virtual



  john --test --format=bcrypt

  Will run 16 OpenMP threads

  Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X3]... (16xOMP) DONE

  Raw:	5472 c/s real, 490 c/s virtual

Edit: NT hashes are one round of MD4. These are Microsoft Active Directory hashes. OpenBSD uses Blowfish hashes by default.

[LinuxBender]

What numbers does your rig give using hashcat and your video card?

[tobyjsullivan]

Password "hashes" are generally just cryptographic hashes run multiple times (known as key stretching). Cryptographic hashes are also designed to be slow. A key stretching algorithm will only be slow if the underlying cryptographic hashes are sufficiently slow.

[dsacco]

> Password "hashes" are generally just cryptographic hashes run multiple times (known as key stretching)

1. Password hashing functions are not regular hash functions run multiple times. This is not only false at a macro level (i.e. we don't just run SHA-2 several times to get something resembling PBKDF2), it's false in terms of core construction. Password hashing functions rely on fundamentally different mathematical properties than regular hash functions. It's not like 3DES and DES: a secure password hashing function requires more than just a higher iteration count.

2. "Key stretching" does not refer to running cryptographic hash functions multiple times. Key stretching refers to the act of generating a secret key from an otherwise weak passphrase or input, generally supplied by a user. You use the user's passphrase to (in effect) seed a function that outputs something much more resistant to brute-forcing. Key stretching is used in key derivation functions, but what you described is not key stretching.

3. General purpose (as opposed to password) hashing functions are designed to be fast, not slow. Take a look at BLAKE2's homepage for speed comparisons - speed is a selling point: https://blake2.net/. In addition you can read the following from the handy FAQ:

You want your hash function to be fast if you are using it to compute the secure hash of a large amount of data, such as in distributed filesystems (e.g. Tahoe-LAFS), cloud storage systems (e.g. OpenStack Swift), intrusion detection systems (e.g. Samhain), integrity-checking local filesystems (e.g. ZFS), peer-to-peer file-sharing tools (e.g. BitTorrent), or version control systems (e.g. git). You only want your hash function to be slow if you're using it to "stretch" user-supplied passwords, in which case see the next question.

[tobyjsullivan]

Well that was embarrassing. Thanks for the corrections!

There's a Wikipedia line that could use your input (unless I'm missing why this would still be accurate).

> Key stretching functions, such as PBKDF2, Bcrypt or Scrypt, typically use repeated invocations of a cryptographic hash to increase the time required to perform brute force attacks on stored password digests.

https://en.wikipedia.org/wiki/Cryptographic_hash_function#Pa...

[snakeanus]

> > Key stretching functions, such as PBKDF2, Bcrypt or Scrypt, typically use repeated invocations of a cryptographic hash to increase the time required to perform brute force attacks on stored password digests.

This is not false, it is indeed one of the techniques that they use.

[bogomipz]

I'm not familiar with this term "key stretching" is this the same thing as "work factor" in bcrypt/blowfish?

[dsacco]

No, "work factor" is a term that (roughly) describes how computationally expensive brute-forcing the digest will be. They're associated terms, but it would be more accurate to think of the work factor as the final result of the key stretching process.

[bogomipz]

Ah I see, it's concerned with low entropy.

I believe this paper might be the origin of the term(correct me if I'm wrong.)

I thought it was a good read if anyone else is interested:

https://www.schneier.com/academic/paperfiles/paper-low-entro...