OpenBSD Journal

Energy-efficient bcrypt cracking

Contributed by jj from the kiss-blowfish-get-free-lip-piercing dept.

Solar Designer posted to the Openwall announce list about the latest status of using FPGAs to crack bcrypt passwords:
From: Solar Designer <solar [a/t]>
Subject: Energy-efficient bcrypt cracking (Passwords^14, Skytalks, WOOT '14 slides and paper); crypt_blowfish 1.3
Katja Malvoni has given 3 talks at conferences in the US earlier in August at PasswordsCon Las Vegas, Skytalks, and USENIX WOOT '14. We've also submitted an academic paper to WOOT.
All of these reflect progress we made at the "Energy-efficient bcrypt cracking" project since last year. Here are the new slides, download links, and YouTube video link:

The talk video includes a live demo of bcrypt hash cracking with modified John the Ripper on several of the energy-efficient boards. For reference, here's last year's announcement:

New since last year are much improved results for FPGAs, in particular for Xilinx Zynq 7020 and 7045. The latter achieves what's probably the highest bcrypt cracking speed per chip that has been actually demonstrated so far (for any kind of chip, including CPUs and GPUs), as well as the highest energy-efficiency, although indeed even higher speeds are currently possible (e.g. on FPGAs that are bigger yet).

In particular, for bcrypt cost 5 the speed on Zynq 7045 is 20538 c/s, and for cost 12 it is 226 c/s (higher efficiency than for cost 5). Similarly expensive Xeon E5-2670 is 2.4x to 3.3x slower than Zynq 7045 on this test, yet consumes ~20x more power; GPUs are way behind.

The inexpensive Zynq 7020 now achieves speeds that are on par with CPUs and GPUs, but at much greater energy efficiency. We're going to continue the project, targeting other FPGAs and multi-FPGA boards.

We continue to recommend use of bcrypt for now. The crypt cracking speedups and energy efficiency improvements achieved so far are very important, but are not fatal to its continued use for a while longer. This is a short-term recommendation.

2. I released crypt_blowfish 1.3 back in July:

Version 1.3 adds support for the $2b$ prefix introduced in OpenBSD 5.5+, which behaves exactly the same as crypt_blowfish's $2y$ did and still does. This way, full compatibility with OpenBSD's bcrypt is achieved at the new $2b$ prefix. crypt_blowfish 1.3 is already included in Owl-current builds (including the ISO images) made in July.

I'd like to thank the OpenBSD project for providing this avenue for us to achieve full compatibility between the implementations despite the mistakes made previously. To be more confident there is indeed full compatibility, I wrote and ran a test suite cross-testing the two implementations, including on weird and invalid inputs. For the curious, it can now be found as bcrypt-tester-1.0.tar.gz under:

although there should be no need to run it (again).
As usual, any feedback is welcome.
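
An added example, not part of the announcement or of crypt_blowfish: a defender-side audit that parses stored bcrypt strings (including the $2b$ prefix), flags low cost settings, and scales the Zynq 7045 figures quoted above to each cost. The `min_cost` policy value, the sample strings and the doubling-per-cost extrapolation are assumptions.

```python
import re

# crypt(3) bcrypt string: $2<variant>$<2-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"\$(2[abxy])\$([0-9]{2})\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}")

# Zynq 7045 speeds quoted in the announcement, in candidates per second.
MEASURED_CPS = {5: 20538, 12: 226}

def parse_bcrypt(hash_str):
    """Return (variant, cost); raise ValueError if the string is malformed."""
    m = BCRYPT_RE.fullmatch(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt string")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError("cost outside bcrypt's 4..31 range")
    return m.group(1), cost

def estimated_cps(cost, ref_cost=12):
    """Assumption: scale one measured point, since work doubles per cost step."""
    return MEASURED_CPS[ref_cost] * 2.0 ** (ref_cost - cost)

def efficiency_gain():
    """Cost-12 speed normalised to cost-5 work, relative to the cost-5 figure."""
    return MEASURED_CPS[12] * 2 ** (12 - 5) / MEASURED_CPS[5]

def audit(hashes, min_cost=12):
    """min_cost is a hypothetical local policy, not a value from the announcement."""
    report = []
    for i, h in enumerate(hashes):
        try:
            variant, cost = parse_bcrypt(h)
        except ValueError:
            report.append((i, None, "invalid", None))  # never echo the raw value
            continue
        status = "ok" if cost >= min_cost else "rehash-on-login"
        report.append((i, f"${variant}${cost:02d}$", status, round(estimated_cps(cost), 1)))
    return report

# Constructed sample strings (placeholder salt/hash bodies, not real hashes).
_BODY = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = ["$2b$12$" + _BODY, "$2y$05$" + _BODY, "$2b$03$" + _BODY, "not-a-bcrypt-string"]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("cost 12 vs cost 5 efficiency: %.2fx" % efficiency_gain())
```

The extrapolated cost-5 figure is higher than the measured 20538 c/s, which is the "higher efficiency than for cost 5" remark expressed as a number.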


  1. By Anonymous Coward

    So… when do we get scrypt password hashing?

