Iteration Counts and Hash Algorithm Speeds for Password Hashing

<parameter>iter_count</parameter> parameter is omitted, the default iteration count is used. Allowed values for <parameter>iter_count</parameter> depend on the algorithm and are shown in <xref linkend="pgcrypto-icfc-table"/>. </para> <table id="pgcrypto-icfc-table"> <title>Iteration Counts for <function>crypt()</function></title> <tgroup cols="4"> <thead> <row> <entry>Algorithm</entry> <entry>Default</entry> <entry>Min</entry> <entry>Max</entry> </row> </thead> <tbody> <row> <entry><literal>xdes</literal></entry> <entry>725</entry> <entry>1</entry> <entry>16777215</entry> </row> <row> <entry><literal>bf</literal></entry> <entry>6</entry> <entry>4</entry> <entry>31</entry> </row> <row> <entry><literal>sha256crypt, sha512crypt</literal></entry> <entry>5000</entry> <entry>1000</entry> <entry>999999999</entry> </row> </tbody> </tgroup> </table> <para> For <literal>xdes</literal> there is an additional limitation that the iteration count must be an odd number. </para> <para> To pick an appropriate iteration count, consider that the original DES crypt was designed to have the speed of 4 hashes per second on the hardware of that time. Slower than 4 hashes per second would probably dampen usability. Faster than 100 hashes per second is probably too fast. </para> <para> <xref linkend="pgcrypto-hash-speed-table"/> gives an overview of the relative slowness of different hashing algorithms. The table shows how much time it would take to try all combinations of characters in an 8-character password, assuming that the password contains either only lower case letters, or upper- and lower-case letters and numbers. In the <literal>crypt-bf</literal> entries, the number after a slash is the <parameter>iter_count</parameter> parameter of <function>gen_salt</function>. </para> <para> The default <parameter>iter_count</parameter> for <literal>sha256crypt</literal> and <literal>sha512crypt</literal> of <literal>5000</literal> is considered too low for modern hardware, but can be adjusted to generate stronger password hashes. Otherwise both hashes, <literal>sha256crypt</literal> and <literal>sha512crypt</literal> are considered safe. </para> <table id="pgcrypto-hash-speed-table"> <title>Hash Algorithm Speeds</title> <tgroup cols="5"> <thead> <row> <entry>Algorithm</entry> <entry>Hashes/sec</entry> <entry>For <literal>[a-z]</literal></entry> <entry>For <literal>[A-Za-z0-9]</literal></entry> <entry>Duration relative to <literal>md5 hash</literal></entry> </row> </thead> <tbody> <row> <entry><literal>crypt-bf/8</literal></entry> <entry>1792</entry> <entry>4 years</entry> <entry>3927 years</entry> <entry>100k</entry> </row> <row> <entry><literal>crypt-bf/7</literal></entry> <entry>3648</entry> <entry>2 years</entry> <entry>1929 years</entry> <entry>50k</entry> </row> <row> <entry><literal>crypt-bf/6</literal></entry> <entry>7168</entry> <entry>1 year</entry> <entry>982 years</entry> <entry>25k</entry> </row> <row> <entry><literal>crypt-bf/5</literal></entry> <entry>13504</entry> <entry>188 days</entry> <entry>521 years</entry> <entry>12.5k</entry> </row> <row> <entry><literal>crypt-md5</literal></entry> <entry>171584</entry> <entry>15 days</entry> <entry>41 years</entry> <entry>1k</entry> </row> <row> <entry><literal>crypt-des</literal></entry> <entry>23221568</entry> <entry>157.5 minutes</entry> <entry>108

The iteration count for password hashing algorithms can be adjusted to balance security and usability, with considerations including the speed of the hardware and the potential for brute-force attacks, and tables are provided to compare the speeds of different algorithms, including Blowfish, MD5, and SHA-256/512, to help choose an appropriate iteration count and algorithm for password hashing.