Password Hashes, Again

Daniel Berlin dberlin at
Mon Apr 16 12:43:39 UTC 2012

On Mon, Apr 16, 2012 at 8:12 AM, Vlad Dascalu <vladd at> wrote:
>> Of course, this will change as effects/etc GPU's are used for become
>> ever more complex.
>> I wouldn't expect this particular limitation to last for very long.
>> It was only a short time ago that GPU's basically had *no* local ram.
> Due to paralelization, it's much more expensive for them to match our
> RAM requirements: There's nothing which prevents us from implementing
> a hash computation algorithm requiring 20 MB of addressable RAM for
> each login procedure, and this would be a show-stopper for most
> attackers as they cannot afford that much RAM per individual worker.
It would be a mistake to assume someone "cannot afford" that much ram
within the reasonable lifetime of your program

DRAM cost/bit drops by about 30-40% a year (according to ITRS).
Their reports/numbers have been consistent over the years.
(ITRS reports are not always available to the public without paying,
but i can get you this one page/table if you want to see it)

Here's how many bits you could afford per dollar, rounded out:

2009 -  200000000 - cost 0.48 microcents per bit
2010 - 294000000 - cost 0.34 microcents per bit
2011 - 417000000 - cost 0.24 microcents per bit
2012 - 588000000 - cost 0.17 microcents per bit
2013 - 833000000 - cost 0.12 microcents per bit - cost would be 100
bucks to add 20 meg to 500 cores

in 2017, the number of bits per dollar will be 3330000000 - cost would
be 25 bucks to add 20 meg to 500 cores

Note that even if you update your hash method every 5 years to account
for technology, plenty of folks will be vulnerable for a while until
they upgrade.

More information about the developers mailing list