new algorithm: yescrypt

[roycewilliams]

Yescrypt is a notable algorithm:

• Publicly known, modern algorithm, by Solar Designer (@solardiz)
• PHC finalist: https://www.password-hashing.net/
• Interest appears to be increasing in this algorithm - starting to appear in the wild and reported in StackExchange questions, etc.
• Demonstrating that the hash is hard/slow in hashcat could actually encourage adoption :D
• Discovering shortcuts/weaknesses could serve to drive improvement in the hash

Where used:

• Supported by libxcrypt, a drop-in replacement for libcrypt.so.1: https://github.com/besser82/libxcrypt/ (this is how John the Ripper supports it)
• Will soon be an option for Fedora: https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow
• Some discussion of using it in Debian, not yet clear: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978553 [Edit: now default in Debian 11, scheduled to be default in Ubuntu 22.04]

Tool coverage:

• No direct support in john-jumbo (but supported using passthrough --format=crypt)
• Not supported by MDXfind

Limitations:

• Maximum plaintext length: none
• Max salt size: 512 bits
• GPU- and FPGA/ASIC unfriendly, by design

Tech details:

• Pseudocode: https://openwall.info/wiki/yescrypt
• PHC full documentation: https://www.password-hashing.net/submissions/specs/yescrypt-v2.pdf
• Source code: https://github.com/openwall/yescrypt
• Official doc (yescrypt): https://www.openwall.com/yescrypt/
• Official doc (john-jumbo): https://github.com/openwall/john/tree/bleeding-jumbo/src/yescrypt
• More details from Debian manpage (https://manpages.debian.org/experimental/libcrypt1-dev/crypt.5.en.html):

• Hashed passphrase format: \$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}
• Maximum passphrase length: unlimited
• Hash size: 256 bits
• Salt size: up to 512 bits
• CPU time cost parameter: 1 to 11 (logarithmic)

[solardiz]

I second this request - would be great to have Argon2 and yescrypt in hashcat, ideally optimized roughly to the same extent so that performance comparisons would make sense. There is already a reasonably optimized implementation of Argon2 in OpenCL (although more work on it is needed - flavors, tuning). For yescrypt, the closest to being optimized are probably mining implementations of the older yescrypt 0.5, which I referenced on the PHC list in 2018 (see also my "reply" on the next day with some corrections). I think more revisions of those appeared since. A more complete implementation updated to 1.0+ would be needed for hashcat.

• Not yet supported by john-jumbo(!)

This is partially correct. While there's no native support for yescrypt in john-jumbo, there is via --format=crypt when running on a system that has such support in its libcrypt (e.g., Ubuntu 20.04+, Fedora 29+). Of course, native support should be added soon (and will provide better performance through moving memory (de)allocations out of the loop).

[roycewilliams]

@solardiz, thanks - I didn't even know about --format=crypt! Description updated.

[gustavi]

It's now the default hashing method on Debian 11 (https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#pam-default-password).

[konstruktoid]

used as default hashing in Ubuntu 22.04 (https://manpages.ubuntu.com/manpages/jammy/en/man5/crypt.5.html, https://manpages.ubuntu.com/manpages/jammy/man8/pam_unix.8.html)

[mator]

kore logic used yescrypt hashes in 2022 contest as one of high cost solving tasks...

[q2dg]

Nowadays Fedora uses this hashing algorithm as default, too After more than a year from the opening of this issue, this is not "so new"

[Sad-theFaceless]

This is indeed not new anymore and most recent distros use this hashing format now.

[q2dg]

Two years have passed...

[theHammi01]

Hi will this feature be added anytime in this decade? yescrypt is now the default hashing for many popular distros lol

[PenguinKeeper7]

For those wondering why yescrypt hasn't been implemented yet - it's not dev laziness, it's just that yescrypt is by design extremely slow and inefficient to run on GPUs but faster on CPUs and given Hashcat is a GPU-oriented program, this is a little awkward. yescrypt is a very complex algorithm and Solar Designer is a major contributor to John the Ripper so he certainly knows how to make a difficult-to-crack algorithm. As Royce said, you can use John for now but also doesn't have GPU code so it'll be run on CPU (if you have the libraries for it)

[noahclements]

any update on this being implemented soon?