A few months ago I read this excellent article on password hashing schemes and I found some things out that I hadn't previously thought about. For instance, this sounds like a pretty novel thing, but speed in a hashing algorithm is not what you're looking for, and some hashing algorithms are much slower than others by design. Well, the other day someone on IRC didn't believe that crypt() would take significantly more time than md5(). Well, of course, I had to test it. So here's what I came up with to benchmark the two:
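<?php
// Time 5000 MD5 digests of the same input.
$t = microtime(true);
for ($i = 0; $i < 5000; $i++) {
    $m = md5('password');
}
$diff = microtime(true) - $t;

// Time 5000 crypt() calls. The two-character salt selects standard DES
// and is required on PHP 8, where crypt() no longer accepts a missing salt.
$t2 = microtime(true);
for ($i = 0; $i < 5000; $i++) {
    $m = crypt('password', 'ab');
}
$diff2 = microtime(true) - $t2;

echo("MD5: " . $diff . "\n");
echo("crypt (DES): " . $diff2 . "\n");
echo("MD5 was " . $diff2/$diff . " times faster than crypt\n");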
My average results with this say that md5() is something close to 125 times faster than crypt(). If you were just hashing one password, the difference would be negligible to the user. However, if someone is trying to brute-force one versus the other, the time will definitely make a difference. The moral of the story? Sometimes slower is better.
I apologize to any cryptographers who were hurt while reading this post; it's not very scientific, but it is the simplest way I can think of to demonstrate the time difference between these two algorithms. I'm sure you could do it better, and I encourage anyone who knows more than I do to let me know in the comments.
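Added example, not part of the original post: the same timing idea applied to choosing a deliberately slow setting, using PHP's password_hash() with bcrypt and raising the cost until one hash takes a target time. The helper names, the 50 ms target and the cost ceiling of 14 are assumptions; it needs PHP 7.4 or later.

```php
<?php
// Added example (not from the original post). Helper names are hypothetical.

/** Average seconds per call of $fn over $n runs. */
function secondsPerCall(callable $fn, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    return (microtime(true) - $start) / $n;
}

/** Smallest bcrypt cost (4..$maxCost) whose single hash takes at least $target seconds. */
function calibrateBcryptCost(float $target, int $maxCost = 14): int
{
    for ($cost = 4; $cost <= $maxCost; $cost++) {
        $t = secondsPerCall(
            fn() => password_hash('calibration-input', PASSWORD_BCRYPT, ['cost' => $cost]),
            1
        );
        if ($t >= $target) {
            return $cost;
        }
    }
    return $maxCost; // hardware is fast enough that the ceiling is still under target
}

$password = 'password';                  // constructed sample, same literal the post uses
$md5Time  = secondsPerCall(fn() => md5($password), 5000);

$cost   = calibrateBcryptCost(0.05);     // 50 ms per hash is an assumed budget
$hash   = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
$bcTime = secondsPerCall(fn() => password_verify($password, $hash), 3);

printf("md5:            %.9f s per hash\n", $md5Time);
printf("bcrypt cost %2d: %.6f s per verify\n", $cost, $bcTime);
printf("slowdown:       %.0fx per guess\n", $bcTime / max($md5Time, 1e-9));

// The cost is stored inside the hash, so it can be raised later:
// a login that verifies against an older, cheaper hash triggers a re-hash.
if (password_verify($password, $hash)
    && password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost + 1])) {
    echo "stored hash is below the new cost and would be re-hashed at next login\n";
}
```

Each step up in bcrypt cost doubles the work per guess, so the calibrated value should be re-measured when the server hardware changes.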




December 8th, 2007 at 1:26 pm
Nice, and the article you link to is excellent indeed.
December 8th, 2007 at 7:21 pm
That article more or less sums up the scope of my understanding of cryptography.
December 9th, 2007 at 4:06 am
Haha, I saw your comment there. It also sums up your knowledge of the English language, I mean… "This has convinced of what I already suspected"?
December 10th, 2007 at 6:05 pm
Fuck you.
December 16th, 2007 at 3:46 am
The md5() function is highly optimized for speed, whereas crypt() is made to be compatible with different algorithms, so no wonder md5() is so fast.