Are Your Passwords Safe: Energy-Efficient Bcrypt Cracking with Low-Cost
Parallel Hardware
Katja Malvoni Solar Designer
[email protected]
[email protected]
[email protected]
University of Zagreb, Croatia Openwall
Abstract
Bcrypt is a password hashing scheme based on the
Blowfish block cipher. It was designed to be resistant to
brute force attacks and to remain secure despite of hard-
ware improvements [13]. Expensive key setup with user-
defined cost setting makes this hash slow while rapid ran-
dom 32-bit lookups using Blowfish’s variable S-boxes
require 4 KB of local memory per instance. This mem-
ory access pattern makes bcrypt moderately unfriendly to
parallel implementation on modern CPUs, where on one
hand gather addressing is required in order to exploit the
CPUs’ SIMD capabilities, and on the other even when
gather addressing is in fact available the L1 data cache
size becomes the limiting factor. Despite of this (and
due to it), it is possible to achieve much better perfor-
mance per Watt with bcrypt implementations on homo-
geneous and heterogeneous multiprocessing platforms:
Parallella board with 16- or 64-core Epiphany accelera-
tor and ZedBoard with Zynq reconfigurable logic [16, 2].
Proposed implementations were integrated into John the
Ripper password cracker resulting in improved energy
efficiency by a factor of 35+ compared to heavily opti-
mized implementations on modern CPUs.
1 Introduction
Password hashing was introduced in the 1970s to
avoid storing passwords in plaintext. Instead, passwords
are hashed and only the hashes are stored, which prevents
attackers from directly obtaining the actual passwords.
However, in many cases passwords may nevertheless be
inferred by probing likely (and even not so likely) can-
didate passwords against the hashes. To mitigate these
attacks, specialized password hashing schemes were de-
signed, and bcrypt is one of them [13, 4]. It was designed
to remain secure despite hardware improvements and to
be resistant to brute-force attacks. The original goal is
mostly achieved (so far) as it relates to bcrypt hash crack-
Josip Knezovic
University of Zagreb, Croatia
ing on general-purpose CPUs and even on GPUs. On
general-purpose CPUs, cracking-optimized implementa-
tions achieve a speedup of roughly a factor of 2 com-
pared to optimal defensive implementations running on
the same CPU cores, and GPUs achieve CPU-like at-
tack performance only (although this might be chang-
ing). This work shows that certain other hardware plat-
forms available today make it possible to optimize bcrypt
hash cracking much further, especially in terms of energy
efficiency. Although optimizing for specific platforms
reduces portability, it does not affect scalability within
the same hardware platform family.
The rest of the paper is organized as follows. Sec-
tion 2 gives background details needed to understand
energy-efficient bcrypt implementations. Section 3
gives an overview of various bcrypt implementations
including underlying hardware architecture details and
architecture-specific optimizations. In Section 4, energy-
efficient bcrypt implementations are compared to exist-
ing CPU and GPU implementations in terms of perfor-
mance and energy efficiency. Section 5 presents our
equation for estimating theoretical bcrypt peak perfor-
mance on a specific platform. Related work is discussed
in Section 6. Finally, Section 7 contains the conclusion.
2 Background
Bcrypt is a password hashing scheme based on the
Blowfish block cipher, which is structured as a 16-round
Feistel network [13]. Blowfish encryption uses a 64-bit
input and a P-box (in bcrypt, it initially holds the pass-
word being hashed) to calculate addresses used to ac-
cess four 1 KB large S-boxes. These memory accesses
are pseudorandom and 32-bit wide. Blowfish encryption
is used by the EksBlowfish algorithm (Algorithm 1) in
function ExpandKey() to derive state determined by val-
ues stored in S-boxes and P-box. This algorithm has
three inputs: cost, salt and encryption key (password
being hashed). Cost determines how expensive the key
setup process is, salt is a 128-bit random value used so
that the same password does not always have the same
hash value and encryption key is the user chosen pass-
word (after trivial pre-processing) [13]. Although this is
how EksBlowfish is defined in [13], the order of lines 4
and 5 in Algorithm 1 is swapped in actual implementa-
tions, including in OpenBSD’s original that pre-dates the
USENIX 1999 paper by two years.
Algorithm 1 EksBlowfishSetup(cost, salt, key) [13]
1: state ← InitState()
2: state ← ExpandKey(state, salt, key)
3: repeat(2cost )
4: state ← ExpandKey(state, 0, salt)
5: state ← ExpandKey(state, 0, key)
6: return state
Bcrypt (Algorithm 2) runs in two phases. The first
phase uses the expensive key schedule Blowfish algo-
rithm (Algorithm 1) to initialize Blowfish state. In the
second phase, the obtained state is used with Blowfish in
electronic codebook (ECB) mode to encrypt the 192-bit
string “OrpheanBeholderScryDoubt” 64 times. Returned
value is bcrypt hash [13].
Algorithm 2 bcrypt(cost, salt, pwd) [13]
1: state ← EksBlow f ishSetup(cost, salt, key)
2: ctext ← “OrpheanBeholderScryDoubt”
3: repeat(64)
4: ctext ← EncryptECB(state, ctext)
5: return Concatenate(cost, salt, ctext)
3 Energy-Efficient Implementations
This section gives details of bcrypt implementation
on different energy-efficient platforms: Parallella board
with 16- or 64-core Epiphany manycore accelerator [2, 3]
and ZedBoard with Zynq 7020 reconfigurable logic [16,
17]. In these implementations, most resources are spent
to optimize the most time consuming part of bcrypt,
which is loop executed 2cost times (Algorithm 1, Lines
3 to 5).
3.1 Parallella/Epiphany
Parallella board consists of ARM Cortex-A9 CPU, 16
or 64-core Epiphany manycore accelerator and Zynq re-
configurable logic. Each Epiphany core has 32 KB of
local memory, 64 registers, integer ALU unit with sin-
gle cycle latency and floating point unit (FPU), which
can also be used in integer mode [1]. Limitations of
the described architecture include missing support for
2
complex addressing modes and incapability of floating
point unit to issue logic instructions. One cycle instruc-
tion latency (including load instructions from local mem-
ory) and 32 KB of local memory overcome bcrypt’s ran-
dom memory access pattern while floating point unit
used in integer mode can further exploit some of avail-
able instruction level parallelism. Atypically high num-
ber of registers allows to preload the P-box, which fur-
ther improves performance. Performance improvement
is constrained by missing support for complex address-
ing modes (causes register waste during S-box lookups)
and floating point unit without support for logic instruc-
tions (prevents additional exploitation of instruction level
parallelism). However, advantages of this architecture
surpass limitations to a great extent, which results in
performance efficient and energy-efficient bcrypt imple-
mentations. To exploit all advantages of underlying hard-
ware architecture, bcrypt was implemented on Epiphany
manycore accelerator where each core computes bcrypt
hashes while ARM CPU is used by John the Ripper [9] to
generate candidate passwords and send them to Epiphany
cores for hash computations. In order to hide the four
cycle latency of FPU configured in integer mode and
FPU’s inability to issue logic instructions, it was nec-
essary to introduce more instruction level parallelism.
Computation of a single bcrypt hash per core could not
exploit available resources. Therefore, we overlapped
two bcrypt computations on each core. Instruction level
parallelism was further exploited by partial interleav-
ing computations of two Blowfish encryption rounds for
each instance, which sums up to four Blowfish encryp-
tion rounds being interleaved. These optimizations al-
low some instructions to be calculated for free, i.e. one
instruction is executed on ALU while another one is ex-
ecuted on FPU. Apart from additional instruction level
parallelism, P-box for both instances was preloaded in 36
registers to avoid additional load instructions. Described
optimizations were implemented with portions of code in
assembly, namely for lines 3 to 5 of Algorithm 1. With
this approach we managed to achieve 3/4th of the per-
MHz per-core speed of a full integer dual-issue architec-
ture.
3.2 ZedBoard/Zynq 7020
ZedBoard is a heterogeneous platform, which consists
of Zynq–7020 all-programmable device featuring dual
ARM Cortex-A9 CPU and reconfigurable logic [16, 17].
Given the heterogeneous nature of the Zynq–7020 de-
vice, we implemented time consuming parts of bcrypt in
reconfigurable logic while leaving less demanding tasks
on ARM cores. Figure 1 illustrates our approach to par-
titioning the algorithm: candidate passwords are com-
puted on ARM CPU and sent to arbiter module using
AXI4 bus. Arbiter receives data and stores it in cor-
responding block RAMs. After receiving data, arbiter
starts bcrypt instances running in parallel and waits for
them to finish computation. When computation is fin-
ished, data is sent back to ARM CPU. Bcrypt implemen-
Figure 1: bcrypt implementation on ZedBoard
tation in reconfigurable logic is fast and uses small por-
tion of available resources, which allows for high num-
ber of bcrypt instances running in parallel. For exam-
ple, in a Zynq 7020 device, if four BRAMs are used to
store S-boxes for four bcrypt instances and one BRAM
is used to store other data (P-box, expanded key, salt and
cost) for four bcrypt instances this equals to a maximum
of 112 bcrypt instances running in parallel. This mem-
ory layout fully utilizes the available BRAM resources
(140 BRAMs) because all available ports of true dual-
port BRAMs are used on every clock cycle of Blowfish
encryption round: eight lookups from BRAMs holding
S-boxes and two lookups from BRAM holding P-boxes
and other data for both instances.
However, this design was initially unreliable because
of a combination of Zynq PS core voltage drop and in-
sufficient decoupling from PL main voltage supply. On
ZedBoard and on Parallella board, both of these are pro-
vided by the same 1.0V voltage regulator output. Our
ZedBoard was rebooting right away, and on Parallella (its
revision with Zynq 7020) we measured (via Zynq’s own
ADC) a voltage drop from 960 mV (somewhat low) to
890 mV (unacceptable). To overcome this limitation, we
modified ZedBoard adding a wire going from C357 on
the back of the board (near the relevant voltage regula-
tor) to C217 near Zynq (C217 is a capacitor among those
decoupling VCCPINT, the PS core voltage), thereby re-
ducing the resistance of this specific path. We also added
a 10 nF capacitor (which might or might not have mat-
tered) and a couple of 470 uF electrolytic capacitors (one
wasn’t quite enough per our testing, albeit possibly in
terms of ESR rather than capacitance) in parallel with
C217. With these changes, the 112 bcrypt instances de-
sign could finally work long enough for us to take voltage
measurements, and the lowest we could capture with a
multimeter was over 970 mV on C217 (of course, this
would have been more appropriately measured with a
3
high frequency oscilloscope). The next hurdle was heat,
which we solved by adding a 12V 0.08A 40x40mm cool-
ing fan onto the Zynq heatsink (the fan looks huge com-
pared to the heatsink!) and powering it from one of the
pins of J21 ”current sense” connector and a ground pin
in one of the Pmod connectors. With these modifications
in place, the 112 bcrypt instances design became stable
and can be used reliably (on this specific board). Discon-
necting the fan temporarily so that we could use J21 for
its intended purpose, we measured (via J21) that Zed-
Board’s power consumption increases by around 1.5W
when we load and start to use this bitstream on bcrypt
cost 12 hashes (thus, deliberately achieving the maxi-
mum power consumption by keeping communication de-
lays to a minimum). Another 1W is consumed by the fan.
The described 112 instances design artificially splits
computation across two cycles because only two lookups
from S-boxes can be done in a single clock cycle. But
if S-boxes for a single bcrypt instance are stored in two
BRAMs instead of in one, it is possible to fetch all four
32-bit values in a single clock cycle by performing eight
S-box lookups from four BRAMs. This results in reduc-
tion of maximum number of instances running in paral-
lel to 56, limited by available BRAM. However, these
two designs have the same performance because halv-
ing the number of parallel instances is compensated by
twice faster computation. Limitation of both designs is
communication overhead, which impacts performance at
lower cost settings, but becomes negligible at higher cost
settings. Communication overhead comes in part from
transferring 56 (or 112) 4KB large sets of S-boxes filled
with initial values from ARM cores to reconfigurable
logic and it can be avoided by storing those initial val-
ues in unused portions of available BRAM. Since each
BRAM block on Zynq can hold 4 KB of data, the BRAM
blocks used to hold other than S-box data (whose size is
164 B) are mostly empty and can be used to store ini-
tial values of S-boxes. However, this design is unstable
at more than 28 bcrypt instances (in our testing) because
of physical limitations of ZedBoard (presumably, insuf-
ficient decoupling between PS and PL power despite of
our modifications so far).
To overcome these limitations, experiments were con-
ducted on a bigger device from the Zynq family, ZC706
board with Zynq 7045 reconfigurable logic [15]. Un-
fortunately, this device was not much more reliable at
high instance counts than ZedBoard without modifica-
tion was. However, it was possible to port 56 instances
design, which was not working on ZedBoard to ZC706.
Maximum number of concurrent instances is 216 (lim-
ited by the available BRAM), but it is not reliable. The
highest instance count working reliably is 196. Apart
from this, we used Zynq 7045 device and tested our un-
stable ZedBoard design to obtain performance figures for
 Performance (c/s) Energy-effciency (c/s/W)
25,000

20,583
20,000

15,000

10,000
7,044 6,596
6,246
4,812 5,347
5,000 4,571 4,116 4,556
3,522
2,285 2,400
1,207
600 47 43 49 79
0
Epiphany 16 Zynq 7020 Epiphany 64 Zynq 7020 Zynq 7045 HD 7970 FX−8120 Xeon Phi 5110P i7−4770K
(emulated with 7045)

Figure 2: Performance and Energy-Efficiency of various platforms

Performance (c/s) Energy-efficiency (c/s/W)

design that should have worked on ZedBoard if it were 6,000
more reliable. To overcome limitations of Zynq boards,
work is underway on porting the design to ZTEX quad
5,000 4,812 4,876
Spartan-6 LX150 boards [18].

4,000
4 Experimental Results
3,000
Figure 2 gives the comparison of performance and
2,400
energy efficiency of bcrypt implementations for differ-
ent platforms including our energy-efficient implementa- 2,000
tions: Epiphany 16, Epiphany 64 and ZedBoard. In addi-
1,207 1,200
tion we implemented and measured the performance and 1,000
energy efficiency on commodity multicore CPUs repre- 600

sented by the four–core i7-4770K and eight–core FX- 35 51

8120. Finally we also performed experiments with the
GPU implementation on the HD 7970 graphic card and
many integrated core architecture with Intel’s Xeon Phi
5110P processor. Dark–gray bars represent mere perfor-
mance in cracks per second, while light–gray bars give
performance per energy consumption, i.e. efficiency in
cracks per seconds per Watt. Our low–cost parallel plat-
forms are comparable to or outperform multicores and
GPUs in terms of performance in cracks per second and
their energy efficiency is far better. ZedBoard outper-
forms all devices in terms of performance and energy
efficiency. Figure 4 compares Epiphany manycore with
x86 CPUs fabricated in same (or nearly the same) tech-
nology. The performance of Epiphany chips is com-
parable to x86 CPUs while energy-efficiency is tens of
times higher due to its low power consumption of only
2 Watts. Results for Epiphany show linear scalability in
performance with the increasing number of cores (from
16 to 64). Energy–efficiency scales linearly due to fab-
rication process upgrade from 65nm to 28nm (Epiphany
16 to Epiphany 64). Although most of the communica-
tion overhead on Zynq 7020 was eliminated by storing
initial S-box values in reconfigurable logic, some data
0
Epiphany 16 T7200 Epiphany 64 i7−2600K
Figure 4: Epiphany vs x86
needs to be transferred. This has impact on Zynq 7020’s
performance at lower cost settings. To see how it com-
pares to other platforms when communication overhead
becomes negligible, benchmarks were run for higher cost
settings (8, 10 and 12). Results are summarized in Ta-
ble 1. At higher cost settings, Zynq 7020 performance is
comparable to performance achieved on high end multi-
core CPUs.
Except from direct performance comparison at higher
cost setting, it is possible to compare theoretical perfor-
mance for cost 5 derived from measured performance for
cost 12. Calculation is done based on difference in the
number of Blowfish encryptions for different cost set-
tings (Equation 1):
(212 ∗ 1024 + 585)
c/s = ∗ per f ormance12 (1)
(25 ∗ 1024 + 585)
Blowfish encryption is executed 9 + 512 times before

4
 Performance for cost 12 (c/s) Theoretical performance for cost 5 (c/s) Measured performance for cost 5 (c/s)
35,000

30,000 28,462

25,000

20,538
20,000

15,000

10,000
8,112
6,313 6,246 6,753 6,596
4,571 5,408 5,347
5,000 4,490 4,556

1,207 1,207
9.6 64.5 226.3 35.7 43 50.2 53.7
0
Epiphany 16 Zynq 7020 Zynq 7045 HD 7970 FX−8120 Xeon Phi 5110P i7−4770K

Figure 3: Theoretical performance for cost 5 derived from performance for cost 12

Cost / Device 12 10 8 5
Epiphany 16 9.64 c/s 38.7 c/s 151.3 c/s 1207 c/s
Zynq-7020 64.83 c/s 253.1 c/s 932.6 c/s 4571 c/s
Zynq-7045 226.3 c/s 888.6 c/s 3371 c/s 20538 c/s
HD 7970 35.76 c/s 142.9 c/s 569.2 c/s 4556 c/s
FX-8120 42.93 c/s 171.2 c/s 680.2 c/s 5275 c/s
Xeon Phi 5110P 50.18 c/s 200.7 c/s 800.8 c/s 6285 c/s
i7-4770K 53.67 c/s 214.2 c/s 852.8 c/s 6615 c/s

Table 1: Performance across different platforms for higher cost settings

most costly loop (Algorithm 1, line 2) and 64 or 192
times after it (Algorithm 2, lines 3, 4). We use num-
ber 64 because during attacks, only first 64 bits of hash
are computed most of the time, which gives 585 Blow-
fish encryptions done outside most costly loop. In the
single iteration of the most costly loop 1024 Blowfish
encryptions are done. This ratio is multiplied with mea-
sured performance for cost 12 to derive theoretical per-
formance for cost 5. Figure 3 shows results of this deriva-
tion. Zynq 7020 on ZedBoard is not only comparable
to high end desktop CPUs and GPUs but it outperforms
them in terms of performance.
Another important aspect of platform comparison is
platform cost. Figure 5 shows how different platforms
compare to each other in cracks per second per dollar
metrics. We use the various platforms’ prices at intro-
duction for our comparison. System prices include board
prices for Epiphany 161 , Epiphany 642 and ZedBoard3 ,
estimated system price of $300 for system needed to run
a CPU including motherboard, RAM and PSU. Chip and
device prices are prices of devices themselves, not in-
cluding any other components. As to PCIe cards, on one
hand it is possible to install up to 8 per system, but on the
1 Current
price is $119
2 Intended
price, it is not available on the market
3 Academic price is either $299 or $319
other hand system prices are typically way higher than
our estimate of $300 for a bare-bones CPU-only system.
Due to variance in possible GPU and Xeon Phi whole
system prices, we use device prices only. Our energy-
efficient platforms are in the same price category as the
CPUs we compare them against, and are a lot cheaper
than Xeon Phi and some of the GPUs. When looking
at c/s/$ performance considering system price, energy-
efficient platforms outperform desktop CPUs. How-
ever, when considering chip and device prices, CPUs
outperform Epiphany 16 while Zynq 7020 has the best
performance. Even though CPUs perform comparable
to Epiphany manycore, when attacking bcrypt hashes
energy-efficiency plays a role. It is not just cost of the
hardware that is important but also cost of the power con-
sumption as well as cooling equipment because attack-
ing thousands of bcrypt hashes can take days, months, or
years even with focused wordlists.
5 Theoretical Peak Performance Analysis
Apart from measured performance in c/s and energy-
efficiency in c/s/W it is possible to compare various hard-
ware platforms using theoretical c/s figure derived from
the platform characteristics. This figure can be calculated

5
 System price (c/s/$) Chip or device price (c/s/$)
50
40 38.41
30
24.18
20
16.09
12.19 11.57
10
-0
0
$99 $75 $199 - $395 $119
Epiphany 16 Epiphany 64 Zynq 7020
Figure 5: Performance in cracks per second per dollar of various platforms
using Equation 2:
N ports ∗ f
c/s =
(2cost ∗ 1024 + 585) ∗ Nreads ∗ 16
where N ports denotes number of available read ports to
local memory or L1 cache (depending on the underly-
ing hardware platform) and Nreads denotes the number
of reads per Blowfish round (either 4 or 5 depending on
whether reads from P-boxes go from one of those read
ports we’ve counted or from separate storage such as reg-
isters). Expression 2cost ∗ 1024 + 585 is the number of
Blowfish block encryptions in bcrypt hash computation
and 16 is the number of Blowfish rounds per encryption.
Clock rate ( f in Hz) is used instead of Blowfish block en-
cryption rate because the encryptions can be interleaved,
after which point the speed is limited by the local mem-
ory read rate. In some cases, the speed is limited by the
local memory latency if local memory size is not suf-
ficient for optimal interleaving to hide the latency. For
example, modern x86 CPUs do up to two reads and one
write to/from L1 cache per cycle per core. On Sandy
Bridge and Ivy Bridge, these reads are up to 128-bit each.
On Haswell, they’re up to 256-bit each. However, in
bcrypt, they are used as 32-bit either way. This is why
Haswell’s AVX2 gather loads do not improve bcrypt per-
formance: they are limited to using these same two read
ports.
6 Related Work
Related work in terms of optimizing hash algorithms
is mostly focused on heavily optimized CPU implemen-
tations. This holds true for bcrypt algorithm which has
been implemented on desktop CPUs [10]. Apart from
CPU implementations, there are OpenCL and OpenMP
implementations supporting GPUs and many-core de-
vices [9]. As to hardware bcrypt implementations, an-
26.08
18.85
10.59 10.15
8.299
-0 - 2.358
0
- $549 $505 $205 - $2649 $650 $350
HD 7970 FX−8120 Xeon Phi 5110P i7−4770K
other team has been working independently to improve
our initial results for ZedBoard [8], and succeeded at
(2) that [5]. However, results presented in this work improve
our initial results by a factor of 9 and results presented
in [5] by a factor of 2.25. Work presented in [5] shows
that there is much potential for improving the clock rate,
which will likely result in speeds that are much higher
yet.
Apart from bcrypt, there exist implementations of
other hash algorithms in hardware such as UNIX Crypt
hardware password cracker [12]. Encryption algorithms
including Blowfish on which bcrypt is based and DES
targeting different hardware platforms have been re-
ported in [7, 14, 6, 11]. Rather than pure performance,
our work focuses on energy efficiency and cost of under-
lying platforms as well.
7 Conclusion
In this paper, we have shown that there are low-power
parallel platforms capable of exploiting bcrypt peculiar-
ities to achieve decent performance and much better
energy efficiency when compared to multicore desktop
CPUs and GPUs. Higher energy efficiency also enables
higher density. Higher density means more chips per
board and more boards per system, which gives an at-
tacker more cracking power for the same cost when us-
ing energy-efficient low cost hardware instead of more
commonly used CPUs and GPUs.
Future work includes optimizations on Zynq 7020
and Zynq 7045, using Parallella board with multiple
Epiphany 64 chips and porting implementation to ZTEX
boards with four Spartan 6 FPGAs [18]. Future opti-
mizations on Zynq 7020 and Zynq 7045 include reduc-
ing communication overhead, which limits performance
at lower cost settings, and increasing clock rate. Once
optimized, performance for bcrypt implementation on
6
Zynq 7020 should be comparable to high end CPUs for [14] S IMMLER , H., K UGEL , A., M ANNER , R., V IEIRA , A.,
both low and high cost settings. Parallella board sup- G ALVEZ -D URAND , DE A LCANTARA , F., J.M.S., AND A LVES ,
V. Implementation of cryptographic applications on the reconfig-
ports up to 64 Epiphany chips. If using 64 Epiphany urable FPGA coprocessor microEnable.
64 chips this sums up to 4096 cores. Based on scala-
[15] X ILINX. Xilinx Zynq-7000 All Programmable SoC ZC706
bility of implementation between E16 and E64, theoreti- Evaluation Kit. http://www.xilinx.com/products/
cal performance of Parallella boards with 64 E64 chips is boards-and-kits/EK-Z7-ZC706-G.htm.
∼ 300000 c/s. Apart from this, future work on Parallella [16] X ILINX. XUP ZedBoard. http://www.xilinx.com/
includes using both Epiphany and Zynq 7020 at once. support/university/boards-portfolio/xup-boards/
With four Spartan 6 FPGAs, estimated performance for XUPZedBoard.html.
bcrypt implementation on ZTEX board is tens of thou- [17] X ILINX. Zynq–7000 All Programmable SoC Family of Recon-
sands of c/s, which will outperform currently available figurable Devices.
CPUs and GPUs. [18] ZTEX. USB-FPGA Module 1.15. http://www.ztex.de/
usb-fpga-1/usb-fpga-1.15.e.html.
Existing energy-efficient bcrypt implementations and
future work with very promising performance estimates
have shown that it is possible to achieve decent perfor-
mance in executing bcrypt on hardware. What is worry-
ing is the fact it can be achieved with low cost hardware,
which outperforms multicore CPUs and GPUs in terms
of performance and energy efficiency. This shows that
bcrypt will not remain secure forever and new, more ad-
vanced and attack resistant password hashing algorithms
have to be devised.

References
[1] A DAPTEVA. Epiphany Architecture Reference. http://
adapteva.com/docs/epiphany_arch_ref.pdf, 2013.
[2] A DAPTEVA. Parallella Computer Specifications. http://www.
parallella.org/board/, 2013.
[3] A DAPTEVA. Parallella Reference Manual. http://www.
parallella.org/docs/parallella_manual.pdf, 2013.
[4] D ESIGNER , S., AND M ARECHAL , S. Pass-
word security: past, present, future. http:
//www.openwall.com/presentations/
Passwords12-The-Future-Of-Hashing/, 2012.
[5] F. W IEMER , R. Z. Speed and Area-Optimized Password Search
of bcrypt on FPGAs.
[6] F OUNDATION , E. F. EFF DES cracker. http://en.
wikipedia.org/wiki/EFF_DES_cracker, 1998.
[7] K IRAN , L. K., A BHILASH , J. E. N., AND K UMAR , P. S. FPGA
Implementation of Blowfish Cryptosystem Using VHDL.
[8] M ALVONI , K., AND D ESIGNER , S. Energy-efficient bcrypt
cracking. http://www.openwall.com/presentations/
Passwords13-Energy-Efficient-Cracking/, 2013.
[9] O PENWALL. John the Ripper password cracker. http://www.
openwall.com/john/.
[10] O PENWALL. Modern password hashing for your software and
your servers. http://www.openwall.com/crypt/.
[11] PATEL , M. C. R., G OHIL , P. N. B., AND S HAH , P. V. FPGA -
hardware based DES and Blowfish symmetric cipher algorithms
for encryption and decryption of secured wireless data communi-
cation.
[12] P OPPITZ , M. FPGA Based UNIX Crypt Hardware Password
Cracker. http://www.sump.org/projects/password/,
2006.
[13] P ROVOS , N., AND M AZI ÈRES , D. A Future-Adaptable Pass-
word Scheme. Proceedings of the FREENIX Track:1999 USENIX
Annual Technical Conference (1999).