Encryption

How slow is the hash used for Mac FileVault encryption?

  • November 22, 2021

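Some password strength estimators (such as zxcvbn) give estimates that vary with the speed of the hash and the assumed resources of the attacker. I am curious what hash macOS FileVault encryption on a MacBook uses, and whether it should be considered a "fast" or a "slow" hash for the purpose of estimating the speed of an attack on it.

More specifically, how many hashes per second can a good modern GPU perform when trying to crack the password protecting a FileVault drive?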

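Modern FileVault is a relatively slow hash. hashcat supports attacking FileVault 2 hashes with mode 16700.

As an example of real-world attack capability, if a seven-character password was truly randomly generated, it would take more than seven years to fully exhaust on a rig with six reasonably fast GPUs: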

$ hashcat -a 3 -m 16700 -w 4 filevault.hash ?a?a?a?a?a?a?a
hashcat (v5.1.0-1685-gf946e321) starting...

CUDA API (CUDA 10.1)
====================
* Device #1: GeForce GTX 1080, 7006/8119 MB, 20MCU
* Device #2: GeForce GTX 1080, 7027/8119 MB, 20MCU
* Device #3: GeForce GTX 1080, 7037/8119 MB, 20MCU
* Device #4: GeForce GTX 1080, 7027/8119 MB, 20MCU
* Device #5: GeForce GTX 1080, 7037/8119 MB, 20MCU
* Device #6: GeForce GTX 1080, 7027/8119 MB, 20MCU

[...]


Session..........: hashcat
Status...........: Quit
Hash.Name........: FileVault 2
Hash.Target......: $fvde$1$16$84286044060108438487434858307513$20000$f...704191
Time.Started.....: Wed Mar  4 20:23:59 2020 (11 secs)
Time.Estimated...: Tue May 12 22:42:02 2026 (6 years, 69 days)
Guess.Mask.......: ?a?a?a?a?a?a?a [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    59646 H/s (273.90ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
Speed.#2.........:    59243 H/s (275.66ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
Speed.#3.........:    59351 H/s (275.32ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
Speed.#4.........:    59343 H/s (275.15ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
Speed.#5.........:    60227 H/s (271.48ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
Speed.#6.........:    59819 H/s (273.29ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
Speed.#*.........:   357.6 kH/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 3932160/69833729609375 (0.00%)
Rejected.........: 0/3932160 (0.00%)
Restore.Point....: 0/735091890625 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:2-3 Iteration:0-1024
Restore.Sub.#2...: Salt:0 Amplifier:2-3 Iteration:0-1024
Restore.Sub.#3...: Salt:0 Amplifier:2-3 Iteration:0-1024
Restore.Sub.#4...: Salt:0 Amplifier:2-3 Iteration:0-1024
Restore.Sub.#5...: Salt:0 Amplifier:2-3 Iteration:1024-2048
Restore.Sub.#6...: Salt:0 Amplifier:2-3 Iteration:1024-2048
Candidates.#1....: 1arieri -> 1p8xana
Candidates.#2....: 1(ZDERI -> 1uxMONA
Candidates.#3....: 1w9zana -> 1YiQUS1
Candidates.#4....: 1TdWERI -> 1#UDERI
Candidates.#5....: 1r0qwon -> 1kF~~~1
Candidates.#6....: 1O_ !!! -> 1@[1199
Hardware.Mon.#1..: Temp: 44c Fan: 80% Util:  0% Core:1784MHz Mem:4513MHz Bus:8
Hardware.Mon.#2..: Temp: 36c Fan: 81% Util: 19% Core:1759MHz Mem:4513MHz Bus:4
Hardware.Mon.#3..: Temp: 47c Fan: 80% Util: 42% Core:1860MHz Mem:4513MHz Bus:16
Hardware.Mon.#4..: Temp: 45c Fan: 80% Util: 33% Core:1759MHz Mem:4513MHz Bus:4
Hardware.Mon.#5..: Temp: 37c Fan: 80% Util: 52% Core:1898MHz Mem:4513MHz Bus:1
Hardware.Mon.#6..: Temp: 43c Fan: 80% Util:100% Core:1784MHz Mem:4513MHz Bus:1

Started: Wed Mar  4 20:23:47 2020
Stopped: Wed Mar  4 20:24:12 2020

Of course, since most passwords are not randomly generated, an attacker would exhaust other methods first before resorting to brute force.

Source: https://crypto.stackexchange.com/questions/78005
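For choosing a FileVault password length, the status output quoted in the answer can be turned into exhaustion estimates for longer random passwords. The following is an added example, not part of the original question or answer; the function names are hypothetical, and the rate applies only to the six-GPU rig shown above.

```python
import re

# Three lines copied from the hashcat status output quoted above.
STATUS = """\
Guess.Mask.......: ?a?a?a?a?a?a?a [7]
Speed.#*.........:   357.6 kH/s
Progress.........: 3932160/69833729609375 (0.00%)
"""

UNITS = {"": 1, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}
# Sizes of hashcat's built-in mask charsets ("??" is a literal question mark).
CHARSETS = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256, "?": 1}
SECONDS_PER_YEAR = 365.25 * 86400


def parse_speed(status):
    """Combined rate in hashes per second from the 'Speed.#*' line."""
    m = re.search(r"^Speed\.#\*\.*:\s*([\d.]+) ([kMGT]?)H/s", status, re.M)
    return float(m.group(1)) * UNITS[m.group(2)]


def parse_keyspace(status):
    """Total candidate count from the 'Progress' line (tested/total)."""
    return int(re.search(r"^Progress\.*:\s*\d+/(\d+)", status, re.M).group(1))


def mask_keyspace(mask):
    """Candidates generated by a mask; literal characters contribute a factor of 1."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            total *= CHARSETS[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total


def exhaust_years(mask, rate):
    """Years to try every candidate of `mask` at `rate` hashes per second."""
    return mask_keyspace(mask) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = parse_speed(STATUS)
    assert mask_keyspace("?a" * 7) == parse_keyspace(STATUS)  # 95**7
    for length in range(7, 11):
        print(f"{length} random ?a chars: {exhaust_years('?a' * length, rate):,.1f} years")
```

Each additional random character from the 95-symbol `?a` set multiplies the exhaustion time by 95; the figures are worst-case full-keyspace times, and they say nothing about non-random passwords.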