Interesting

11 readers

1 users here now

Be respectful to other members Treat others with kindness and courtesy, even if you disagree with their opinions.
Stay on topic Keep your discussions relevant to the purpose of the forum. Avoid going off-topic or derailing conversations.
No spamming Avoid posting irrelevant or unnecessary content, advertisements, or links to unrelated websites.
Use proper language and tone Choose your words carefully when commenting or replying to others. Avoid using profanity or engaging in offensive language and personal attacks.
Do not share personal information Protect your privacy by refraining from sharing personal details such as addresses, phone numbers, or email addresses on the forum.
Report any issues If you come across any inappropriate behavior or content, report it to the forum moderators or administrators.
Have fun and contribute positively Participate actively and add value to the discussions. Engage in meaningful and constructive conversations with fellow members.

founded 1 year ago

MODERATORS

atheist@feddit.de

Time it takes to brute force your password (feddit.de)

submitted 1 year ago* (last edited 1 year ago) by atheist@feddit.de to c/interesting@feddit.de

13 comments fedilink hide all child comments

top 13 comments

sorted by: hot top controversial new old

[–] Inductor@feddit.de 8 points 1 year ago* (last edited 1 year ago) (6 children)

~~Unfortunately, this chart is already out of date, the 2023 version looks like this:~~ It is now the up to date chart.

This uses 12 RTX 4090 GPUs and MD5.

For the old chart you would need 40 billion guesses per second, and that is what the RTX 2080 was at five years ago. With a RTX 4090 you can guess 164 billion hashes per second.

Using 8 AWS A100 GPUs at $32.77/h you can guess over 520 billion times a second and then the chart looks like this:

All the charts and benchmark numbers are from here. There is way more on that page that I'm just going to leave out here, but I recommend you read through it.

Of course this isn't quite accurate, this assumes the hashing algorithm MD5 which is no longer recommended, because it's so fast. It also ignores salting. But it assumes the worst case, a complete brute force with no dictionary/rainbow table, so I think it's not a bad estimate.

Edit: spelling

Edit again: The comment I was referring to is gone, so I removed the refrence. The numbers are still correct though.

[–] SitD@feddit.de 3 points 1 year ago (1 children)

thanks for this, OP forgot to mention that it's MD5 and i think that's absolutely crucial

[–] Inductor@feddit.de 5 points 1 year ago

Yes, this is what it looks like using bcrypt, and the same AWS GPUs:

But they also mention that most low priority logins that people don't care about like forums, restaurants, etc. still use MD5, and password reuse becomes a huge problem here.

[–] atheist@feddit.de 1 points 1 year ago

Ohh, thanks. I updated it.

load more comments (4 replies)

[–] rauls4@lemm.ee 6 points 1 year ago (1 children)

Don’t most systems lock out accounts after a few failed attempts?

[–] ChaoticNeutralCzech@feddit.de 11 points 1 year ago (1 children)

This assumes you can obtain the hashed & salted version of the password from the server, or it's a local PDF/ZIP/etc file password. Still, you have 2FA to go through once you guess the plaintext password.

[–] rauls4@lemm.ee 1 points 1 year ago (1 children)

So it becomes a concern when someone steals a bunch of passwords from a server?

[–] ChaoticNeutralCzech@feddit.de 5 points 1 year ago* (last edited 1 year ago) (1 children)

No legitimate websites will store passwords as plaintext, instead their salted (mathematically modified) hashes. They do not have your plaintext password but there is a mechanism of checking your password attempt. If the hacker interrupts this mechanism, they can steal plaintext passwords every time they are used. However, most of the time they "just" gain access to the database and get the hashed & salted versions, and can often find out what the hash & salt algorithm is by reverse-engineering their own entries. Then, they obtain a list of top 1B+ common passwords (includes all 4-digit numbers, "password" and curse words in all languages, pretty much every English word imaginable, most given names in the world, every date from the last 100 years in various formats, correct horse battery staple and entries from previous breaches) and for every hash & salt they compute, they check if it matches any known hash & salt of any user they're interested in (could be just a few or all) matches. This dictionary attack will match the weakest passwords, and any matches give the hacker confidence that their method is correct. After that, they either start extending the dictionary (combining words with other words, letters and numbers), or brute forcing every combination of numbers, letters and symbols (with some heuristics: most passwords use way fewer symbols than letters).

So "password breaches" are concerning because the hacker gets any number of retries for anyone's password if they have the time and computing power. Therefore, it is very advisable to change your password after such a breach is discovered. This takes anywhere between 1 day to a month so if your password cannot be cracked in that time, you should be reasonably safe.

[–] rauls4@lemm.ee 1 points 1 year ago

Very good explanation. I think this kind of clarification is important when we see charts like these.

[–] Quetzacoatl@feddit.de 2 points 1 year ago* (last edited 1 year ago) (1 children)

neat, what I take from this and the discussion below is that with a pw containing upper- and lowercase letters, numbers as well as symbols that 12 characters is just long enough.

[–] MystikIncarnate@lemmy.ca 1 points 1 year ago

The objective for password cracking is to obtain the hash of the users password. Obviously, if the intruder can get the raw password, that's better for them and doesn't require cracking.

If there hash can be obtained, then the objective becomes to match it. Since most passwords are stored in a one-way hash, you basically take a known value, run it though the hash, and compare the result with the hash. If they match, then the known value is the password (or at least one that has a hash overlap with the correct password (which is good enough).

Brute forcing the password prompt generally doesn't work because of lockouts on password attempts at the page, and you're correct on that, so it's not a valid way to attack the system for the password.