Time to crack a password

in #cryptocurrency, 7 years ago (edited)


First 2 little notes:

  1. The tables in this article will probably not read well on a smartphone, so it's recommended to read it on a desktop computer.
  2. Although I took much care when calculating, please correct me wherever I'm wrong.

Now to the real story:
I saw this picture and read a story that any 8 character password could be cracked in less than 4 hours, even when special characters are used. So I was confused. What's true? I wanted to get to the bottom of it and found that it all comes down to the variables. In this article I’ll walk you through my findings.

First, password cracking can be done through several methods, some more sophisticated than others.

If you don’t know about guessing (with a smart word list), phishing, malware or social engineering, then have a look at this article where it is all explained. It all comes down to this: don’t use simple passwords, don’t re-use passwords, don’t expose them to anyone and use a good anti-virus program.

The one that I fear (and the article refers to) is the brute force attack, because there’s no way around it. With this method you can make it harder for hackers, but never impossible, to find out your password. I thought that websites would block access after several attempts, so it would be impossible to try so many passwords. But hackers take the process offline (working on a stolen list of password hashes) and can then try a gazillion passwords per second. Hashcat, for instance, claims to be the world’s fastest and most advanced password recovery tool. Other examples are John the Ripper and Brutus.

The number of passwords that can be tried depends on the hash rate, and I found an article that provides the maximum hash rate of a modern computer and of a supercomputer with the power of 100’000 computers. On the basis of this information, I made the tables below, where you can look up the strength of your password. Do note that it all depends on the variables. How quick is/are the computer(s)? When do we expect to find the password: when we have tried 100% of the possibilities, or on average after 50%? However you look at it, the tables give a clear indication that passwords start to get hard to crack from 10 characters out of the full set.

First I calculated the number of possible combinations for different sets of characters, combined with the length of the password. It's obvious that the larger the set and the longer the password, the more possibilities there are. I intentionally didn't cut off the zeros, so that the numbers can be compared.
[Image: possibilities.jpg (table of possible combinations per character set and password length)]

Now I used the same assumptions as in this article:
[Image: Assumptions.jpg (hash rate assumptions for a single computer and a supercomputer)]

And got these results (in days) for a single computer:
[Image: Single.jpg (crack times in days, single computer)]

And these results (in days) for a supercomputer:
[Image: Super.jpg (crack times in days, supercomputer)]

So yes, with these assumptions, an 8 character password drawn from the whole character set could be cracked in 0.165 days on a supercomputer, which corresponds to 3.96 hours. The 8 character password abcdefgh, however, would only take 0.000021 days or 1.7 seconds to crack.
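To make the three variables (character set, length, hash rate) explicit, here is an added Python example that is not part of the original post. The hash rates in it are assumptions: the supercomputer rate is chosen so that the calculation reproduces the post's 0.165 days for an 8 character password from an 80 character set, and the single computer is taken to be 100'000 times slower, as the post assumes.

```python
"""Crack-time estimate from character set size, password length and guess rate.
Added example; the rates below are constructed assumptions, not the post's data."""

SECONDS_PER_DAY = 86_400
# Assumed guesses/second: calibrated so that exhausting 80^8 passwords takes
# about 0.165 days (the post's supercomputer figure); a single computer is
# assumed to be 100'000 times slower, as the post states.
SUPERCOMPUTER_RATE = 1.17e11
SINGLE_COMPUTER_RATE = SUPERCOMPUTER_RATE / 100_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def days_to_crack(charset_size: int, length: int, rate: float,
                  fraction: float = 1.0) -> float:
    """Days to try `fraction` of the keyspace (1.0 = worst case, 0.5 = average)."""
    return keyspace(charset_size, length) * fraction / rate / SECONDS_PER_DAY


def min_length_for(charset_size: int, rate: float, target_days: float) -> int:
    """Smallest length whose full keyspace takes at least `target_days` to exhaust."""
    length = 1
    while days_to_crack(charset_size, length, rate) < target_days:
        length += 1
    return length


def crack_table(lengths=range(6, 15), charsets=(26, 36, 62, 80),
                rate=SUPERCOMPUTER_RATE):
    """Rows (length, {charset_size: days}) like the post's tables, worst case."""
    return [(n, {c: days_to_crack(c, n, rate) for c in charsets}) for n in lengths]


if __name__ == "__main__":
    sets = (26, 36, 62, 80)
    print(f"{'len':>3} " + " ".join(f"{c:>12}" for c in sets))
    for n, row in crack_table():
        print(f"{n:>3} " + " ".join(f"{row[c]:>12.3g}" for c in sets))
    secs = days_to_crack(26, 8, SUPERCOMPUTER_RATE) * SECONDS_PER_DAY
    print(f"abcdefgh on the supercomputer: {secs:.1f} seconds")
    print("length needed for >= 1 year (80-char set):",
          min_length_for(80, SUPERCOMPUTER_RATE, 365))
    print("12 random chars, 80-char set, hardware 1000x faster:",
          f"{days_to_crack(80, 12, SUPERCOMPUTER_RATE * 1000):.0f} days")
```

The last two lines show why the post's conclusion lands on 10 to 12 characters: with these rates an 80 character set first exceeds a year at length 10, and length 12 still holds up against hardware a thousand times faster.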

This raised a few more questions for me. What supercomputers are available? At what price? Is this accessible to anyone? Is password hashing any different from hashing for Bitcoin mining? Where does this go in the future? Is it not already too late?

First, the number of supercomputers is huge: this website lists the official top 500 by computing power and their location. Fortunately, most of these are used for purposes other than password cracking; many are used for research and development, including research about climate change. Nevertheless, it is possible to hire computing power. According to this article, we can hire a supercomputer at a rate of 93 petaflops for under GBP 100 per hour. According to this calculation, that corresponds to roughly 7 billion hashes per second. According to this article, a botnet of 400'000 computers is possible, which would reduce the above mentioned times roughly by a factor of 4. So yes, it's available, albeit at a price.

In the future, the speed will only increase. The picture below shows the rate at which processing speed increased in the last 20 years, and this is not likely to slow down. Furthermore, Golem is working on a decentralized supercomputer, connecting the world's fastest computers and making them accessible to everyone. For people interested, see their website at https://golem.network/

Finally, is it not already too late? You can check on this website whether your e-mail address appears in any of the leaked lists:
https://haveibeenpwned.com/

In conclusion: passwords start to get safe from 10 characters, but to protect yourself from advancing technology it's best to choose a random 12 character password from an 80 character set (including letters, numbers and other characters) and not to re-use it.

If you’d like to see a hacker who exposes the humor of it, have a look at this TED video (recorded back in 2012!).
