Brute force time chart

Borg 386 · 05 Mar 2022

A chart with some info on how long it takes to brute force hack something nowadays.

TairikuOkami · 05 Mar 2022

OK, now try to use GPU instead.

Password Check | Kaspersky

Ghot · 05 Mar 2022

TairikuOkami said:

OK, now try to use GPU instead.

Password Check | Kaspersky

I just typed this into the password tester.... it said it would take 10000+ centuries to crack.

bner-vgf098134y-t7819u34h-gf98h3er480gj3r490t`gj=3954jgf`i980234njfi9023jm-fo

This is apparently, also a great password taking 10000+ centuries to crack...

supercalifragilisticexpialidocious

TairikuOkami · 05 Mar 2022

Ghot said:

This is apparently, also a great password taking 10000+ centuries to crack...

In the meantime, I use webpages names as the password (for one time use). Well it beats Password123

Code:

https://www.tenforums.com

Ghot · 05 Mar 2022

TairikuOkami said:

In the meantime, I use webpages names as the password. Well it beats Password123.

Code:

https://www.tenforums.com

Yes, but this all assumes straight cracking. They can help password crackers along, so they are much faster.
Something like...

IF the cracker finds two // in a row, or maybe htt
THEN start checking for common website addresses.

mngerhold · 05 Mar 2022

Ghot said:

IF the cracker finds two // in a row, or maybe htt

A question out of ignorance: how could a cracker find part of a password? Surely not if it had been hashed?

Ghot · 05 Mar 2022

mngerhold said:

A question out of ignorance: how could a cracker find part of a password? Surely not if it had been hashed?

I can't really explain it very well.

By way of analogy... let's say you wanted to find the fastest route between NY and SF, and you were starting in NY.
Already you know, you aren't gonna want roads that go North or South or East, so you just eliminated 75% of the possible roads.

The same with passwords. Let's just say that all passwords were required to have characters including...
uppercase, lower case, numbers, and symbols. Already you can eliminate any passwords that are ALL...
numbers, or lower case, or upper case or symbols, because the requirements were for some of each.

Then let's say all the possible passwords have to be created on a US English keyboard.
You can then eliminate all non-US English characters as well.

Then let's add in a requirement that all passwords have to be eight characters or more.
You can then eliminate all passwords that are less than eight characters.

The point is... a brute force tool by itself is fast. BUT, it's that much "faster", if humans can come along and say you don't have to "try" for... this and this and this and this... etc.

There will also be many hash formulae that can be eliminated as well.
And there won't be THAT many possible hash formulae to begin with.

Really short version...

Brute force with some human grey matter direction, will be much faster than "just" brute force.

Let's say you're a hacker and you want to brute force everyone's password at... Bank X.
When a person goes to make a password at Bank X, there will be certain password requirements.

So right there, you can instruct your brute force program to "skip" searching for all passwords that don't fit those password requirements. And I'm sure there are more "eliminations" that can be made.

WXC · 06 Mar 2022

Ghot said:

I can't really explain it very well.

By way of analogy... let's say you wanted to find the fastest route between NY and SF, and you were starting in NY.
Already you know, you aren't gonna want roads that go North or South or East, so you just eliminated 75% of the possible roads.

The same with passwords. Let's just say that all passwords were required to have characters including...
uppercase, lower case, numbers, and symbols. Already you can eliminate any passwords that are ALL...
numbers, or lower case, or upper case or symbols, because the requirements were for some of each.

Then let's say all the possible passwords have to be created on a US English keyboard.
You can then eliminate all non-US English characters as well.

Then let's add in a requirement that all passwords have to be eight characters or more.
You can then eliminate all passwords that are less than eight characters.

The point is... a brute force tool by itself is fast. BUT, it's that much "faster", if humans can come along and say you don't have to "try" for... this and this and this and this... etc.

There will also be many hash formulae that can be eliminated as well.
And there won't be THAT many possible hash formulae to begin with.

Really short version...

Brute force with some human grey matter direction, will be much faster than "just" brute force.

Let's say you're a hacker and you want to brute force everyone's password at... Bank X.
When a person goes to make a password at Bank X, there will be certain password requirements.

So right there, you can instruct your brute force program to "skip" searching for all passwords that don't fit those password requirements. And I'm sure there are more "eliminations" that can be made.

Don't sell yourself short, Ghot.

I think that is an excellent explanation.

Thank you.

mngerhold · 06 Mar 2022

OK - but I still don't get it - by what mechanism can a hacker find two // in a row?

Ghot · 06 Mar 2022

mngerhold said:

OK - but I still don't get it - by what mechanism can a hacker find two // in a row?

Last time I coded anything was 1984, but, an IF/THEN statement would do it.