
More info about the kind of devices you're basing your password cracking time on

Open ghost opened this issue 7 years ago • 10 comments

If I visit https://howsecureismypassword.net and enter a password it says: It would take a computer about [enter amount of time here] to crack your password.

What kind of computer are you referring to? Are you referring to any cheap consumer laptop? Are you referring to high-end/gaming PCs? Are you referring to specialized hardware?

I think it would be very interesting if you were to add such information to your website.

Knowing that some computer I don't know the specs of could crack 78432538 in 10 milliseconds is interesting. Knowing that my $1000 laptop, or my friend's $400 tablet could do it in a similar amount of time brings the whole thing very much down to Earth, I think. It makes the threat real.

Regards.

ghost avatar Jan 30 '18 13:01 ghost

I'm planning on adding a bit more information about that side of things in the next version of the site.

Generally you'd use a graphics card for this sort of thing. It's currently based on a mid-range graphics card - so well within reach of someone that wanted to try.

It is however based on the assumption that the person has a hashed version of your password - which would only be the case if they'd got a leaked database.

smallhadroncollider avatar Jan 30 '18 16:01 smallhadroncollider

Thank you for getting back to me so quickly. I'm happy to hear that you'll be adding info about that in your next release. Do you already have a time-frame for it?

...It's currently based on a mid-range graphics card...

Something like a GeForce 1030, or even an integrated GPU like the Intel ones?

...that the person has a hashed version of your password...

What kind of hashing are we talking about? Something along the lines of what Dropbox is doing? https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords

Regards.

ghost avatar Jan 30 '18 16:01 ghost

Not sure about time frames. I've been wanting to do it for a few years, but I haven't had the time - so I don't want to commit to anything. But I'd like to get it done sooner rather than later.

I'm not sure about specific graphics cards. I doubt integrated ones would be fast enough. But a GeForce would probably do it.

It's based on fairly basic hashing algorithms. If they're using bcrypt or newer hashing techniques then it's probably unrealistic to crack it. Dropbox look like they've given it a lot of thought.

smallhadroncollider avatar Jan 31 '18 11:01 smallhadroncollider

Hi.

It's based on fairly basic hashing algorithms.

Something like a non-salted SHA2 hash?

ghost avatar Jan 31 '18 12:01 ghost

Yeah. As the Dropbox article says:

A modern commodity CPU can generate millions of SHA256 hashes per second. Specialized GPU clusters allow for calculating hashes at a rate of billions per second

smallhadroncollider avatar Jan 31 '18 15:01 smallhadroncollider
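The exchange above turns on two separate properties of "fairly basic hashing": an unsalted hash lets one computed guess be checked against every user in a leaked database at once, and a fast hash (SHA-256) makes each guess nearly free, which is what bcrypt is designed to fix. The following is an added example, not code from the site or from either participant; the "leaked database", the user names and the candidate word list are constructed here, and PBKDF2 from the Python standard library stands in for bcrypt purely to show the per-guess cost difference.

```python
import hashlib
import os
import time

# Constructed sample of a leaked user table. Two users chose the same password,
# which is common in real breaches and is exactly what salting is meant to hide.
USERS = {"alice": "ygd7sa89", "bob": "ygd7sa89", "carol": "letmein1"}

# Constructed attacker word list; in practice this is a multi-million-line file.
CANDIDATES = ["password", "123456", "qwerty", "letmein1", "ygd7sa89"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsalted_dump(users):
    """Store passwords as bare SHA-256, as many services still did in 2018."""
    return {u: sha256_hex(p.encode()) for u, p in users.items()}


def salted_dump(users, salt_len=16):
    """Store a random per-user salt beside the hash (the salt is not secret)."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        out[u] = (salt.hex(), sha256_hex(salt + p.encode()))
    return out


def crack_unsalted(dump, candidates):
    """One hash per candidate, reused against every user: build a reverse
    index hash -> password once, then look every user up in it.
    Returns (recovered passwords, number of hash computations)."""
    table = {sha256_hex(c.encode()): c for c in candidates}
    found = {u: table[h] for u, h in dump.items() if h in table}
    return found, len(candidates)


def crack_salted(dump, candidates):
    """The salt forces one hash per (user, candidate) pair, so the work
    scales with the number of users; a shared password no longer shares work."""
    found, work = {}, 0
    for u, (salt_hex, h) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for c in candidates:
            work += 1
            if sha256_hex(salt + c.encode()) == h:
                found[u] = c
                break
    return found, work


def per_guess_cost(iterations=100_000, samples=20):
    """Seconds per guess for plain SHA-256 versus a deliberately slow KDF.
    PBKDF2-HMAC-SHA256 is used here as a stand-in for bcrypt (assumption:
    it is not bcrypt, but it has the same tunable-cost property)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(salt + b"ygd7sa89").digest()
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"ygd7sa89", salt, iterations)
    slow = (time.perf_counter() - t0) / samples
    return fast, slow


if __name__ == "__main__":
    found, work = crack_unsalted(unsalted_dump(USERS), CANDIDATES)
    print("unsalted:", found, "hashes computed:", work)
    found, work = crack_salted(salted_dump(USERS), CANDIDATES)
    print("salted:  ", found, "hashes computed:", work)
    fast, slow = per_guess_cost()
    print(f"per guess: sha256 {fast:.2e}s, pbkdf2 {slow:.2e}s, ratio {slow / fast:.0f}x")
```

Note that salting alone does not change the cost of a single guess; the salted run recovers the same passwords, it just cannot amortise one SHA-256 across all users. The per-guess slowdown, which is what makes the thread's "probably unrealistic to crack" true for bcrypt, comes only from the slow KDF.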

Assuming that most (or at least a lot of) online services still use pretty basic hashing algorithms (if they use them at all) and knowing what I now know (because I asked you) has helped me realize how real this threat is.

I think the same information could help other people as well. I think that adding to your website the information you shared with me here on GitHub (without necessarily going into specifics) could help people better understand the information your website is already providing them.

Wouldn't you agree that knowing that anyone with access to some breached non-salted password hashes and a computer with a pretty inexpensive mid-range GPU (like a GeForce GPU) in it could crack "ygd7sa89" in 1 minute is better than just knowing that some computer could crack that password in 1 minute?

ghost avatar Jan 31 '18 17:01 ghost

Indeed. The site did use to specify a "desktop PC", then I added other options, but the UX got really messy, so I simplified it. But a bit more information would be useful for people.

smallhadroncollider avatar Feb 01 '18 17:02 smallhadroncollider

All right! I look forward to seeing that additional info being added to the site. Thank you for engaging in this conversation.

Bye 👋

ghost avatar Feb 01 '18 20:02 ghost

The current "calculationsPerSecond" that the web is using is 4e10 = 40e9 = 40,000 MH/s.

Using a 2080 Ti:

- MD5 = 50,500 MH/s = 50.5e9
- MD5 + Salt = 27,200 MH/s = 27.2e9
- SHA1 = 15,900 MH/s = 15.9e9
- SHA1 + Salt = 12,200 MH/s = 12.2e9
- SHA2-256 = 7,150 MH/s = 7.15e9
- SHA-256 + Salt = 7,075 MH/s = 7.075e9
- SHA2-512 = 2,320 MH/s = 2.32e9
- SHA-512 + Salt = 2,080 MH/s = 2.08e9
- bcrypt = 26,500 H/s = 26.5e3

dav1312 avatar Aug 19 '20 14:08 dav1312

@da19961 Thanks for that.

smallhadroncollider avatar Sep 14 '20 10:09 smallhadroncollider
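To put the thread's numbers together: the site's estimate is keyspace divided by a fixed guess rate, and dav1312's 2080 Ti figures show how much that rate depends on the hash. The following is an added example, not the site's code; the keyspace model (every character class present in the password, raised to its length, with the whole space searched in the worst case) is an assumption about how such sites estimate, not something the thread confirms, and the rate constants are the ones quoted in the comments above.

```python
import string

# calculationsPerSecond from the site, as quoted in the thread.
SITE_RATE = 4e10

# Single RTX 2080 Ti rates (hashes/second) quoted in the thread, unsalted variants.
RATES_2080TI = {
    "MD5": 50.5e9,
    "SHA1": 15.9e9,
    "SHA2-256": 7.15e9,
    "SHA2-512": 2.32e9,
    "bcrypt": 26.5e3,
}

# Character classes a brute-force attacker would enumerate (assumption: the
# attacker knows which classes are in use, but not the password itself).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def alphabet_size(password: str) -> int:
    """Sum of the sizes of every character class the password uses."""
    size = 0
    for cls in CLASSES:
        if any(c in cls for c in password):
            size += len(cls)
    if size == 0 or any(all(c not in cls for cls in CLASSES) for c in password):
        raise ValueError("example only models printable ASCII passwords")
    return size


def keyspace(password: str) -> int:
    return alphabet_size(password) ** len(password)


def crack_seconds(password: str, rate: float) -> float:
    """Worst case: the whole keyspace is tried. The average case is half this."""
    return keyspace(password) / rate


UNITS = [("years", 365 * 24 * 3600), ("days", 86400),
         ("hours", 3600), ("minutes", 60), ("seconds", 1)]


def humanize(seconds: float) -> str:
    if seconds < 1:
        return f"{seconds * 1000:.3g} milliseconds"
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Crack-time estimate for the site's constant and for each 2080 Ti rate."""
    out = {"site (4e10/s)": crack_seconds(password, SITE_RATE)}
    for algo, rate in RATES_2080TI.items():
        out[f"2080 Ti {algo}"] = crack_seconds(password, rate)
    return out


if __name__ == "__main__":
    for pw in ("78432538", "ygd7sa89"):
        print(pw, "keyspace", keyspace(pw))
        for label, secs in report(pw).items():
            print(f"  {label:18s} {humanize(secs)}")
```

Running it reproduces the thread's intuition: "ygd7sa89" (36 symbols, 8 long, about 2.8e12 guesses) takes roughly a minute at the site's 4e10/s and well under a minute against unsalted MD5 on one card, but the same keyspace against bcrypt at 26,500/s is measured in years. The estimate is a floor, not a ceiling: it assumes pure brute force, while real attackers try leaked-password lists and rules first, so a "random-looking" password that has already appeared in a breach falls far faster than this model suggests.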