lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 23 Dec 2014 09:46:58 +0800
From: Ben Harris <>
Subject: Re: [PHC] How important is salting really?

On 23/12/2014 8:49 am, "Jeremy Spilman" <> wrote:
> Another way to look at it, what is the minimum amount of entropy a
password would need under the hashing scheme to resist an offline attack
given some assumed resource and time constraint? E.g. For 2,048 MD5, lets
say I can target a single account with $10,000 of hardware and achieve 50
MH/s, or 30 trillion guesses in a week's time, that's going to successfully
crack what percentage of user-chosen passwords?

First question is what percentage of user-chosen passwords are on a
dictionary (probably a range depending on the community). For the remainder
you'd need to guess the percentages that are
guessable-by-candidate-generation and those that are
fully-randomly-generated. There might be an in between group.

Those on a dictionary will fall very quickly (time and money cost is very
low), the candidate generation ones are a little slower (I don't have the
data to guess with), and the random ones are the slowest with the highest
time and money cost.

Roughly, an 8 character randomly generated alphanumeric password (no
symbols) is about 48 bits of entropy. With your 50MH/s rate that is almost
26 bits per second, giving about 2 months to check all the options
gives about $100 in electricity). Each additional character is ~64 times
slower and more expensive.

N.B. did the calcs on my phone while typing so numbers may be off.

Content of type "text/html" skipped

Powered by blists - more mailing lists