lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 22 Dec 2014 22:37:45 -0800
From: epixoip <epixoip@...dshell.nl>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] How important is salting really?

On 12/22/2014 7:34 PM, Ben Harris wrote:
> On 23 December 2014 at 11:09, epixoip <epixoip@...dshell.nl
> <mailto:epixoip@...dshell.nl>> wrote:
>
>     To exhaust 62^8 keyspace with this
>     cluser would take ~50.5 days and cost ~ $1842.24 @ $0.20/kWh. Average
>     PUE in 2014 is 1.7 so actual electricity cost would be more like
>     $3684.48.
>
>     And that's just for a single hash. For 400k salts (which is what
>     Sc00bz
>     estimated in the comments) the effective rate with 16x 290X would only
>     be about 63 H/s.
>
>
>
> Awesome. I'm guessing you have the info to estimate the breakup
> between on-dictionary, near-dictionary (candidate gen), and random
> passwords? Any chance you can do some guesstimates on the other two
> categories for completeness.
>
> I guess at 63 H/s you can cover the top 20K passwords in 5 and a half
> minutes (for a cost of about 28c compared to the $3684.48). And hit
> 2^28 candidates in the same time/cost as the above example (for all
> the hashes instead of just 1).

Certainly. Though it's kind of hard to say, because Ars is a tech site
with fairly educated readers, and Ars frequently covers password
breaches, password cracking, and password security, so there are likely
more users using a password manager than we've seen in previous
breaches. There are likely a fair amount of people using "throwaway"
passwords, but even their throwaway passwords are likely better than
most people's passwords.

We've seen this in other breaches as well. For example, there's more of
an overlap between Rockyou and Gawker  (43%) and Rockyou and Battlefield
(29%) than there is between Rockyou and LinkedIn (10%) or Rockyou and
Stratfor (4%).

So knowing that Ars users are likely more on the Stratfor spectrum than
the Rockyou spectrum, let's split the difference between LinkedIn and
Stratfor. 0.08% of Stratfor users picked a top 20k password, and 0.27%
of LinkedIn picked a top 20k password. Rockyou.txt + best64.rule picked
up an additional 2.84% for Stratfor and 10.51% for LinkedIn over
rockyou.txt alone.

So let's assume that 0.17% of Ars readers picked a top 20k password, an
additional 7.5% picked a password from Rockyou (rockyou.txt is pretty
much the de facto base wordlist these days), and an additional 11.93%
can be cracked with rockyou.txt + best64.rule. This means...

680 salts eliminated after 5.3 minutes. Effective speed is roughly still
63 H/s.
30680 salts eliminated after 2.6 days. Effective speed increases to 68 H/s.
78400 salts eliminated after 156 days. Effective speed increases to 78 H/s.

So after 158 days we likely would only have ~ 19.6% of the list cracked.
Which seems to be a pretty accurate estimate. The Forbes breach, which
was also PHPass, is only 16.2% cracked after 10 months.


Powered by blists - more mailing lists