Does anyone know the rate at which password-cracking methods are improving? Specifically: what is the doubling time?

Also: the process is probably best expressed as keys cracked per second per $1,000 investment, or $1/(key-second). It's not a flat rate, it's a cost-dependent rate for a given point in time.

Quick maths suggests that if the rate-doubling time is 2 years, and a current key is rated at 1 trillion years, *ACTUAL* effective strength is less than 70 years.

@dredmorbius That depends entirely on the hashing function that you use. With a proper password hash function (which uses tons of memory and can't be parallelized for GPUs), even weak passwords would take a long time to crack. Of course if you use md5 without salt, you don't even need to crack anything as rainbow tables are publicly available.

@felix Best available / state-of-the-art, method-independent.

I'm looking for the best achieved rates, or keys/sec-dollar net.

I'm remembering the first DES/RSA brute force contests back in the 1990s.

tjscott.net/crypto/des.hack.ht

@felix Oh, the *encrypted* hashing function. Fair point. My bad.

Standardising on something then ... 3DES, maybe?

@dredmorbius 3DES is an encryption function, not even a hashing function (and it's very old). So if you use that for passwords, you already fucked up.

Check out this page, especially the section about key stretching: crackstation.net/hashing-secur

This one has some more info about hashing algorithms: security.blogoverflow.com/2013

@dredmorbius I've written UI code before (in keysafe) that estimates time to crack the user's password, and I used Moore's law and AWS spot instance pricing.

@joeyh Oh, nice approach.

The thing with exponentials is that the crack time starts getting really fast, really fast, a few generations out. The doubling rate matters far more than the cracking rate.

You might alternately set a budget for cracking and compute how long before the password will be hackable at, say, $1m, $1k, $100, and $1.

My intuition is that those will not be separated by much time.

OK, maybe _some_ time -- about 20 years. 3.3 years per OoM.

How much trouble are you worth?

@joeyh If I've got this figured right, the key is crackable for about $1 in 53 years, assuming Moore holds up.

Is your spot pricing following Amazon's pricing trends?

@dredmorbius massively parallel hash chips aren't going to have the same gate size issues as CPUs either.
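The two estimates the thread works through (the effective lifetime of a "1 trillion years" rating when attacker speed keeps doubling, and the year in which a crack becomes affordable at a given budget) can be written down as a small model. The code below is an added illustration, not code from the thread or from keysafe. It assumes continuous exponential growth: attacker throughput per dollar doubles every `doubling_years`, so cost per unit of work halves on the same schedule. One order of magnitude in cost then takes `doubling_years * log2(10)` years; with a one-year doubling time that is 3.32 years per order of magnitude, which is the figure the thread uses. The starting cost of `1e16` dollars in the demo is a constructed value chosen so the schedule can be read against the thread's numbers.

```python
import math


def effective_crack_years(nominal_years, doubling_years):
    """Years until a search rated at `nominal_years` of today's compute
    actually finishes, if the attacker's throughput doubles every
    `doubling_years` (attacker continuously upgrades hardware).

    Work done by time t is the integral of 2**(u/T) from 0 to t, which is
    (T/ln 2) * (2**(t/T) - 1).  Setting that equal to `nominal_years`
    and solving for t gives the closed form below.
    """
    if nominal_years <= 0:
        return 0.0
    return doubling_years * math.log2(
        1 + nominal_years * math.log(2) / doubling_years
    )


def years_per_order_of_magnitude(doubling_years):
    """Years for cost-per-crack to fall by a factor of 10."""
    return doubling_years * math.log2(10)


def years_until_affordable(cost_today, budget, doubling_years):
    """Years until a crack that costs `cost_today` dollars now costs at
    most `budget` dollars, with cost halving every `doubling_years`.
    Returns 0.0 if it is already within budget."""
    if budget >= cost_today:
        return 0.0
    return doubling_years * math.log2(cost_today / budget)


def budget_schedule(cost_today, budgets, doubling_years):
    """Map each budget to the number of years until the crack costs that
    much, i.e. the 'how much trouble are you worth' table."""
    return {
        b: years_until_affordable(cost_today, b, doubling_years) for b in budgets
    }


if __name__ == "__main__":
    # Constructed demo values: a key rated at 1e12 years with a 2-year
    # doubling time, and a crack costing 1e16 dollars today with a
    # 1-year doubling time (the thread's 3.3-years-per-OoM assumption).
    print("rated 1e12 years, doubling every 2y -> %.1f years"
          % effective_crack_years(1e12, 2))
    print("years per order of magnitude at 1y doubling: %.2f"
          % years_per_order_of_magnitude(1))
    for budget, years in budget_schedule(1e16, [1e6, 1e3, 1e2, 1], 1).items():
        print("crackable for $%g in %.1f years" % (budget, years))
```

The first function is the one worth staring at: a rating of a trillion years collapses to under a century as soon as the attacker's speed compounds, and the result is governed almost entirely by the doubling time rather than by the nominal rating. The budget schedule shows the other observation from the thread, that successive budget tiers are only a few years apart, because each factor of ten in price is a fixed number of years on an exponential curve.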
mastodon.cloud