Time it takes to Brute Force passwords in 2023


Michael L
Apr 19, 2023, 3:32:29 AM
to nlug...@googlegroups.com

Thomas Bartkus
May 2, 2023, 1:43:57 PM
to NLUG
I have quibbles with their methodology.  Their computer already has the password they submit and a separate program has to guess what it is.  By brute force.  Try something then try the next.

The problem is that in the real world they don't know what the password is.  They have to test the trials against a remote or a website.  Common practice is to make the verification deliberately slow.  Enforcing a one-second turnaround time means it takes a full second to know if they got a hit.  This lengthens the time to crack it enormously.  A 2-second delay doubles the time again.  An enormous time overhead over which the attacking computer has no control.

To get a true picture they need to test against a real (slow!) verification process outside their control.  Even the simplest passwords would take days to crack no matter how fast their computers were. I think their chart is wildly inaccurate.

What am I missing here?

Csaba Toth
May 2, 2023, 2:36:34 PM
to nlug...@googlegroups.com
Well, some of the data breaches may get hold of the password hash. Like the master passwords in the case of the LastPass breach, and in this case you don't have to deal with the delay it takes for a bot to properly go through the login process (entering username and password in a GUI and clicking a button), like I see they constantly try on an exposed RDP endpoint. So in that case they can brute force closer to the "source"; however, as you mentioned, even the LastPass master password was hashed I think 100,100 times - or something - by default (and they are raising it to 600,000), which is deliberately to make a brute force ~100k times slower.
I don't know if that hash algorithm is in alignment in any way with the hashes the cryptocurrencies use. In that case a hacker might utilize ASICs specifically developed for crunching hashes; those miner rigs are insanely fast compared to even a GPU. Bard gave me this figure:

Device        Hash rate
CPU           1-10 MH/s
GPU           100-600 MH/s
ASIC miner    1-10 TH/s

As you see, an ASIC miner could be 1,000-10,000x faster than a GPU. So with a 10 TH/s miner you can try 10^13 / 10^5 = 10^8 passwords per second for a LastPass master password. Then comes the question of how big your dictionary is, and there are techniques like https://en.wikipedia.org/wiki/Rainbow_table which cut down the crack time.

So it really depends on the hacker's budget and definitely on the complexity of the password. Quantum computers might change the picture, but that's still a few decades away (fortunately).


--
You received this message because you are subscribed to the Google Groups "NLUG" group.
To post to this group, send email to nlug...@googlegroups.com
To unsubscribe from this group, send email to nlug-talk+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en

Csaba Toth
May 2, 2023, 2:53:46 PM
to nlug...@googlegroups.com
BTW, the source of the table is there under the table, https://www.hivesystems.io/blog/are-your-passwords-in-the-green?utm_source=tabletext, and it's a very interesting read! They talk about the actual hash schemes used (LastPass is PBKDF2 SHA-256, which is better than some services using bcrypt).
Seemingly they were only thinking in the GPU space (and I have a feeling there's a reason they haven't considered ASIC miners). They scaled it up to a cloud provider having more than a dozen Tesla A100s though.
ChatGPT used a ~10,000-GPU cluster on Azure for training, and for fun they even considered that. If it was up to me I'd try to abuse an ASIC miner for cracking instead of crypto (in case the goal is to crack a password).
Let's think outside of the box, just like GPGPU computing was such a thought when GPUs were only developed for 3D games in the beginning.

THOMAS BARTKUS
May 2, 2023, 3:33:40 PM
to nlug...@googlegroups.com, Csaba Toth
>> So with a 10 TH/s miner you can try 10^13 / 10^5 = 10^8 passwords per second ...

This ignores the intolerable overhead created by the computer you are trying to hack!
If the remote is deliberately imposing a 1-second turnaround to verify, then using your 10^8 password attempts, the situation is thus:

10^8 seconds / 60 (minutes) / 60 (hours) / 24 (days) / 365 (years)
10^8 / 60 / 60 / 24 / 365 = 3.17 years of overhead that the attacking computer has no control over.  Your computer speed is of no consequence.

Assuming that your quantum magic computer might chew through 10^8 permutations in one second, that still means 3.2 years + one second to do the job.

Of course, you might get lucky and strike gold after the first 8 months.
Or you can attack 100 different computers at once improving the chances of a single successful hit in a shorter period of time.

But the fact remains I think the "Hive Systems" chart is a fantasy designed to scare you into using their services.

Did I forget to mention that any good password verification will lock you out after 3 or 5 failed attempts?  Now we're talking centuries to crack any good password.
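As an added example (not code from the thread, from LastPass or from Hive Systems), the following Python puts Csaba's offline arithmetic (a 10 TH/s ASIC divided by the PBKDF2 iteration count) and Thomas's online arithmetic (a server-imposed 1-second turnaround, plus a lockout after a few failures) into one script, so both attack models can be compared against the same keyspace. The hash rates, iteration counts, delay and lockout policy are assumed figures taken from the discussion, not measured facts about any service; the PBKDF2 benchmark measures whatever CPU it runs on.

```python
"""Offline vs. online brute-force time, with the defender's slowdowns applied.

Added example (not from the thread). Hash rates and password policies are
assumed values chosen to match the figures quoted in the discussion.
"""
import hashlib
import os
import time

YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords for a fixed length and alphabet."""
    return alphabet_size ** length


def offline_seconds(space: int, hashes_per_second: float, iterations: int) -> float:
    """Expected crack time when the attacker already holds the hash.

    An iterated KDF such as PBKDF2 multiplies the per-guess cost by
    `iterations`, so the guess rate is the raw hash rate divided by that.
    On average the right guess turns up halfway through the keyspace.
    """
    guesses_per_second = hashes_per_second / iterations
    return (space / 2) / guesses_per_second


def online_seconds(space: int, delay_seconds: float,
                   lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Expected crack time when every guess must round-trip to the live service.

    The attacker's hardware is irrelevant here: each attempt costs the
    server-imposed `delay_seconds`, and if the account locks after
    `lockout_after` failures, every such batch adds `lockout_seconds`.
    """
    expected_guesses = space / 2
    total = expected_guesses * delay_seconds
    if lockout_after > 0:
        total += (expected_guesses / lockout_after) * lockout_seconds
    return total


def human(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1."""
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600),
                       ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def pbkdf2_guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure one CPU core's PBKDF2-HMAC-SHA256 guess rate at `iterations`.

    Same construction as the LastPass master-password hash discussed above;
    the iteration count is the defender's knob for making each guess slower.
    """
    salt = os.urandom(16)  # constructed sample salt; any value works for timing
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


def scenarios(space: int) -> dict:
    """Compare the attack settings discussed in the thread for one keyspace.

    Assumed figures: a 10 TH/s ASIC (Csaba's number) against PBKDF2 at
    100,100 and 600,000 iterations; a live login with a 1 s turnaround
    (Thomas's number), with and without a 15-minute lockout after 5 failures.
    """
    return {
        "offline, 10 TH/s, PBKDF2 x100100": offline_seconds(space, 1e13, 100_100),
        "offline, 10 TH/s, PBKDF2 x600000": offline_seconds(space, 1e13, 600_000),
        "online, 1 s per attempt": online_seconds(space, 1.0),
        "online, 1 s + lockout 5/15min": online_seconds(space, 1.0, 5, 15 * 60),
    }


if __name__ == "__main__":
    # 8 lowercase letters: weak by any chart's standard, yet the online
    # figures come out in millennia while the offline ones come out in minutes.
    space = keyspace(26, 8)
    for label, secs in scenarios(space).items():
        print(f"{label:36s} {human(secs)}")
    rate = pbkdf2_guesses_per_second(100_100)
    print(f"PBKDF2 x100100 on this CPU: {rate:.1f} guesses/s")
```

Running it reproduces Thomas's point directly: `online_seconds(2 * 10**8, 1.0)` is 10^8 seconds, which `human` renders as 3.17 years, independent of the attacker's hash rate. Swapping the raw 10 TH/s figure into `offline_seconds` shows why a stolen hash changes the picture, and why raising the iteration count is the only lever the defender keeps once the hash is out.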


Paul Boniol
May 3, 2023, 3:50:24 PM
to NLUG, Csaba Toth
What Csaba is saying is that, in some cases, the hashed password has been exposed and copied to a local computer, and the encryption method is known. This eliminates any delay that may be imposed on trying to crack it, as you aren't contacting the website until you know what the password is (was).

Michael L
May 3, 2023, 8:18:38 PM
to nlug...@googlegroups.com
I'm humbled by all the expertise on this email thread.  I have a CentOS 7 website server needing fail2ban, but it's failing on install, so I'll post another question in a separate thread.
