this post was submitted on 02 Aug 2023
88 points (94.9% liked)
Interesting
555 readers
1 users here now
- Be respectful to other members Treat others with kindness and courtesy, even if you disagree with their opinions.
- Stay on topic Keep your discussions relevant to the purpose of the forum. Avoid going off-topic or derailing conversations.
- No spamming Avoid posting irrelevant or unnecessary content, advertisements, or links to unrelated websites.
- Use proper language and tone Choose your words carefully when commenting or replying to others. Avoid using profanity or engaging in offensive language and personal attacks.
- Do not share personal information Protect your privacy by refraining from sharing personal details such as addresses, phone numbers, or email addresses on the forum.
- Report any issues If you come across any inappropriate behavior or content, report it to the forum moderators or administrators.
- Have fun and contribute positively Participate actively and add value to the discussions. Engage in meaningful and constructive conversations with fellow members.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
~~Unfortunately, this chart is already out of date, the 2023 version looks like this:~~ It is now the up to date chart.
For the old chart you would need 40 billion guesses per second, and that is what the RTX 2080 was at five years ago. With a RTX 4090 you can guess 164 billion hashes per second.
Using 8 AWS A100 GPUs at $32.77/h you can guess over 520 billion times a second and then the chart looks like this:
All the charts and benchmark numbers are from here. There is way more on that page that I'm just going to leave out here, but I recommend you read through it.
Of course this isn't quite accurate, this assumes the hashing algorithm MD5 which is no longer recommended, because it's so fast. It also ignores salting. But it assumes the worst case, a complete brute force with no dictionary/rainbow table, so I think it's not a bad estimate.
Edit: spelling
Edit again: The comment I was referring to is gone, so I removed the refrence. The numbers are still correct though.
thanks for this, OP forgot to mention that it's MD5 and i think that's absolutely crucial
Yes, this is what it looks like using bcrypt, and the same AWS GPUs:
But they also mention that most low priority logins that people don't care about like forums, restaurants, etc. still use MD5, and password reuse becomes a huge problem here.
Keypasss hashing is a lot better than default MD5 though.
They use SHA-256, salt and key derivation to increase security.
But a better password and checking your settings is a never a bad idea.
The hashing algoritm is important though. I recently had to design some password hashing system and associated parameters. My work laptop can do a couple dozen million md5 attempts a second no problem. It's like a factor of 100 - 1000 slower than this sheet. Not bad overall.
However, using the right hashing algorithms with good tuning such as key derivation rounds and hashing rounds and such can slow that thing down to 2 or 3 attempts per second. Even if you had some system a million times faster than my CPU (at which point the NSA will make you offers and you should take them, or else), you won't break those passwords given their hash. You wouldn't even break them if they were simple random lower + upper case sequences of low length.
Ohh, thanks. I updated it.