Well, some of the data breaches may get hold of the password hash, like the master passwords in the case of the LastPass breach, and in this case you don't have to deal with the delay that it takes for a bot to properly go through the login process (entering username and password in a GUI and clicking a button) like I see they constantly try on an exposed RDP endpoint. So in that case they can brute force closer to the "source". However, as you mentioned, even the LastPass master password was hashed I think 100,100 times - or something - by default (and they are raising it to 600,000), which is deliberately to make a brute force ~100k times slower.

I don't know if that hash algorithm is in alignment in any way with the hashes the cryptocurrencies use. In that case a hacker might utilize ASICs specifically developed for crunching hashes. Those miner rigs are insanely fast compared to even a GPU. Bard gave me this figure:

Device        Hash Rate
CPU           1-10 MH/s
GPU           100-600 MH/s
ASIC Miner    1-10 TH/s

As you see, an ASIC miner could be 1,000-10,000 X faster than a GPU. So with a 10TH miner you can try 10^13 / 10^5 = 10^8 passwords per second for a LastPass master password. Then comes the question of how big your dictionary is, and there are techniques like https://en.wikipedia.org/wiki/Rainbow_table which cut down the crack time. So it really depends on the hacker's budget and definitely on the complexity of the password. Quantum computers might change the picture, but that's still a few decades away (fortunately).

On Tue, May 2, 2023 at 10:44 AM Thomas Bartkus <[email protected]> wrote:

> I have quibbles with their methodology. Their computer already has the
> password they submit and a separate program has to guess what it is. By
> brute force. Try something then try the next.
>
> The problem is that in the real world they don't know what the password
> is. They have to test the trials against a remote or a website. Common
> practice is to make the verification deliberately slow. Enforcing a one
> second turnaround time means it takes a full second to know if they got a
> hit. This lengthens the time to crack it enormously. A 2 second delay
> doubles the time again. An enormous time overhead over which the attacking
> computer has no control.
>
> To get a true picture they need to test against a real (slow!)
> verification process outside their control. Even the simplest passwords
> would take days to crack no matter how fast their computers were. I think
> their chart is wildly inaccurate.
>
> What am I missing here?
>
> On Wednesday, April 19, 2023 at 2:32:29 AM UTC-5 [email protected]
> wrote:
>
>> I'm interested in learning more about this:
>>
>> https://www.reddit.com/r/coolguides/comments/12qmk1r/i_updated_our_famous_password_table_for_2023/
>
> --
> You received this message because you are subscribed to the Google Groups
> "NLUG" group.
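Added example, not part of either message in this thread: a small calculator that puts the two verification models discussed above side by side (a throttled online login versus offline guessing against a stolen, iterated hash) and returns the password length a defender needs under each. The 1 s delay, 10 TH/s, 100,100 and 600,000 figures come from the messages; the 94-character random alphabet and the 100-year target are assumptions, as is the premise that the ASIC rate applies to the password hash at all.

```python
"""Average time-to-crack under the verification models discussed in this thread."""

CENTURY_S = 100 * 365 * 86_400   # assumed target: password should survive 100 years
CHARSET = 94                     # assumed: random printable-ASCII password

def online_rate(delay_s):
    """Guesses/s when every attempt must wait for a throttled remote login."""
    return 1.0 / delay_s

def offline_rate(raw_hashes_per_s, kdf_iterations):
    """Guesses/s against a stolen hash: each guess costs kdf_iterations hashes."""
    return raw_hashes_per_s / kdf_iterations

def avg_seconds_to_crack(charset, length, rate):
    """On average a brute force finds the password after half the keyspace."""
    return charset ** length / 2 / rate

def min_length(charset, rate, target_s):
    """Shortest random password whose average crack time reaches target_s."""
    length = 1
    while avg_seconds_to_crack(charset, length, rate) < target_s:
        length += 1
    return length

# Figures quoted in the thread; the 10 TH/s rate is an upper bound that assumes
# mining ASICs could be pointed at the password hash at all.
SCENARIOS = {
    "online, 1 s per attempt": online_rate(1.0),
    "offline, 100,100 iterations": offline_rate(10**13, 100_100),
    "offline, 600,000 iterations": offline_rate(10**13, 600_000),
    "offline, one hash per guess": offline_rate(10**13, 1),
}

def report():
    """Minimum random-password length per scenario for the 100-year target."""
    return {name: min_length(CHARSET, rate, CENTURY_S) for name, rate in SCENARIOS.items()}

if __name__ == "__main__":
    for name, length in report().items():
        print(f"{name:32s} needs >= {length} random characters")
```

The lengths apply only to uniformly random passwords; a password that appears in a dictionary falls far sooner under every model.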
