Is it possible to brute force all 8 character passwords in an offline attack?

  • This article states:

    Brute-force techniques trying every possible combination of letters, numbers, and special characters had also succeeded at cracking all passwords of eight or fewer characters.

    There are 6.63 quadrillion possible 8 character passwords that could be generated using the 94 numbers, letters, and symbols that can be typed on my keyboard. I'm skeptical that that many password combinations could actually be tested. Is it really possible to test that many possibilities in a less than a year in this day and age?

  • Jor-el

    Jor-el Correct answer

    7 years ago

    As per this link, with speed of 1,000,000,000 Passwords/sec, cracking a 8 character password composed using 96 characters takes 83.5 days. Research presented at Password^12 in Norway shows that 8 character NTLM passwords are no longer safe. They can be cracked in 6 hours on machine which cost ~$8000 in 2012.

    One important thing to consider is which algorithm is used to create these hashes (assuming you are talking about hashed passwords). If some computationally intensive algorithm is used, then the rate of password cracking can be reduced significantly. In the link above, author highlights that "the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses against Bcrypt and 364,000 guesses against SHA512crypt."

    My core i3 laptop makes **1500** guesses per second on WPA handshake.

    For single iteration MD5, small GPU arrays (<20 cards) are now pushing into the 100Billion/second area. Large (intelligence agency) arrays will be several orders of magnitude faster.

    One thing to keep in mind is that NTLMv1 passwords are particularly easy and so should not be extrapolated from. Because of how NTLM hashes passwords a 16 character password is takes only twice the amount of time to crack as an 8 character one.

    Don't forget about salts. If an encryption algorithm uses arbitrary-length salts, it's effectively impossible to create all possible hashes with all possible salts (you'd need a new rainbow table for every possible salt).

    Nobody is talking about rainbow tables here. This answer is talking about an attack on a stolen password database which probably contains a plaintext salt for each user account. Without a salt, any accounts with duplicate passwords don't require any additional work, but even with a salt the attack will proceed one account at a time without any rainbow tables required. Rainbow tables became outdated as soon as it became more efficient to just process all hashes in parallel every time, often using GPUs.

    My AMD A8-4500M APU cracks **1600** guesses per seconds. Now I am going to try cracking using my integrated GPU

    Tried a AWS EC2 g3.16xlarge? 64 Cores, 488GiB memory?

    "*They can be cracked in 6 hours.*" I feel like such statements should always be accompanied by hardware estimates. Either go "commodity hardware" (e.g. pooling a few common desktops like those your mom might use), "gaming hardware" in case you happened to use a gamer desktop for the GPUs (up to €2k or so), or a real cost estimate if it's more than that. Exception: if you used Apple hardware, divide by two.

    @Luc Actually gaming hardware is often slower since Nvidia is the usual choice for gamers. Unlike AMD, Nvidia focuses on having fewer but more sophisticated cores. For something as simple and parallelizable as hashing, AMD's large number of comparatively simpler cores tends to be more effective. In the scale of core complexity from CPU on one end to ASIC on the other, AMD GPGPUs tend to be closer to the latter.

    @Vorac Each WPA handshake is protected by 4096 SHA-256 iterations, if I recall correctly.

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM