<!DOCTYPE html>
<html lang=en>
<head>
<meta charset="utf-8">
<base href="https://koehr.in/">
<title>Weblog aka Blog // the codeartist — programmer and engineer based in Berlin</title>
<meta name="description" content="Homepage, Portfolio and CV of Norman Köhring" />
<meta content="The personal page and weblog of Norman Köhring" name=description>
<meta content="Norman Köhring" name=author>
<meta content="the codeartist — programmer and engineer based in Berlin" name=DC.title>
<meta content="52.4595, 13.5335" name=ICBM>
<meta content="52.4595; 13.5335" name=geo.position>
<meta content=DE-BE name=geo.region>
<meta content=Berlin name=geo.placename>
<meta content="width=device-width,initial-scale=1.0" name=viewport>
<link href=https://koehr.in rel=author>
<link href=https://koehr.in rel=canonical>
<link href=https://k0r.in rel=alternate>
<link href=https://koehr.ing rel=me>
<link href=@Koehr@mstdn.io rel=me>
<link href=https://sr.ht/~koehr/ rel=me>
<link href=https://git.k0r.in rel=me>
<link href=https://threads.net/@coffee_n_code rel=me>
<link href=https://instagram.com/@coffee_n_code rel=me>
<link href=https://ko-fi.com/koehr rel=me>
<link href=https://reddit.com/user/koehr rel=me>
<link href=https://koehr.in/rss.xml rel=alternate title=RSS type=application/rss+xml>
<link href=/favicon.png rel=icon type=image/x-icon>
<link href=/style.css rel=stylesheet>
</head>
<body>
<main id="til" class="posts">
<header>
<h1>Weblog</h1>
</header>
<h1>The price to crack your password</h1>
<p><em>Written 2016-12-04</em></p>
<p>Nearly six years ago, I wrote about password complexity and showed how long it takes to crack passwords per length. You can find that <a href="https://github.com/nkoehring/hexo-blog/blob/master/source/_posts/spas-mit-passwortern.md">article on github</a> (in German).</p>
<!-- more -->
<p>So, times have changed and I thought about revisiting that topic, but this time focusing on the amount of money you need to crack a password using Amazon's biggest GPU computing instance, the <a href="https://aws.amazon.com/ec2/instance-types/">p2.16xlarge</a>, which at the time of writing costs 14.4 USD per hour. I will also compare this with the much faster <a href="https://sagitta.pw/hardware/gpu-compute-nodes/brutalis/">Sagitta Brutalis</a> (nice name, eh?), an 18500 USD computer optimised for GPU calculation.</p>
<h2>Disclaimer</h2>
<p>The numbers in this article always assume brute-force attacks, meaning the attacker uses a program that tries all possible combinations until it finds the password. The numbers indicate the average time to compute <em>all</em> possible entries. If the program simply counts up, for example, from 000000 to 999999 and your password is 000001, it will of course be found much faster.</p>
<p>How long a single calculation takes also depends on the hashing algorithm used. I will compare some of the typically used algorithms. In case you have to implement a password security system, please use BCrypt, which is in most cases the best choice, but <em>NEVER</em> try to implement something on your own! It is never ever a good idea to create your own password hashing scheme, even if it is just assembled out of existing building blocks. Use the battle-tested standard solutions. They are peer-reviewed and the safest and most robust you can get.</p>
<h2>Password complexity basics</h2>
<p>Password complexity is calculated from the number of possible combinations. So a 10-character password that only contains numbers is far less complex than a mix of letters and numbers of the same length. Usually an attacker has no idea whether a specific password contains only numbers or letters, but a brute-force attack will try simpler combinations first.</p>
<p>To calculate the complexity of a password, find the amount of possible combinations first:</p>
<ul>
<li>Numbers: 10</li>
<li>ASCII Lowercase letters: 26</li>
<li>ASCII Uppercase letters: 26</li>
<li>ASCII Punctuation: 33</li>
<li>Other ASCII Characters: 128</li>
<li>Unicode: millions</li>
</ul>
<p>To get the complexity of your password, simply add up the numbers for the character classes it uses. A typical password contains numbers, lowercase and uppercase letters, which results in 62 possible combinations per character. Add some punctuation to raise that number to 95.</p>
<p>Other ASCII Characters are the less typical ones like ÿ and Ø which add to the complexity but might be hard to type on foreign keyboards. Unicode is super hard (if not impossible) to type on some computers but would theoretically add millions of possible characters. Fancy some ਪੰਜਾਬੀ ਦੇ in your password?</p>
<p>A very important factor in password complexity is of course also the length. And because random passwords with crazy combinations of numbers, letters and punctuation are hard to remember, <a href="https://xkcd.com/936/">some people suggest using a long combination of normal words instead</a>.</p>
<p>The password <code>ke1r$u@U</code> is considered a very secure password at the time of writing this article. Its complexity is calculated like this:</p>
<p>8 characters with 95 possibilities each:</p>
<p><code>95^8 = 6634204312890625 = ~6.6×10^15</code></p>
<p><code>log2(x)</code> calculates the complexity in bits:</p>
<p><code>log2(6634204312890625) = ~52.56 bits</code></p>
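<p>As an added worked example (not code from the original post), here is the calculation above together with the cost model behind the tables that follow, in Python. The character-class sizes are the ones listed above and the 14.4 USD per hour instance price and the 18500 USD Brutalis price are the article's; the hash rates passed in, the 30-day month and the rounding to cents are assumptions of this reconstruction.</p>

```python
import math
import string

# Character-class sizes from the article (punctuation incl. space = 33; the four
# ASCII classes together give the 95 printable ASCII characters).
PUNCTUATION = string.punctuation + " "
CLASS_SIZES = {"digits": 10, "lower": 26, "upper": 26, "punct": 33, "extended": 128}
# Cost model reconstructed from the article's tables; assumptions: "a month" is
# 30 days, and EC2 cost is rounded to cents with a $0.01 floor.
EC2_USD_PER_HOUR = 14.4  # Amazon p2.16xlarge price quoted in the article
BRUTALIS_USD = 18500     # Sagitta Brutalis price quoted in the article
MONTH_SECONDS = 30 * 24 * 3600

def char_classes(password):
    """Return the set of character classes a password draws from."""
    classes = set()
    for ch in password:
        if ch in string.digits:
            classes.add("digits")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in PUNCTUATION:
            classes.add("punct")
        elif ord(ch) < 256:  # e.g. ÿ or Ø, the article's "other ASCII" class
            classes.add("extended")
        else:
            raise ValueError("Unicode beyond Latin-1 is not modelled here")
    return classes

def keyspace(password):
    """Combinations a brute-force attacker must try: alphabet_size ** length."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return alphabet ** len(password)

def entropy_bits(password):
    """Complexity in bits, i.e. log2 of the keyspace (52.56 for ke1r$u@U)."""
    return math.log2(keyspace(password))

def price_to_crack(password, ec2_hashes_per_s, brutalis_hashes_per_s):
    """USD to exhaust the keyspace within a month: rent one EC2 instance if it
    finishes in time, otherwise buy as many Brutalis boxes as a month needs."""
    space = keyspace(password)
    ec2_seconds = space / ec2_hashes_per_s
    if ec2_seconds <= MONTH_SECONDS:
        usd = max(0.01, round(ec2_seconds / 3600 * EC2_USD_PER_HOUR, 2))
        return ("EC2", 1, usd)
    boxes = math.ceil(space / brutalis_hashes_per_s / MONTH_SECONDS)
    return ("Brutalis", boxes, boxes * BRUTALIS_USD)
```

<p>The hash rates are deliberately left as parameters because the article takes them from the linked hashcat benchmarks; plug in the rate for the hash you care about to reproduce a row of the tables.</p>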
<h2>Data sources</h2>
<p>I didn't try the password cracking myself, and neither did I ask a friend (insert trollface here). Instead I used publicly available benchmark results:</p>
<ul>
<li><a href="https://medium.com/@iraklis/running-hashcat-in-amazons-aws-new-16-gpu-p2-16xlarge-instance-9963f607164c#.bzyi0ystz">hashcat benchmark for p2.16xlarge</a></li>
<li><a href="https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40">hashcat benchmark for sagitta brutalis</a></li>
</ul>
<h2>The results</h2>
<p>I will compare some widely used password hashing methods, programs and
protocols for four different password complexity categories:</p>
<ul>
<li>eight numeric digits (might be your birthday)</li>
<li>eight alphanumeric characters (e.g. 'pa55W0Rd')</li>
<li>eight alphanumeric characters mixed with special characters (e.g. 'pa$$W0Rd')</li>
<li>a long memorisable pass sentence ('correct horse battery staple')</li>
</ul>
<h3>eight numeric digits (might be your birthday)</h3>
<table>
<thead>
<tr>
<th>hash</th>
<th>Amazon</th>
<th>Brutalis</th>
<th>price to crack in less than a month</th>
</tr>
</thead>
<tbody>
<tr>
<td>MD5</td>
<td>0.0s</td>
<td>0.0s</td>
<td>$0.01 (1 EC2 instance)</td>
</tr>
<tr>
<td>Skype</td>
<td>0.0s</td>
<td>0.0s</td>
<td>$0.01 (1 EC2 instance)</td>
</tr>
<tr>
<td>WPA2</td>
<td>1.27m</td>
<td>31.47s</td>
<td>$0.30 (1 EC2 instance)</td>
</tr>
<tr>
<td>SHA256</td>
<td>0.01s</td>
<td>0.0s</td>
<td>$0.01 (1 EC2 instance)</td>
</tr>
<tr>
<td>BCrypt</td>
<td>49.1m</td>
<td>15.77m</td>
<td>$11.78 (1 EC2 instance)</td>
</tr>
<tr>
<td>AndroidPIN</td>
<td>4.65s</td>
<td>2.3s</td>
<td>$0.02 (1 EC2 instance)</td>
</tr>
<tr>
<td>MyWallet</td>
<td>0.34s</td>
<td>0.25s</td>
<td>$0.01 (1 EC2 instance)</td>
</tr>
<tr>
<td>BitcoinWallet</td>
<td>1.98h</td>
<td>46.26m</td>
<td>$28.53 (1 EC2 instance)</td>
</tr>
<tr>
<td>LastPass</td>
<td>11.07s</td>
<td>5.4s</td>
<td>$0.04 (1 EC2 instance)</td>
</tr>
<tr>
<td>TrueCrypt</td>
<td>9.06m</td>
<td>5.69m</td>
<td>$2.18 (1 EC2 instance)</td>
</tr>
<tr>
<td>VeraCrypt</td>
<td>4d</td>
<td>2d</td>
<td>$1120.45 (1 EC2 instance)</td>
</tr>
</tbody>
</table>
<p>Conclusion: Don't do this. Never ever do this.</p>
<h3>eight alphanumeric characters (e.g. 'pa55W0Rd')</h3>
<table>
<thead>
<tr>
<th>hash</th>
<th>Amazon</th>
<th>Brutalis</th>
<th>price to crack in less than a month</th>
</tr>
</thead>
<tbody>
<tr>
<td>MD5</td>
<td>49.65m</td>
<td>18.17m</td>
<td>$11.92 (1 EC2 instance)</td>
</tr>
<tr>
<td>Skype</td>
<td>1.3h</td>
<td>34.92m</td>
<td>$18.67 (1 EC2 instance)</td>
</tr>
<tr>
<td>WPA2</td>
<td>6y</td>
<td>3y</td>
<td>$499500 (27 Brutalis)</td>
</tr>
<tr>
<td>SHA256</td>
<td>4.94h</td>
<td>2.64h</td>
<td>$71.15 (1 EC2 instance)</td>
</tr>
<tr>
<td>BCrypt</td>
<td>204y</td>
<td>66y</td>
<td>$14.7M (797 Brutalis)</td>
</tr>
<tr>
<td>AndroidPIN</td>
<td>118d</td>
<td>59d</td>
<td>$37000 (2 Brutalis)</td>
</tr>
<tr>
<td>MyWallet</td>
<td>9d</td>
<td>7d</td>
<td>$3003.3 (1 EC2 instance)</td>
</tr>
<tr>
<td>BitcoinWallet</td>
<td>494y</td>
<td>193y</td>
<td>$43.25M (2338 Brutalis)</td>
</tr>
<tr>
<td>LastPass</td>
<td>280d</td>
<td>137d</td>
<td>$92500 (5 Brutalis)</td>
</tr>
<tr>
<td>TrueCrypt</td>
<td>38y</td>
<td>24y</td>
<td>$5.3M (288 Brutalis)</td>
</tr>
<tr>
<td>VeraCrypt</td>
<td>19381y</td>
<td>11629y</td>
<td>$2.62B (141574 Brutalis)</td>
</tr>
</tbody>
</table>
<h3>eight alphanumeric characters mixed with special characters (e.g. 'pa$$W0Rd')</h3>
<table>
<thead>
<tr>
<th>hash</th>
<th>Amazon</th>
<th>Brutalis</th>
<th>price to crack in less than a month</th>
</tr>
</thead>
<tbody>
<tr>
<td>MD5</td>
<td>2d</td>
<td>9.2h</td>
<td>~$362 (1 EC2 instance)</td>
</tr>
<tr>
<td>Skype</td>
<td>2d</td>
<td>17.7h</td>
<td>~$567 (1 EC2 instance)</td>
</tr>
<tr>
<td>WPA2</td>
<td>160y</td>
<td>67y</td>
<td>~$14.9M (806 Brutalis)</td>
</tr>
<tr>
<td>SHA256</td>
<td>7d</td>
<td>4d</td>
<td>~$2162 (1 EC2 instance)</td>
</tr>
<tr>
<td>BCrypt</td>
<td>6194y</td>
<td>1989y</td>
<td>~$448M (24,215 Brutalis)</td>
</tr>
<tr>
<td>AndroidPIN</td>
<td>10y</td>
<td>5y</td>
<td>~$1.09M (59 Brutalis)</td>
</tr>
<tr>
<td>MyWallet³</td>
<td>265d</td>
<td>191d</td>
<td>~$129500 (7 Brutalis)</td>
</tr>
<tr>
<td>BitcoinWallet</td>
<td>14996y</td>
<td>5835y</td>
<td>~$1.3B (71,038 Brutalis)</td>
</tr>
<tr>
<td>LastPass</td>
<td>24y</td>
<td>12y</td>
<td>~$2.6M (139 Brutalis)</td>
</tr>
<tr>
<td>TrueCrypt²</td>
<td>1144y</td>
<td>718y</td>
<td>~$162M (8,742 Brutalis)</td>
</tr>
<tr>
<td>VeraCrypt¹</td>
<td>588867y</td>
<td>353320y</td>
<td>~$79.6B (4,301,668 Brutalis)</td>
</tr>
</tbody>
</table>
<ol>
<li>VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 512bit (super duper paranoid settings)</li>
<li>TrueCrypt PBKDF2-HMAC-Whirlpool + XTS 512bit</li>
<li>Blockchain MyWallet: <a href="https://blockchain.info/wallet/">https://blockchain.info/wallet/</a></li>
</ol>
<h3>a long memorisable pass sentence ('correct horse battery staple')</h3>
<p>Okay, this doesn't need a table. It takes millions of billions of years to crack this even in MD5.</p>
<p>As an illustration: the solar system needs around 225 million years to orbit the core of the Milky Way. This is the so-called <a href="https://en.wikipedia.org/wiki/Galactic_year">galactic year</a>. The sun has existed for around 20 galactic years. Cracking such a password, even when hashed with MD5, takes 3 trillion (million million) galactic years.</p>
<p>Of course nobody would ever attempt to do this. There are many ways to crack a password faster. Explaining some of them would easily fill another article, so I leave you here. Sorry.</p>
<h2>Links</h2>
<p>To find your way into the topic, you might visit some of the following links:</p>
<ul>
<li><a href="http://hashcat.net/hashcat/">The fastest bruteforce password cracker</a></li>
<li><a href="https://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure">More about password cracking methods</a></li>
<li><a href="https://password-hashing.net/">Password hashing competition</a></li>
<li><a href="https://www.randomlists.com/random-words">Random word generator for long but memorisable passwords</a></li>
</ul>
</main>
</body>