undefined | Better HN

0 pointsbcoates7y ago0 comments

Minutes to days to reverse almost the whole list, depending on budget. It's not a real obstruction except to casual snooping.

0 comments

krageon7y ago

Could you walk me through how you come to that conclusion? I admit my estimate was very ballpark, but "minutes" seems so wildly out of line with what I think I must be making a mistake somewhere.

bcoatesOP7y ago

A single AWS GPU server can hash trial passwords on the order of 100 GH/s, which puts a pretty low ceiling on "hashcat as a service" rental costs.

I'm assuming 10^12 tries per second is economical for any business.

there are about a million words, including all likely spellings of all but the rarest first and last names, so all 1 or 2 word addresses, firstname.lastnames, etc. addresses are about 10^12. try those, plus short alphanumerics, for the 1000 most common email domains -> 10^15 addresses

Throw in every name in public leak databases that doesn't meet those patterns as well.

There's on the order of 1 million domains that are likely to be serving mail at all; try the billion most likely names for each of those for another 10^15.

This should capture almost every email address that isn't an intentionally obfuscated one-off and adds up to less than an hour at 10^12/sec. There's a modest overhead to matching against a larger list but it shouldn't matter in practice

jacquesm7y ago

A couple of hundred bucks spent on renting GPU instances can speed things up considerably.

j / k navigate · click thread line to collapse