undefined | Better HN

0 pointsmaccard4y ago0 comments

It is! I guess using a password from Google isn't the best idea, and kind of defeated the point of what I wanted to ask (if your password isn't already hashed online how long does it actually take to break a sha1 hash), but definitely proves the point.

Can I try again? Sha1 e7b7cdf949007abe7e8a190ba8eae56c60018c1f

0 comments

Behemoth664y ago

Couldn’t find it in 1.4 Trillion combinations. Used rockyou.txt with dive.rule.

Took me 6 minutes to try all 1.4 trillion passwords. So either you have a strong password or I messed something up. What is it?

In theory if your password was weak enough to be on this list it would take on average 3 minutes to break it on a GTX 1080.

maccardOP4y ago

Thanks for trying! This somewhat supports what I'm suggesting - because that password hasn't been leaked by being posted in plaintext as a verified password, it's not available as a lookup, therefore it doesn't matter whether they used bcrypt, sha1 or md5, or even just pgp encrypted it, the password is likely "secure".

Behemoth664y ago

It depends. It doesn’t have to strictly be a leaked password. If it’s similar to a leaked password then the permutation rule-set will catch it.

Anything under 9 characters I can brute force in minutes. 9 character passwords would take me 9 hours.

Obviously if someone has a nest of the latest GPUs then they could go a lot faster.

But yes if your password is uwv&6qu_brusb618_$@618jg then it doesn’t really matter how you hash it.

1 more reply

ghostway-chess4y ago

Well. Sha1 is not _that_ hard to break. It's a solved algorithm

1 more reply

shkkmo4y ago

The point of the salt isn't that it makes it take longer to break any one password. What it does is prevent you from re-using the rainbow table you generate breaking one password when you break the next one.

Sha1 is not a very secure/expensive hashing algorithm and thus does make it significantly cheaper to break even with a unique salt.

thaumasiotes4y ago

> What [a password salt] does is prevent you from re-using the rainbow table you generate breaking one password when you break the next one.

Your idea of what a rainbow table is appears to be unrelated to what a rainbow table actually is. A rainbow table is prepared in advance, not generated in the process of cracking an individual password.

maccardOP4y ago

> Sha1 is not a very secure/expensive hashing algorithm and thus does make it significantly cheaper to break even with a unique salt.

Ok, so how long does it take to break the hash I've provided if it's not very secure?

shkkmo4y ago

It's not so much "how long does it take" as it is "how much does it cost" and the answer to that really depends on what sort of compute infrastructure you have access to. Using a more appropriate hashing algorithm with a sufficient cost factor can massively increase the amount of compute needed. Preventing the re-use of that computational effort on additional users is why unique salts are important.

1 more reply

j / k navigate · click thread line to collapse

0 comments

Behemoth664y ago

Couldn’t find it in 1.4 Trillion combinations. Used rockyou.txt with dive.rule.

Took me 6 minutes to try all 1.4 trillion passwords. So either you have a strong password or I messed something up. What is it?

In theory if your password was weak enough to be on this list it would take on average 3 minutes to break it on a GTX 1080.

maccardOP4y ago

Behemoth664y ago

It depends. It doesn’t have to strictly be a leaked password. If it’s similar to a leaked password then the permutation rule-set will catch it.

Anything under 9 characters I can brute force in minutes. 9 character passwords would take me 9 hours.

Obviously if someone has a nest of the latest GPUs then they could go a lot faster.

But yes if your password is uwv&6qu_brusb618_$@618jg then it doesn’t really matter how you hash it.

1 more reply

ghostway-chess4y ago

Well. Sha1 is not _that_ hard to break. It's a solved algorithm

1 more reply

shkkmo4y ago

Sha1 is not a very secure/expensive hashing algorithm and thus does make it significantly cheaper to break even with a unique salt.

thaumasiotes4y ago

> What [a password salt] does is prevent you from re-using the rainbow table you generate breaking one password when you break the next one.

maccardOP4y ago

> Sha1 is not a very secure/expensive hashing algorithm and thus does make it significantly cheaper to break even with a unique salt.

Ok, so how long does it take to break the hash I've provided if it's not very secure?

shkkmo4y ago

1 more reply

j / k navigate · click thread line to collapse