undefined | Better HN

0 pointssigmoid103y ago0 comments

>It's a demonstration that a laptop can reach `2,000,000+ H/s`.

No, the author says their laptop only reaches ~1kH/s. That 2 million number is a pure guess for a multi-gpu setup and that is still pretty weak, unless you have a very good dictionary for a specific target. Brute forcing remotely long alphanumeric passwords is out of the question. So if you have a 8+ character password with upper+lowercase characters and digits that is not close to a real word and was never used anywhere else, you should be perfectly fine after this breach. Only if you have a really shitty password or if you reused it you should probably do something.

0 comments

t0mas883y ago

With 8 characters, which is way below all recommendations and using only alphanumeric + the simple special chars on the keyboard you're looking at over 7 * 10^14 possibilities.

If you could do 100 million hashes per second (that seems to be possible with hardware looking at crypto stuff), the way I understand the setup you're still up against the 100100 iterations in the key derivation algorithm. So that's 7 * 10^19 hash calculations.

Even with the hardware to do 100 million hashes per second you're looking at nearly 23,000 years.

Let's hope you get a hit at 50% of the space (the expected average case). That's 11500 machine years with beefy GPU accelerated machine. So to bring this to a usable 5 years (and that's already pushing the expiration date of any creditcard you may find in the stolen vault) you'd need 2300 gpu accelerated machines running 24x7.

In AWS terms, with reserved discounts and everything you're going to spend roughly 60 million dollars cracking one vault.

phillipseamore3y ago

Most accounts created before sometime in 2018 likely have just 5000 iterations and not 100100. Since the iteration count is kept in the clear an attacker would likely begin with them (with the added benefit of an older account might have more data in it). So the likely steps an attacker in possession of the vaults would take:

1) Find all vaults with the lowest iterations

2) Order by some criteria (known money sources: URLs for banks and crypto, known URLs that would have PII information: utilities, telcos, governmental URLs)

3) Start cracking...

Or they could skip all that for some quick money. There's no need to crack anything if the URLs can get you money. How much would a dictatorship pay for the identities of everyone with an account at a URL that posts negative information on the regime? A domain.com/wp-admin account could certainly get you killed.

erros3y ago

Just out of curiosity I booted up a box with 10x RTX A6000 @ 451.6 TFLOPS

    Speed.#1.........:    38789 H/s (11.17ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#2.........:    39017 H/s (11.17ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#3.........:    38894 H/s (11.16ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#4.........:    39254 H/s (11.02ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#5.........:    38626 H/s (11.17ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#6.........:    39448 H/s (10.94ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#7.........:    39256 H/s (11.06ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#8.........:    38966 H/s (11.14ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#9.........:    38870 H/s (11.17ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#10.........:    39259 H/s (11.01ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#\*.........:   390.0 kH/s

Used the same example as the author with 100500 iterations. I think with some good wordlists, I'd wager a ton of low hanging fruits will be wiped within a reasonable time. If we're talking a threat actor with $$, they'd do some serious damage on this dump.

*edit: just wanted to clarify that I think bruteforcing this dump wouldn't be as useful. It would still take a crapload of resources to be effective or useful in that scenario.

t0mas883y ago

So you're doing 4e10 hashes per second or 390k password guesses per second. At what price per hour?

2 more replies

latchkey3y ago

I have access to 34,000+ GPUs, right now.

All that I need to do is pay for power, which is at lowest rates.

Who wants to crack some hashes?

eli3y ago

Where are you where power is at its lowest rates?

j / k navigate · click thread line to collapse

0 comments

t0mas883y ago

With 8 characters, which is way below all recommendations and using only alphanumeric + the simple special chars on the keyboard you're looking at over 7 * 10^14 possibilities.

Even with the hardware to do 100 million hashes per second you're looking at nearly 23,000 years.

In AWS terms, with reserved discounts and everything you're going to spend roughly 60 million dollars cracking one vault.

phillipseamore3y ago

1) Find all vaults with the lowest iterations

2) Order by some criteria (known money sources: URLs for banks and crypto, known URLs that would have PII information: utilities, telcos, governmental URLs)

3) Start cracking...

erros3y ago

Just out of curiosity I booted up a box with 10x RTX A6000 @ 451.6 TFLOPS

    Speed.#1.........:    38789 H/s (11.17ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#2.........:    39017 H/s (11.17ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#3.........:    38894 H/s (11.16ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#4.........:    39254 H/s (11.02ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#5.........:    38626 H/s (11.17ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#6.........:    39448 H/s (10.94ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#7.........:    39256 H/s (11.06ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#8.........:    38966 H/s (11.14ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#9.........:    38870 H/s (11.17ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#10.........:    39259 H/s (11.01ms) @ Accel:128 Loops:64 Thr:64 Vec:1
    Speed.#\*.........:   390.0 kH/s

*edit: just wanted to clarify that I think bruteforcing this dump wouldn't be as useful. It would still take a crapload of resources to be effective or useful in that scenario.

t0mas883y ago

So you're doing 4e10 hashes per second or 390k password guesses per second. At what price per hour?

2 more replies

latchkey3y ago

I have access to 34,000+ GPUs, right now.

All that I need to do is pay for power, which is at lowest rates.

Who wants to crack some hashes?

eli3y ago

Where are you where power is at its lowest rates?

j / k navigate · click thread line to collapse