
> a breached password is unrelated to its strength

But most of them were weak. And most of them have been cracked by hobbyists.

https://blog.cynosureprime.com/2017/08/320-million-hashes-ex...

512 MILLION is not a large number of passwords to check. What do you think the hash rate of modern GPUs/ASICs is?

https://www.troyhunt.com/86-of-passwords-are-terrible-and-ot...



You're forgetting the salt added. Compared to the original post I commented on, 512 mil is way larger than 10k. So it's 512 mil known passwords, times however large the salt is...it's not trivial -- and their 10k list was expected at 6 hours...

Extrapolating, 10k:6hrs == 512m:35 years


A GTX1080 gets 25GH/s on MD5, that is 1.5x10^16 per week. The salt is known -- makes rainbow attacks impractical, but doesn't reduce the hashing rate.

Martin Kleppmann explained the problem back in 2013: https://martin.kleppmann.com/2013/05/24/improving-security-o...
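
Added example (not part of the thread and not any commenter's code): a Python sketch of the point in the comment above, that a known salt makes a precomputed table useless but leaves the cost of each guess unchanged. The PBKDF2 comparison goes beyond what the comments state; the candidate list, salt, password and iteration count are constructed sample values.

```python
import hashlib

# Constructed sample data, not taken from any real dump.
CANDIDATES = ["123456", "password", "qwerty", "letmein", "hunter2"]
SALT = b"constructed-salt"   # stored beside the hash, so known to anyone holding the dump
SECRET = "hunter2"
ITERATIONS = 1000            # kept small so the demo runs instantly

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_table(candidates):
    """Precompute unsalted MD5 -> password once; reusable against any unsalted dump."""
    return {md5_hex(p.encode()): p for p in candidates}

def check_salted_md5(stored, salt, candidates):
    """Audit one account: one MD5 call per candidate, using the known salt.
    Returns (matching candidate or None, hash calls spent)."""
    calls = 0
    for p in candidates:
        calls += 1
        if md5_hex(salt + p.encode()) == stored:
            return p, calls
    return None, calls

def check_pbkdf2(stored, salt, candidates, iterations):
    """Same audit against PBKDF2-HMAC-SHA256: every guess costs `iterations` PRF rounds."""
    rounds = 0
    for p in candidates:
        rounds += iterations
        if hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations) == stored:
            return p, rounds
    return None, rounds

def demo():
    table = build_table(CANDIDATES)
    unsalted = md5_hex(SECRET.encode())
    salted = md5_hex(SALT + SECRET.encode())
    slow = hashlib.pbkdf2_hmac("sha256", SECRET.encode(), SALT, ITERATIONS)
    return {
        "table_vs_unsalted": table.get(unsalted),  # instant lookup succeeds
        "table_vs_salted": table.get(salted),      # salt defeats the precomputed table
        "loop_vs_salted": check_salted_md5(salted, SALT, CANDIDATES),
        "loop_vs_pbkdf2": check_pbkdf2(slow, SALT, CANDIDATES, ITERATIONS),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The salted loop spends one fast hash per candidate, exactly as the unsalted case would; only the iterated KDF multiplies the work per guess.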


I conveniently forgot the salt is public ::facepalm::

I also was using the OP numbers, versus trying to do any math or research myself first ::second facepalm::


It's alright, that's why we have HN - not to be always right first and fastest, but to go deeper.



