BTW the source of the table is there under the table
https://www.hivesystems.io/blog/are-your-passwords-in-the-green?utm_source=tabletext
and it's a very interesting read! They talk about the actual hash schemes
used (LastPass is PBKDF2 SHA-256 which is better than some services using
bcrypt).
Seemingly they were only thinking in the GPU space (and I have a feeling
there's a reason they haven't considered ASIC miners). They scaled it up to
a cloud provider having more than a dozen Tesla A100 though.
ChatGPT used ~10.000 GPU cluster on Azure for training and for fun they
even considered that. If it was up to me I'd try to abuse an ASIC miner for
cracking instead of crypto (in case the goal is to crack a password).
Let's think outside of the box, just like GPGPU computing was such a
thought when GPUs were only developed for 3D games in the beginning.


On Tue, May 2, 2023 at 11:36 AM Csaba Toth <[email protected]> wrote:

> Well, some of the data breaches may get hold of the password hash. Like
> the master passwords in case of the LastPass breach, and in this case you
> don't have to deal with the delay it takes for a bot to properly go
> through the login process (entering username and password in a GUI and
> clicking a button) like I see they constantly try on an exposed RDP endpoint.
> So in that case they can brute force closer to the "source", however as you
> mentioned even the LastPass master password was hashed I think 100,100
> times - or something - by default (and they are raising it to 600,000),
> which is deliberately to make a brute force ~100k times slower.
> I don't know if that hash algorithm is in alignment in any way with the
> hashes the cryptocurrencies use. In that case a hacker might utilize ASICs
> specifically developed for crunching hashes; those miner rigs are insanely
> fast compared to even a GPU. Bard gave me this figure:
> Device        Hash Rate
> CPU           1-10 MH/s
> GPU           100-600 MH/s
> ASIC Miner    1-10 TH/s
>
> As you see an ASIC miner could be 1,000-10,000 X faster than a GPU. So
> with a 10 TH/s miner you can try 10^13 / 10^5 = 10^8 passwords per second for
> a LastPass master password. Then comes the question how big is your
> dictionary, and there are techniques like
> https://en.wikipedia.org/wiki/Rainbow_table which cut down the crack time.
>
> So it really depends on the hacker's budget and definitely on the
> complexity of the password. Quantum computers might change the picture, but
> that's still a few decades away (fortunately).
>
>
> On Tue, May 2, 2023 at 10:44 AM Thomas Bartkus <[email protected]>
> wrote:
>
>> I have quibbles with their methodology.  Their computer already has the
>> password they submit and a separate program has to guess what it is.  By
>> brute force.  Try something then try the next.
>>
>> The problem is that in the real world they don't know what the password
>> is.  They have to test the trials against a remote or a website.  Common
>> practice is to make the verification deliberately slow. Enforcing a one
>> second turnaround time means it takes a full second to know if they got a
>> hit.  This lengthens the time to crack it enormously.  A 2 second delay
>> doubles the time again.  An enormous time overhead over which the attacking
>> computer has no control.
>>
>> To get a true picture they need to test against a real (slow!)
>> verification process outside their control.  Even the simplest passwords
>> would take days to crack no matter how fast their computers were. I think
>> their chart is wildly inaccurate.
>>
>> What am I missing here?
>> On Wednesday, April 19, 2023 at 2:32:29 AM UTC-5 [email protected]
>> wrote:
>>
>>> I'm interested in learning more about this:
>>>
>>> https://www.reddit.com/r/coolguides/comments/12qmk1r/i_updated_our_famous_password_table_for_2023/
>>>
>> --
>> --
>> You received this message because you are subscribed to the Google Groups
>> "NLUG" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/nlug-talk?hl=en
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "NLUG" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/nlug-talk/6ec21391-b2e6-473e-9721-a2ebae1e5567n%40googlegroups.com
>> <https://groups.google.com/d/msgid/nlug-talk/6ec21391-b2e6-473e-9721-a2ebae1e5567n%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>

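The arithmetic argued over in this thread (raw hash rate divided by the PBKDF2 iteration count for a leaked hash, versus one guess per deliberate delay against a live login), worked through as an added example that is not part of any message above. The device rates and the 100,100 / 600,000 iteration counts are the ones quoted in the thread; the character classes and the one-session online model are my assumptions.

```python
import string

# Hash rates from the table quoted in the thread, in hashes per second
# (top of each quoted range). Constructed input, not a measurement.
DEVICE_HASH_RATES = {
    "CPU (10 MH/s)": 10e6,
    "GPU (600 MH/s)": 600e6,
    "ASIC miner (10 TH/s)": 10e12,
}
CHARSET_SIZES = {"digits": 10, "lower": 26, "upper": 26, "symbols": len(string.punctuation)}
YEAR = 365.25 * 86400


def keyspace(length, classes):
    """Candidate passwords of `length` chars drawn from the union of the classes."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def offline_guess_rate(hash_rate, iterations):
    """Guesses/s against a leaked PBKDF2 hash, using the thread's model: one
    guess costs `iterations` hashes. Caveats: real PBKDF2-HMAC-SHA256 needs
    about two SHA-256 compressions per iteration, so this slightly overstates
    the attacker, and a fixed-function SHA-256d mining ASIC cannot run the
    HMAC chain at all, so the ASIC row is only a ceiling."""
    return hash_rate / iterations


def online_guess_rate(delay_seconds, parallel_sessions=1):
    """Guesses/s against a live login that deliberately answers after `delay_seconds`."""
    return parallel_sessions / delay_seconds


def human(seconds):
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_times(length, classes, iterations, online_delay=1.0):
    """Seconds to exhaust the keyspace under each scenario."""
    space = keyspace(length, classes)
    times = {f"offline {dev}": space / offline_guess_rate(rate, iterations)
             for dev, rate in DEVICE_HASH_RATES.items()}
    times[f"online, {online_delay:g}s delay"] = space / online_guess_rate(online_delay)
    return times


if __name__ == "__main__":
    for iters in (100_100, 600_000):  # LastPass counts mentioned in the thread
        print(f"8 lowercase chars, PBKDF2 iterations={iters:,}")
        for scenario, secs in crack_times(8, ["lower"], iters).items():
            print(f"  {scenario:<30} {human(secs)}")
```

Raising the iteration count scales every offline row linearly, while the online row is governed only by the server's delay, which is why the two discussions in the thread give such different numbers for the same password.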