What Csaba is saying is that, in some cases, the hashed password has been exposed and copied to a local computer, and the encryption method is known. This eliminates any delay that may be imposed on trying to crack it, as you aren't contacting the website until you know what the password is (was).
On Tue, May 2, 2023, 2:33 PM THOMAS BARTKUS <[email protected]> wrote:

> >> So with a 10TH miner you can try 10^13 / 10^5 = 10^8 passwords per
> second ...'
>
> This ignores the intolerable overhead created by the computer you are
> trying to hack!
> If the remote is deliberately imposing a 1 second turnaround to verify.
> Using your 10^8 password attempts. The situation is thus:
>
> 10^8/seconds/minutes/hours/days/365
> 10^8/60/60/24/365 = 3.17 years of overhead that the attacking computer has
> no control over. Your computer speed is of no consequence.
>
> Assuming that your quantum magic computer might chew 10^8 permutations in
> one second. That still means 3.2 years + one second to do the job.
>
> Of course, you might get lucky and strike gold after the first 8 months.
> Or you can attack 100 different computers at once improving the chances of
> a single successful hit in a shorter period of time.
>
> But the fact remains I think the "Hive Systems" chart is a fantasy
> designed to scare you into using their services.
>
> Did I forget to mention that any good password verification will lock you
> out after 3 or 5 failed attempts? Now we're talking centuries to crack any
> good password.
>
>
> On 05/02/2023 1:36 PM Csaba Toth <[email protected]> wrote:
>
>
> Well, some of the data breaches may get hold of the password hash. Like
> the master passwords in case of the LastPass breach, and in this case you
> don't have to deal with the delay it takes for a bot to properly go
> through the login process (entering username and password in a GUI and
> click a button) like I see they constantly try on an exposed RDP endpoint.
> So in that case they can brute force closer to the "source", however as you
> mentioned even the LastPass master password was hashed I think 100,100
> times - or something - by default (and they are raising it to 600,000),
> which is deliberately to make a brute force ~100k times slower.
> I don't know if that hash algorithm is in alignment in any way with the
> hashes the cryptocurrencies use. In that case a hacker might utilize ASICs
> specifically developed for crunching hashes, those miner rigs are insanely
> fast compared to even a GPU, Bard gave me this figure:
>
> Device       Hash Rate
> CPU          1-10 MH/s
> GPU          100-600 MH/s
> ASIC Miner   1-10 TH/s
>
> As you see an ASIC miner could be 1,000-10,000 X faster than a GPU. So
> with a 10TH miner you can try 10^13 / 10^5 = 10^8 passwords per second for
> a LastPass master password. Then comes the question how big is your
> dictionary, and there are techniques like
> https://en.wikipedia.org/wiki/Rainbow_table which cut down the crack
> time.
>
> So it really depends on the hacker's budget and definitely on the
> complexity of the password. Quantum computers might change the picture, but
> that's still a few decades (fortunately).
>
>
> On Tue, May 2, 2023 at 10:44 AM Thomas Bartkus <[email protected]>
> wrote:
>
> I have quibbles with their methodology. Their computer already has the
> password they submit and a separate program has to guess what it is. By
> brute force. Try something then try the next.
>
> The problem is that in the real world they don't know what the password
> is. They have to test the trials against a remote or a website. Common
> practice is to make the verification deliberately slow. Enforcing a one
> second turnaround time means it takes a full second to know if they got a
> hit. This lengthens the time to crack it enormously. A 2 second delay
> doubles the time again. An enormous time overhead over which the attacking
> computer has no control.
>
> To get a true picture they need to test against a real (slow!)
> verification process outside their control. Even the simplest passwords
> would take days to crack no matter how fast their computers were. I think
> their chart is wildly inaccurate.
>
>
> What am I missing here?
> On Wednesday, April 19, 2023 at 2:32:29 AM UTC-5 [email protected]
> wrote:
>
> I'm interested in learning more about this:
>
>
> https://www.reddit.com/r/coolguides/comments/12qmk1r/i_updated_our_famous_password_table_for_2023/
>
--
--
You received this message because you are subscribed to the Google Groups "NLUG" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en

---
You received this message because you are subscribed to the Google Groups "NLUG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/nlug-talk/CAL9PgS23oo79jrFFiyHB_nq5Yo--XNk9tpajHTM5Tah4c6JSRg%40mail.gmail.com.
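The cost model the thread argues over, written out as an added illustration that is not part of any poster's message: an attacker holding a leaked PBKDF2 hash is limited to (raw hash rate / iteration count) guesses per second, while an attacker guessing against a live login is limited by the per-guess round trip and the lockout policy no matter what hardware they own. The 10 TH/s figure, the 100,100 and 600,000 iteration counts and the 1-second round trip are the thread's own numbers; the 62-character, 10-position keyspace and the 15-minute lockout window are assumed values chosen for the example; the sample password and salt are constructed.

```python
# Added illustration of the thread's cost model; not code from any poster.
# Offline: guesses/s = raw hash rate / KDF iterations (the 10^13 / 10^5 = 10^8 figure).
# Online: every guess costs a round trip, plus whatever the lockout policy adds.
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Figures quoted in the thread
ASIC_HASH_RATE = 10 ** 13          # a 10 TH/s miner
LASTPASS_OLD_ITERATIONS = 100_100  # default iteration count mentioned in the thread
LASTPASS_NEW_ITERATIONS = 600_000  # the raised default mentioned in the thread


def offline_guesses_per_second(raw_hash_rate, kdf_iterations):
    """A KDF with N iterations costs N hash computations per guess, so the
    effective guess rate is raw hash rate divided by N."""
    return raw_hash_rate / kdf_iterations


def offline_expected_seconds(keyspace, raw_hash_rate, kdf_iterations):
    """Expected time to hit the password: on average half the keyspace is tried."""
    return (keyspace / 2) / offline_guesses_per_second(raw_hash_rate, kdf_iterations)


def online_expected_seconds(keyspace, round_trip_seconds, lockout_after=None, lockout_seconds=0.0):
    """Online guessing: each guess waits one round trip regardless of attacker
    hardware; with a lockout policy, every `lockout_after` failed guesses add a
    `lockout_seconds` wait. Returns the expected seconds (half the keyspace)."""
    guesses = keyspace / 2
    total = guesses * round_trip_seconds
    if lockout_after:
        total += (guesses / lockout_after) * lockout_seconds
    return total


def years(seconds):
    return seconds / SECONDS_PER_YEAR


def pbkdf2_seconds(iterations, trials=2):
    """Time one PBKDF2-HMAC-SHA256 derivation (the construction behind the
    LastPass iteration counts) at the given iteration count. Constructed
    password and random salt; returns the best of `trials` runs."""
    password = b"constructed-sample-master-password"  # constructed, not a real credential
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def scenario_table(keyspace):
    """Expected crack time, in years, for the scenarios discussed in the thread.
    The 15-minute lockout window is an assumed policy value."""
    return {
        "offline, 10 TH/s, 100,100 iterations": years(
            offline_expected_seconds(keyspace, ASIC_HASH_RATE, LASTPASS_OLD_ITERATIONS)),
        "offline, 10 TH/s, 600,000 iterations": years(
            offline_expected_seconds(keyspace, ASIC_HASH_RATE, LASTPASS_NEW_ITERATIONS)),
        "online, 1 s round trip, no lockout": years(
            online_expected_seconds(keyspace, 1.0)),
        "online, 1 s round trip, 15 min lockout after 5": years(
            online_expected_seconds(keyspace, 1.0, lockout_after=5, lockout_seconds=15 * 60)),
    }


if __name__ == "__main__":
    # Thomas's figure: 10^8 guesses at one second each. A keyspace of 2*10^8
    # gives an expected 10^8 guesses, i.e. about 3.17 years of pure waiting.
    print(f"10^8 online guesses at 1 s each: {years(online_expected_seconds(2 * 10**8, 1.0)):.2f} years")
    # Assumed keyspace: 10 positions drawn from 62 letters and digits.
    for name, value in scenario_table(62 ** 10).items():
        print(f"{name:48s} {value:16.1f} years")
    # Measured cost of one derivation at the old and new iteration counts.
    for n in (LASTPASS_OLD_ITERATIONS, LASTPASS_NEW_ITERATIONS):
        print(f"one PBKDF2 derivation at {n:,} iterations: {pbkdf2_seconds(n):.3f} s")
```

Run it as a script to see the comparison. The two offline rows differ by exactly the ratio of the iteration counts (about 6x), which is the only lever the vault provider has once the hash has leaked; the online rows show that the round trip alone, before any lockout, puts the attacker's own hash rate out of the picture entirely.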
