oclHashcat 1.00 was released 2013-12-06, and it has some great new features since the last time I used it. I recently got some new graphics cards, so it seemed like a good opportunity to use the new benchmarking feature in oclHashcat. With updated password recovery software and updated hardware I wanted not only to see how fast oclHashcat 1.00 is, but also to take a look at how long and complex our passwords should be these days.

The new benchmarking feature in oclHashcat 1.00 means that we don't have to create our own benchmarking scripts anymore, like we did in the old days. In my tests I used 2x Gigabyte GeForce GTX 780Ti 3GB on stock speeds. Here are the results:

The first thing to note is that, when it comes to recovering passwords, my new GTX 780 Tis are performing worse than my older HD 6990s. In general, of course, it's the other way around. Why is this? Two main reasons according to the creator of Hashcat:

  • The AMD GPU has more raw integer power (the 780 Ti has 2880 shader processing units, the HD 6990 has 3072)
  • The AMD GPU instruction set is better suited for the kinds of calculations important in password recovery

In the spreadsheet above, you can also see how long it would take me to exhaust every password of a given length for each hashing algorithm. In this case I'm looking at all passwords made up of lowercase letters (a-z), uppercase letters (A-Z) and digits (0-9), i.e. 62 possible characters per position. As an example, I can recover any and all 8 character passwords in less than 4 hours, provided they are hashed with plain MD5, a fast hash that sadly is still more common than it should be.

What if we also add symbols ( !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~) to our passwords?

It would take me almost 123 hours to find any and all 8 character MD5 hashed passwords that use lowercase letters, uppercase letters, digits and symbols (95 possible characters per position).

If your password is a random 10 character combination of lowercase letters (a-z), uppercase letters (A-Z) and digits (0-9), you are pretty safe from the average script kiddie. He or she probably won't spend a year trying to crack your specific password. However, if you are targeted by big fish with serious computing power, 10 characters is obviously not sufficient. If we are really concerned, we should also take into consideration the long-term growth in computing power and possible undiscovered flaws in existing hashing algorithms, but that's a different article.
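The keyspace arithmetic behind the 4 hour, 123 hour and "about a year" figures above is easy to reproduce for any mask. The following is an added example, not code from the article or from oclHashcat: it parses hashcat's documented mask syntax (?l, ?u, ?d, ?s, ?a plus custom charsets ?1-?4), computes the keyspace, and converts it to time at a given hash rate. The hash rate itself is an assumption: instead of copying a number from the spreadsheet, it is derived as the minimum rate at which 62^8 candidates fit into 4 hours, which is what the MD5 claim above implies.

```python
"""Keyspace and time-to-exhaust estimates for hashcat-style masks (added example)."""
from string import ascii_lowercase, ascii_uppercase, digits

# hashcat's built-in charsets, as documented for mask attacks.
BUILTIN_CHARSETS = {
    "l": ascii_lowercase,                        # 26
    "u": ascii_uppercase,                        # 26
    "d": digits,                                 # 10
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",  # 33, includes space
}
BUILTIN_CHARSETS["a"] = "".join(BUILTIN_CHARSETS[k] for k in "luds")  # 95


def parse_mask(mask, custom=None):
    """Return one charset string per password position for a hashcat mask.

    Supports ?l ?u ?d ?s ?a, custom charsets ?1..?4 passed in `custom`,
    '??' for a literal question mark, and literal characters.
    """
    custom = custom or {}
    positions = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch != "?":
            positions.append(ch)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")
        elif key in BUILTIN_CHARSETS:
            positions.append(BUILTIN_CHARSETS[key])
        elif key in custom:
            positions.append(custom[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions


def keyspace(mask, custom=None):
    """Number of candidates the mask generates (duplicates in a charset ignored)."""
    total = 1
    for charset in parse_mask(mask, custom):
        total *= len(set(charset))
    return total


def seconds_to_exhaust(mask, hashes_per_second, custom=None):
    """Worst-case time to try every candidate of `mask` at the given rate."""
    return keyspace(mask, custom) / hashes_per_second


def rate_needed(mask, seconds, custom=None):
    """Hash rate required to exhaust `mask` within `seconds`."""
    return keyspace(mask, custom) / seconds


def human_duration(seconds):
    """Render seconds as the largest sensible unit, for reporting."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Assumption: a rig that finishes 62^8 MD5 candidates in 4 hours, as the article states.
    alnum = {"1": ascii_lowercase + ascii_uppercase + digits}
    rate = rate_needed("?1" * 8, 4 * 3600, alnum)
    print(f"implied MD5 rate: {rate / 1e9:.1f} GH/s")
    for label, mask in (("8 alnum", "?1" * 8), ("8 printable", "?a" * 8), ("10 alnum", "?1" * 10)):
        print(f"{label:12s} keyspace={keyspace(mask, alnum):.3e} "
              f"time={human_duration(seconds_to_exhaust(mask, rate, alnum))}")
```

Adding symbols multiplies the work by (95/62)^8, about 30x, which is exactly the jump from "less than 4 hours" to "almost 123 hours"; going from 8 to 10 alphanumeric characters multiplies it by 62^2 = 3844, which lands in the "about a year" range at the same rate. Note that these are exhaustive-search figures for a fast, unsalted hash; a slow password hash such as bcrypt or a wordlist-plus-rules attack changes the picture entirely.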