Differences

This shows you the differences between two versions of the page.

2013-12-22_an_update_on_oclhashcat [2013/12/22 14:45]
T. Alexander Lystad
2013-12-22_an_update_on_oclhashcat [2013/12/22 14:47] (current)
T. Alexander Lystad
Line 10: Line 10:
  
 In the spreadsheet above, you can also see how long it would take for me to find all passwords given a specific password length and hashing algorithm. In this case I'm looking at all passwords that contain combinations of lowercase letters (a-z), uppercase letters (A-Z) and digits (0-9). As an example, I can recover any and all passwords 8 characters long, in less than 4 hours, provided the passwords are hashed in an insecure way using the MD5 algorithm (which sadly is [[leaked_password_lists_and_dictionaries|more normal than it should be]]). In the spreadsheet above, you can also see how long it would take for me to find all passwords given a specific password length and hashing algorithm. In this case I'm looking at all passwords that contain combinations of lowercase letters (a-z), uppercase letters (A-Z) and digits (0-9). As an example, I can recover any and all passwords 8 characters long, in less than 4 hours, provided the passwords are hashed in an insecure way using the MD5 algorithm (which sadly is [[leaked_password_lists_and_dictionaries|more normal than it should be]]).
- 
-If your password is a random 10 character combination of lowercase letters (a-z), uppercase letters (A-Z) and digits (0-9), you are pretty safe from the average [[http://en.wikipedia.org/wiki/Script_kiddie|script kiddie]]. He or she probably won't spend a year trying to crack your specific password. However, if you are targeted by [[http://en.wikipedia.org/wiki/National_Security_Agency|big]] [[http://en.wikipedia.org/wiki/Botnet|fish]] that have [[http://www.informationweek.com/storm-worm-botnet-more-powerful-than-top-supercomputers/d/d-id/1058883?|serious computing power]], 10 characters is obviously not sufficient. If we are really concerned, we might also take into consideration the long-term growth in computing power and possible undiscovered flaws in existing hashing algorithms. 
  
 What if we also add symbols ( !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~) in our passwords? What if we also add symbols ( !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~) in our passwords?
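
Review bot: In the context paragraph that now leads straight into the symbols question, "hashed in an insecure way using the MD5 algorithm" does not say why that matters for the "less than 4 hours" figure. Consider one clause stating that the estimate depends on the hashing algorithm chosen in the spreadsheet, so readers do not carry the number over to the other algorithms listed there. The phrase "more normal than it should be" would also read better as "more common than it should be".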
Line 18: Line 16:
  
 It would take me almost 123 hours to find any and all 8 character MD5 hashed passwords that uses lowercase letters, uppercase letters, digits and symbols. It would take me almost 123 hours to find any and all 8 character MD5 hashed passwords that uses lowercase letters, uppercase letters, digits and symbols.
 +
 +If your password is a random 10 character combination of lowercase letters (a-z), uppercase letters (A-Z) and digits (0-9), you are pretty safe from the average [[http://en.wikipedia.org/wiki/Script_kiddie|script kiddie]]. He or she probably won't spend a year trying to crack your specific password. However, if you are targeted by [[http://en.wikipedia.org/wiki/National_Security_Agency|big]] [[http://en.wikipedia.org/wiki/Botnet|fish]] that have [[http://www.informationweek.com/storm-worm-botnet-more-powerful-than-top-supercomputers/d/d-id/1058883?|serious computing power]], 10 characters is obviously not sufficient. If we are really concerned, we might also take into consideration the long-term growth in computing power and possible undiscovered flaws in existing hashing algorithms, but that's a different article.
  
  
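
Review bot: The relocated paragraph on the "+If your password is a random 10 character..." line now follows the 123-hour figure for the full symbol set, yet it returns to the a-z, A-Z, 0-9 character set and relies on "won't spend a year" without stating the 10-character time from the spreadsheet. State that figure explicitly, as the 8-character paragraphs do, and name the character set and algorithm it covers. "10 characters is obviously not sufficient" would be stronger with the reason given in place of "obviously", and the new ending "but that's a different article" should link to that article if it exists. The context line above it has "passwords that uses", which should be "use".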