How long would it take to crack an 8 digit password?

wasn't there a thread on here before about using graphics cards to brute force passwords?
it is supposed to be way way faster than using a cpu

but i may be wrong

edit.
found the thread
http://forums.overclockers.co.uk/showthread.php?t=18282776&highlight=passwords+gpu

and from the link in above thread.

"Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called ‘ighashgpu’ and you have yourself a lean, mean password busting machine. How lean and mean? Very:

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

Surely throwing symbols in there keeps you safe, right? Wrong! Take a password consisting of seven characters, mixed-case/symbols random password like ‘F6&B is’ (note the space), that’s gotta be tough for a bruteforce attack. Right? A CPU will take some 75 days to churn through the possibilities, while a GPU is done with it in 7 hours."
 
I don't understand how people are reaching the conclusions that they're reaching (timewise).
So a file encrypted using adobe professional will take the same amount of time it would to crack a file encrypted with truecrypt (aes/twofish/serpent encryption, ripemd-160 hash alg for instance), assuming they're using the same passphrase/number of chars?
Surely people need details of the method of encryption used by adobe professional?

I'm rocking 24 char pw's in truecrypt atm, and now I'm slightly worried lol. Not that I have much to hide, but I would at least like it to work..

A password is a password no matter what kind of encryption it unlocks. Cracking it is the same regardless, it just takes brute force as it's the PW you are cracking not the encryption. A 24 character password would take even a supercomputer thousands of years if not more to crack. So long as there is no other ways in, for example you can basically disable MS Word encryption easily by modifying the file (or you used to be able to) then you're fine!
 
Haha apparently my most secure password would take "About 89 quintillion years" to crack (assuming you don't use the drug and wrench method).
 
A password is a password no matter what kind of encryption it unlocks. Cracking it is the same regardless, it just takes brute force as it's the PW you are cracking not the encryption. A 24 character password would take even a supercomputer thousands of years if not more to crack. So long as there is no other ways in, for example you can basically disable MS Word encryption easily by modifying the file (or you used to be able to) then you're fine!

So from the 9 mixed characters in the post a few up from j.col, cracked using a single GPU in 48 days, with a 24 character pw we experience a massive leap in time. But then I suppose the combinations increase exponentially. Could the amount/quality of equipment not increase exponentially also? 200 GPUs or something silly, would they not make short work of even the most complex password?

I haven't looked at the maths btw so excuse my naivety.

I can't find any quick info on the password combinations involved :(, but assuming you could get 100 cards running and order them in such a way that they aren't replicating combinations, that's 330bn combinations per second. That seems like a hell of a lot. But then I have no idea how combinations/permutations evolve with each character.
 
Chris. “Haha cool my PC password would take 19,558 hours”
Not unless you have boot from CD, network and USB disabled then also set a decent BIOS password. Then you still have the problem of someone resetting the BIOS booting then booting to a CD and wiping the Windows password. Then booting into Windows.

It’s kind of scary how easy it is to get around PC passwords.
 
bruteforcing a password of the same length, with the same character set will always have the same theoretical maximum time

Er... multiplied by the time taken to check the password for correctness. I'm assuming that TrueCrypt's decrypting the first block will take significantly longer than md5/sha hashing a short key.

The time complexity may be equal, but the actual time taken is not.

I can't find any quick info on the password combinations involved :(, but assuming you could get 100 cards running and order them in such a way that they aren't replicating combinations, that's 330bn combinations per second. That seems like a hell of a lot. But then I have no idea how combinations/permutations evolve with each character.

Each additional character increases the number of possible passwords by a factor of the character set - I think it's around 170 on a standard keyboard, so 170^length. When brute-forcing passwords, it's fairly interesting to look at collision statistics as well. Your 20-something character password won't help you much if it hashes to the same value as 'a' - unlikely, but possible (and much more likely than you think - if you want proof, check out the Birthday problem).
 
bruteforcing a password of the same length, with the same character set will always have the same theoretical maximum time

You could hardly be more wrong. Although the sheer amount of wrong in this thread in general is pretty staggering. Why do people offer up information as fact when they don't actually know, the first thing you get back from google isn't always appropriate or correct.
 
Each additional character increases the number of possible passwords by a factor of the character set - I think it's around 170 on a standard keyboard, so 170^length. When brute-forcing passwords, it's fairly interesting to look at collision statistics as well. Your 20-something character password won't help you much if it hashes to the same value as 'a' - unlikely, but possible (and much more likely than you think - if you want proof, check out the Birthday problem).



Very interesting ty :), I shall have a good read later on. I am now aware of how utterly weak most of my passwords are. :eek:
 
So a file encrypted using adobe professional will take the same amount of time it would to crack a file encrypted with truecrypt (aes/twofish/serpent encryption, ripemd-160 hash alg for instance), assuming they're using the same passphrase/number of chars?

Yes because it's a brute force attack, the only thing that matters is the complexity of the hashing algorithms used to turn the password into a key which are standardised these days anyway, the more complex the algorithm the slower the brute force.

When the entropy of the password reaches that of the key itself then it is much faster to brute force encryption using keys rather than passwords because the hashing algorithm is bypassed.

So a 128-bit key would need a 22 character alpha numeric password to offer the best security, 256-bit would require 43 characters. If you're using 3 different 256-bit keys then you need 44 characters.
 
Oh my new password:

Online Attack Scenario:
(Assuming one thousand guesses per second) 93.70 trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 9.37 hundred thousand centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 9.37 hundred centuries

Pretty good I guess..

Memorable to me too :)
 
There was an interesting post on hacker news a while ago that showed using words with spaces was more difficult to crack than an unmemorable random character password.
 
Yes because it's a brute force attack, the only thing that matters is the complexity of the hashing algorithms used to turn the password into a key which are standardised these days anyway, the more complex the algorithm the slower the brute force.

When the entropy of the password reaches that of the key itself then it is much faster to brute force encryption using keys rather than passwords because the hashing algorithm is bypassed.

So a 128-bit key would need a 22 character alpha numeric password to offer the best security, 256-bit would require 43 characters. If you're using 3 different 256-bit keys then you need 44 characters.

That would be 22 chars with maximum entropy though and humans fail at remembering entropy. Anything remotely memorable would need significantly more characters to hash to a decent 128 bits.
 
That would be 22 chars with maximum entropy though and humans fail at remembering entropy. Anything remotely memorable would need significantly more characters to hash to a decent 128 bits.

I actually have a 64-char random password I use for encryption. Creating lots of small random passwords and then concatenating them together works very well in my experience. As does using non random passwords and randomly changing digits every so often to produce a random password.

This. How would the cracker know if it was correct or not without testing each one and surely the server wouldn't allow it to test that many passwords?

Well in the op's scenario it's a local file not on a server so you have unlimited guesses.
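
The arithmetic this thread keeps circling around, worked through as an added example that is not part of any poster's message: it computes worst-case exhaustive search time from the guess rates quoted above and the password length that matches a key's size. Assumptions: 62 characters for mixed-case alphanumeric, 95 for printable ASCII, every candidate is tried, and the function names and the 1000x per-guess slowdown are constructed for illustration.

```python
# Added example: brute-force arithmetic using the rates quoted in the thread.
# Function names and the cost_factor parameter are illustrative assumptions.

CPU_RATE = 9.8e6   # NTLM guesses/second on the CPU, as quoted in the thread
GPU_RATE = 3.3e9   # NTLM guesses/second on one GPU, as quoted in the thread
ALNUM = 62         # a-z, A-Z, 0-9 (assumed charset size)
PRINTABLE = 95     # printable ASCII including space (assumed charset size)


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size, length, rate, cost_factor=1):
    """Seconds to try every candidate. cost_factor scales the work per guess,
    e.g. a key-derivation step N times slower than a single NTLM hash."""
    return keyspace(charset_size, length) * cost_factor / rate


def chars_for_key_bits(bits, charset_size):
    """Shortest uniformly random password whose keyspace is >= 2**bits."""
    n = 0
    while charset_size ** n < 2 ** bits:
        n += 1
    return n


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31557600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    for charset, length in ((ALNUM, 7), (ALNUM, 9), (PRINTABLE, 7), (ALNUM, 24)):
        cpu = humanize(worst_case_seconds(charset, length, CPU_RATE))
        gpu = humanize(worst_case_seconds(charset, length, GPU_RATE))
        farm = humanize(worst_case_seconds(charset, length, 100 * GPU_RATE))
        print(f"{charset}^{length}: CPU {cpu} | 1 GPU {gpu} | 100 GPUs {farm}")
    # Constructed case: same 9 characters, but each check costs 1000 NTLM hashes
    slow = worst_case_seconds(ALNUM, 9, GPU_RATE, cost_factor=1000)
    print("9 chars, 1000x slower check, 1 GPU:", humanize(slow))
    for bits in (128, 256):
        print(f"{bits}-bit key: {chars_for_key_bits(bits, ALNUM)} random alphanumeric chars")
```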
 