Scribd
Upload
147 views2 pages

Time Needed For Password Searches: Password Strength Information Entropy

The time required to crack a password depends on its bit strength, which measures entropy. Higher bit strength exponentially increases the number of possible passwords that must be checked. Ordinary desktop computers can test over 100 million passwords per second using CPU-based tools or billions of passwords per second using GPU-based tools. A typical 8-character password containing numbers and symbols could be cracked in around 16 minutes by a desktop computer. When many computers are combined in a network, as with botnets, password cracking capabilities are significantly increased.

Uploaded by

Hendra Daniswara Immanuel
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
147 views2 pages

Time Needed For Password Searches: Password Strength Information Entropy

The time required to crack a password depends on its bit strength, which measures entropy. Higher bit strength exponentially increases the number of possible passwords that must be checked. Ordinary desktop computers can test over 100 million passwords per second using CPU-based tools or billions of passwords per second using GPU-based tools. A typical 8-character password containing numbers and symbols could be cracked in around 16 minutes by a desktop computer. When many computers are combined in a network, as with botnets, password cracking capabilities are significantly increased.

Uploaded by

Hendra Daniswara Immanuel
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 2

Time needed for password searches[edit]

The time to crack a password is related to bit strength (see password strength); which is a
measure of the password's information entropy. Most methods of password cracking require the
computer to produce many candidate passwords, each of which is checked. One example
is brute-force cracking, in which a computer tries every possible key or password until it
succeeds. More common methods of password cracking, such as dictionary attacks, pattern
checking, word list substitution, etc., attempt to reduce the number of trials required and will
usually be attempted before brute force. Higher password bit strength increases exponentially
the number of candidate passwords that must be checked, on average, to recover the password
and reduces the likelihood that the password will be found in any cracking dictionary.
[2]

The ability to crack passwords using computer programs is also a function of the number of
possible passwords per second which can be checked. If a hash of the target password is
available to the attacker, this number can be quite large. If not, the rate depends on whether the
authentication software limits how often a password can be tried, either by time
delays, CAPTCHAs, or forced lockouts after some number of failed attempts. Another situation
where quick guessing is possible is when the password is used to form acryptographic key. In
such cases, an attacker can quickly check to see if a guessed password successfully decodes
encrypted data. For example, one commercial product claims to test 103,000 WPA PSK
passwords per second.
[3]

Ordinary desktop computers can test over a hundred million passwords per second using
password cracking tools that run on a general purpose CPU and billions of passwords per
second using GPU-based password cracking tools.
[4][5][6]
See: John the Ripper benchmarks.
[7]
A
user-selected eight-character password with numbers, mixed case, and symbols, reaches an
estimated 30-bit strength, according to NIST. 2
30
is only one billion permutations and would take
an average of 16 minutes to crack.
[8]
When ordinary desktop computers are combined in a
cracking effort, as can be done with botnets, the capabilities of password cracking are
considerably extended. In 2002, distributed.net successfully found a 64-bitRC5 key in four years,
in an effort which included over 300,000 different computers at various times, and which
generated an average of over 12 billion keys per second.
[9]
Graphics processors can speed up
password cracking by a factor of 50 to 100 over general purpose computers. As of 2011,
available commercial products claim the ability to test up to 2,800,000,000 passwords a second
on a standard desktop computer using a high-end graphics processor.
[10]
Such a device can
crack a 10 letter single-case password in one day. Note that the work can be distributed over
many computers for an additional speedup proportional to the number of available computers
with comparable GPUs.
Despite their capabilities, desktop CPUs are slower at cracking passwords than purpose-built
password breaking machines. In 1998, the Electronic Frontier Foundation (EFF) built a dedicated
password cracker using ASICs, as opposed to general purpose CPUs. Their machine, Deep
Crack, broke a DES 56-bit key in 56 hours, testing over 90 billion keys per second.
[11]
In 2010,
the Georgia Tech Research Institute developed a method of using GPGPU to crack passwords,
coming up with a minimum secure password length of 12 characters.
[12][13][14]

You might also like