Password Crackability

What’s make a password crackable ?

First and foremost, if the password is used for authentication there most likely exists somewhere validation-elements stored in the cloud or on the devices that allows to authenticate the user. It can be a hash, it can be a clear text in a piece of offuscated code, or just in plain memory etc. and this is what’s make an attack possible.

An this is the main reason password are “blamed” to be insecured, I’d object this with the statement: this is not the password but more the way we store credential data which is at fault;
immagine a system where there exists no hash to compare to: well this will render dictionnary attacks infeasible. So you could very much use “I love my password <3” and no one will know as its hash “SHA1:24329a97772743fac01c44c5894f97b7fb69a3a3” is nowhere to be found. (even it this is a very guessable password, the PassGAN and alike tools will fail to find it, there will be no “trace” available on the network to validate the password beside the original login page at which you can have a very strict retry policy or identify unauthentic users).

Lentgh matters

A password strengh is proportional to it’s length :

H = L x log(N) / log(2)

We use a password character space which has between 13 and 20 bit-per-character and generate password with 340bits minimum.

And my translating password we make every mom-n-dad password secure.

• My Password (11c,entropy: 77b, 8d10h53m1.4s), sha1:93325… (pwned 12 times)
• mon&dad pass (12c,entropy: 84b, 143d14h2m40.4s), sha1:49d6b… 👍
• I love you! (11c,entropy: 77b, 4d20h24m45.1s), sha1:01a84… (pwned 13 times)
• 123 soleil (10c,entropy: 70b, 3h28m36.3s), sha1:017cd… (pwned 182 times)
• 123456 (6c,entropy: 42b, 0.005s), sha1:7c4a8… (pwned 42542807 times)
• DS333(!g (8c,entropy: 56b, 4.831s), sha1:13aa2… 👍
• NJ71fY51 (8c,entropy: 56b, 5.410s), sha1:a242e… (pwned 14 times)
• 3BK!45g2 (8c,entropy: 56b, 1.289s), sha1:a4e6e… 👍
• 482KU]!g (8c,entropy: 56b, 4.829s), sha1:472a9… 👍
• 652gfK2[ (8c,entropy: 56b, 15.402s), sha1:6375a… 👍

AI based cracking tools are getting better at guessing human passwords

PassGAN is an artificial intelligence tool designed for password cracking that utilizes a Generative Adversarial Network (GAN) approach 1. Here are some key points about PassGAN:

How it Works

PassGAN uses machine learning algorithms to autonomously learn the distribution of real passwords from actual password leaks 2. It then generates password guesses based on the patterns it has learned, without relying on predefined rules or human-generated password structures 1.

Development and Performance

• PassGAN was introduced in 2017, with the most recent GitHub update occurring six years ago 1.
• In a study by Home Security Heroes, PassGAN demonstrated the ability to crack any seven-character password in approximately six minutes or less, regardless of complexity 1.
• However, its performance is comparable to conventional password-cracking tools. It doesn’t necessarily crack passwords faster than non-AI methods 1.

Limitations and Practical Implications

• PassGAN’s effectiveness diminishes significantly with longer, more complex passwords:
  • 11-character passwords combining uppercase, lowercase, numbers, and symbols could take PassGAN 365 years to crack 1.
  • 15-character passwords using just lowercase letters would take PassGAN an average of 890 years to solve 1.
• The tool’s performance can vary depending on the dataset it’s trained on. Smaller or less common password sets may pose challenges for PassGAN 3.

Security Implications

While PassGAN demonstrates the potential of AI in password cracking, it doesn’t fundamentally change the landscape of password security. The key takeaways for users remain consistent with long-standing password best practices:

• Use long passwords (12 characters or more)
• Combine uppercase and lowercase letters, numbers, and symbols
• Consider using passphrases
• Avoid common or easily guessable passwords

In essence, PassGAN serves as a reminder of the importance of strong password practices rather than introducing a revolutionary threat to password security 1 5.

SHA1 hashrates:

1. Modern hardware capabilities:
   • High-end consumer GPUs like the RTX 4090 can perform about 1.9 billion SHA256 hashes per second 1.
   • Some specialized password cracking rigs can attempt over 100 trillion password hash guesses per second 1.
2. Cloud computing power:
   • For about $25 per hour, an AWS p3.16xlarge instance can achieve 632 billion hash attempts per second for NTLM hashes 1.
3. Relative speed compared to SHA256:
   • SHA1 is slightly faster than SHA256 on modern processors, though the difference is often marginal for most applications 3.
   • An FPGA reprogrammed to do SHA1 hashes can perform around 1.4 times as many SHA1 hashes as its SHA256 rating 5.
4. Historical attack costs:
   • In 2012, an estimated cost of $2.77M to break a single SHA1 hash value by renting CPU power from cloud servers 1.
   • In 2017, researchers demonstrated a practical SHA1 collision attack requiring just 2^63 operations 3.
5. Current security status:
   • SHA1 is considered cryptographically broken and not secure against well-funded opponents since 2005 1.
   • It’s recommended to replace SHA1 with SHA2 or SHA3 as soon as possible, especially for digital signatures and security-critical applications 1.

While exact current hashrates can vary depending on specific hardware configurations, these figures give a general sense of SHA1’s performance and security status. The key takeaway is that SHA1 is no longer considered secure for cryptographic purposes due to its vulnerability to collision attacks, despite its slightly faster performance compared to newer hash functions.