by Behemoth66 1711 days ago
Couldn’t find it in 1.4 Trillion combinations. Used rockyou.txt with dive.rule.

Took me 6 minutes to try all 1.4 trillion passwords. So either you have a strong password or I messed something up. What is it?

In theory if your password was weak enough to be on this list it would take on average 3 minutes to break it on a GTX 1080.


Thanks for trying! This somewhat supports what I'm suggesting - because that password hasn't been leaked by being posted in plaintext as a verified password, it's not available as a lookup, therefore it doesn't matter whether they used bcrypt, sha1 or md5, or even just pgp encrypted it, the password is likely "secure".
It depends. It doesn’t have to strictly be a leaked password. If it’s similar to a leaked password then the permutation rule-set will catch it.

Anything under 9 characters I can brute force in minutes. 9 character passwords would take me 9 hours.

Obviously if someone has a nest of the latest GPUs then they could go a lot faster.

But yes if your password is uwv&6qu_brusb618_$@618jg then it doesn’t really matter how you hash it.
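The two comments above describe a wordlist-plus-rules attack (rockyou.txt with hashcat's dive.rule) against an unsalted dump, and an exhaustive search over short passwords. The block below is an added illustration, not code from the thread or from hashcat: it implements a small subset of hashcat's rule syntax, runs it over a constructed four-word list against three constructed unsalted MD5 digests, and shows that both the verbatim wordlist entry and a rule-derived variant of it are recovered while the long random password from the thread is not. The names `apply_rule`, `crack`, `keyspace` and `brute_force_hours`, the sample hashes, the wordlist and the rule list are all assumptions made for this example.

```python
import hashlib

# Constructed sample: three unsalted MD5 digests, as they would appear in a
# leaked dump (hex digest, no salt). Plaintexts are only listed for clarity.
TARGETS = {
    hashlib.md5(b"password").hexdigest(),                   # verbatim wordlist entry
    hashlib.md5(b"Password1!").hexdigest(),                 # wordlist entry + rule
    hashlib.md5(b"uwv&6qu_brusb618_$@618jg").hexdigest(),   # the strong one from the thread
}

# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "letmein", "dragon", "qwerty"]

# A handful of hashcat-style rule lines; dive.rule is tens of thousands of these.
RULES = [":", "c", "u", "c $1 $!", "r", "sa@ so0", "c so0 $1 $2 $3"]


def apply_rule(word: str, rule: str) -> str:
    """Apply one space-separated hashcat-style rule line to a wordlist entry.

    Supported subset: ':' (noop) l u c t r  $X (append)  ^X (prepend)
    sXY (replace X with Y)  [ (drop first)  ] (drop last).
    Because functions are split on whitespace, '$ ' (append space) is not supported.
    """
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            continue
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "t":
            word = word.swapcase()
        elif op == "r":
            word = word[::-1]
        elif op == "$":
            word = word + arg
        elif op == "^":
            word = arg + word
        elif op == "s":
            word = word.replace(arg[0], arg[1])
        elif op == "[":
            word = word[1:]
        elif op == "]":
            word = word[:-1]
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return word


def crack(targets, wordlist, rules, algo: str = "md5") -> dict:
    """Hash each (word, rule) candidate once and look it up against ALL targets.

    One hash per candidate for the whole dump is exactly what unsalted storage
    gives the attacker; with per-user salts every candidate would have to be
    hashed once per target instead. Returns {digest: recovered_plaintext}.
    """
    targets = set(targets)
    found = {}
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(word, rule)
            digest = hashlib.new(algo, cand.encode()).hexdigest()
            if digest in targets:
                found[digest] = cand
    return found


def keyspace(length: int, charset_size: int = 95) -> int:
    """Candidates in an exhaustive search of exactly `length` characters over
    `charset_size` symbols (95 = printable ASCII including space)."""
    return charset_size ** length


def brute_force_hours(length: int, rate_per_second: float, charset_size: int = 95) -> float:
    """Wall-clock hours to exhaust keyspace(length) at a given hash rate.
    The rate is an input, not a measurement: pick it for your own hardware."""
    return keyspace(length, charset_size) / rate_per_second / 3600


if __name__ == "__main__":
    for digest, plain in crack(TARGETS, WORDLIST, RULES).items():
        print(f"{digest}  {plain}")
    # Each extra character multiplies the exhaustive search by the charset size.
    for n in (8, 9):
        print(f"{n} chars: {keyspace(n):.2e} candidates, "
              f"{brute_force_hours(n, 25e9):.1f} h at an assumed 25 GH/s")
```

Only the two candidates reachable from the wordlist fall out; the random 24-character string is never generated, so it survives regardless of whether the dump used MD5, SHA-1 or bcrypt. The `crack` loop also makes the salting point concrete: because nothing per-user goes into the digest, every candidate is checked against the whole dump at the cost of one hash.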

The reason I didn't give any more information on the password above is because you don't have any extra information on a dump of hashes from a twitch database either. If a password is only feasibly brute forceable for a specific algorithm by reducing the search space by many orders of magnitude, it kind of shows that there's not really any risk even if the passwords are unsalted for a person who hasn't reused a password.
> it kind of shows that there's not really any risk even if the passwords are unsalted for a person who hasn't reused a password.

No, it doesn't. You could reuse uwv&6qu_brusb618_$@618jg everywhere and it wouldn't get cracked. If the plaintext password leaked, then you'd be in more trouble.

What matters is whether your password is easy to guess, not whether you've reused it. If you have all unique passwords, they can still all be trivial to crack.

Well. SHA-1 is not _that_ hard to break. It's a solved algorithm.
That's for generating collisions, not preimage resistance. It's not particularly easy to reverse.