[mlyle]

If they were dictionary words, or a similarly constrained search space, fed through SHA, this is exactly how it works. The information given after one guess excludes a whole lot of guesses as being possible solutions.

Here, there's 91.7 bits of entropy in what goes into the hash function. Each guess shaves off more than 10 bits of entropy. After 9 guesses, only one password conforming to the generation format will be possible... yes, it will be very (impractically) hard to find this password, but the rest could be done offline to find the 10th value and solve it in 10 guesses.

e.g. Make 9 random guesses.

Then, for each of the 2^92 possible input strings:

1. Hash it.

2. See if the hash matches the things we know about the hash from the previous guesses.

[acchow]

Right, it's a random password tho not a dictionary word

[mlyle]

Even so, I just edited my comment and elaborated.

You can do this in 9 online guesses with feedback + a very large number of offline guesses, and have the solution for the 10th.

The information is there-- just the best search strategies known are very expensive.

[acchow]

> a very large number of offline guesses

Right, the entire search space of random passwords.

The matching hash characters are tongue-in-cheek. They don't help you. They could've just given you the entire hash up front and you would still have to search the entire random password space. Sure, you could do it "offline", but it would still take forever to compute

[gitgud]

This is the best description of why it's completely infeasible to make a system to guess it.

It would be only be possible if the password length was below a certain threshold (maybe 30 characters) beyond that limit, there wouldn't be enough atoms in the known universe in order to store every hash/password combination.... making it physically impossible....

[mlyle]

In passwordle, the input is a 14 character password made up of letters, numbers, and punctuation, chosen with some bias. There's less than 92 bits of entropy (the bias shaves off a few bits of effective entropy but I'm too lazy to calculate it).

That is-- out of the range of current brute force, but if it were just a few characters shorter, it could be attacked with this oracle technique no problem.

[selestify]

How would the oracle technique help at all? Like the other commenter said, they could just give you the hash upfront, and you'd still be stuck with bruteforcing the entire space of characters.