Hacker News new | ask | show | jobs
by acchow 1587 days ago
> a very large number of offline guesses

Right, the entire search space of random passwords.

The matching hash characters are tongue-in-cheek. They don't help you. They could've just given you the entire hash up front and you would still have to search the entire random password space. Sure, you could do it "offline", but it would still take forever to compute
1 comments
gitgud 1587 days ago
This is the best description of why it's completely infeasible to make a system to guess it.

It would be only be possible if the password length was below a certain threshold (maybe 30 characters) beyond that limit, there wouldn't be enough atoms in the known universe in order to store every hash/password combination.... making it physically impossible....

link
mlyle 1587 days ago
In passwordle, the input is a 14 character password made up of letters, numbers, and punctuation, chosen with some bias. There's less than 92 bits of entropy (the bias shaves off a few bits of effective entropy but I'm too lazy to calculate it).

That is-- out of the range of current brute force, but if it were just a few characters shorter, it could be attacked with this oracle technique no problem.

link
selestify 1587 days ago
How would the oracle technique help at all? Like the other commenter said, they could just give you the hash upfront, and you'd still be stuck with bruteforcing the entire space of characters.
link
mlyle 1587 days ago
> How would the oracle technique help at all?

If they give you the hash upfront (or this oracle), you can test passwords offline without using up a limited number of guesses. It may be very computationally expensive to brute force the space, but the information is there.

If they don't, you get 10 guesses, and you have effectively no chance of guessing the password.

link
selestify 1587 days ago
Ah, I see what you mean. Yes, if you don't even have the entire hash, you're kind of out of luck.

> It may be very computationally expensive to brute force the space, but the information is there.

If the password is long enough, it will take longer than the heat death of the universe to brute force the space. So in practice, brute forcing secure passwords might as well be impossible.

link
mlyle 1587 days ago
> Yes, if you don't even have the entire hash, you're kind of out of luck.

Well, no-- I'm saying that if you have 9 guesses, you can get enough of the hash that you can eliminate all of the passwords but 1.

> If the password is long enough, it will take longer than the heat death of the universe to brute force the space. So in practice, brute forcing secure passwords might as well be impossible.

Here, the password has 88-90 bits of entropy. Out of reach to brute force, but just a few characters shorter and it wouldn't be. And, of course, if there's weaknesses in the hash function ever found, it may be able to elide some or all of this search process.

link