by ircmaxell
4099 days ago
Well, let's look at it realistically: http://arstechnica.com/security/2015/01/yes-123456-is-the-mo... The #1 password out of 3.3 million was 123456, which was used 20,000 times. So extrapolating that for your 2 million hashes, we'd expect the top password to appear roughly 12,000 times. Running those numbers, we'd expect each guess to have a 1/12000 chance of matching. Or more specifically, a 1988000/2000000 chance of not matching. With some quick running of those numbers, we'd expect a 50% chance of finding a match after trying just 115 random usernames. I'm not saying it isn't an interesting approach, I just don't think it's nearly as effective as if you encrypt the hash directly (which has no attack vector unless you can get the key).