Suppose that we have a process that generates passwords with entropy E . I\'d li

Question

Suppose that we have a process that generates passwords with entropy E.

I'd like to compute the average time it would take for a brute-force attack to crack an MD5-hashed instance of such a password.

From the entropy E (in bits), I can compute the total number N = 2E of candidate passwords in the universe from which a given password was chosen. On average, a brute-force attack would have to MD5-hash N/2 candidate passwords in order to crack a specific instance.

But this calculation does not give me the amount of time that this would take. For this I need some multiplier for computational performance, something of the form "x candidate passwords/second".

I imagine that computer security experts have some rule-of-thumb number to plug in for such multiplier x. If so, what is it?

(Of course, if the multiplier x does not take into account the possibility of multiple processors working in parallel, then whatever time one computes using such a multiplier would have to be divided by the number P of processors that the attacker can have running in parallel. If there's a standard rule-of-thumb-like value for P, I'd be interested in that too.)

Explanation / Answer

The term you're looking for is "hash rate", and a quick Google search indicates that a GPU-based password cracker can try on the order of 10^10 passwords per second when cracking MD5 hashes.

Generating hashes is an example of an "embarrassingly parallel" process, so doubling the available computing resources will double your hash rate.

Related Questions

Navigate

• Browse (All)
• Browse S
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.