• tal@lemmy.today · 11 points · 10 hours ago (edited)

      To be fair, that assumes complete exhaustion of the password space. If you assume that a given password is totally random, then it’d take half that time, 80 years, on average.

      Thing is, most people don’t choose totally random passwords, and there are utilities that will try to generate statistically-more-common passwords sooner in that sequence, well before 80 years.

      I’m probably very out-of-date here, but as an example, one elderly utility, John the Ripper, comes with “mangling rules” to append a “1” at the end of a given sequence fairly early, because that’s how a lot of people make their password pass a digits requirement. Using passwords containing dictionary words and replacing “e” with “3”, stuff like that.

      I’d guess that today, someone probably has software that has rules to order its attempts that are trained off leaked password databases to be statistically optimal to defeat them, rather than merely manually crafted with human guesswork.
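      The mangling rules described above (appending a "1", swapping "e" for "3") cut both ways: a registration or password-change check can undo the same cheap transformations and reject any password that collapses to a wordlist entry. The following is an added illustration, not code from the commenter or from John the Ripper; the tiny wordlist and the leet mapping are constructed for the example (a real deployment would load a large breached-password list).

```python
from __future__ import annotations
import re

# Constructed mini-wordlist for the example; replace with a real list in production.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}

# Reverse of the usual leet substitutions a mangling rule would apply.
# Assumed mapping: "1" is read as "i" here (it could equally be "l").
UNLEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def candidate_roots(password: str) -> set[str]:
    """Undo cheap mangling (case, appended/prepended digits or symbols, leet)
    and return every plausible dictionary root the password could come from."""
    lowered = password.lower()
    # Strip a trailing suffix such as "1", "2024!" before un-leeting, so the
    # appended "1" is not mistaken for a substituted letter.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    # Likewise strip a leading "!" or "123" prefix.
    stripped = re.sub(r"^[\d\W_]+", "", stripped)
    roots: set[str] = set()
    for form in {lowered, stripped}:
        roots.add(form)
        roots.add(form.translate(UNLEET))
    return roots


def weakness_reason(password: str) -> str | None:
    """Return why the password is weak, or None if no cheap rule maps it to a word."""
    for root in sorted(candidate_roots(password)):
        if root in COMMON_WORDS:
            return f"derived from common word '{root}' by a cheap mangling rule"
    return None


def is_weak(password: str) -> bool:
    return weakness_reason(password) is not None


if __name__ == "__main__":
    for pw in ["Password1", "P4ssw0rd1", "Summer2024!", "w3lc0m3", "Xq7#vLp2!mN"]:
        print(f"{pw!r}: {weakness_reason(pw) or 'no cheap derivation found'}")
```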

    • SayCyberOnceMore@feddit.uk · 1 point · 10 hours ago

      Yeah, I tried cracking my own pass_phrase_ once… it was doing well until it got to (I think) digit #9 and showed it would take another year…

  • catloaf@lemm.ee · 6 points · 9 hours ago (edited)

    Specifically, a bcrypt hash with the cost set to 10, i.e. 32,768 iterations of hashing. If you are choosing an algorithm, consider Argon2id.