Password Hash Cracking Time Estimate

TL;DR

This guide shows you how to estimate the time it would take to crack password hashes using different methods, helping you understand the strength of your hashing setup. We’ll cover calculating time based on hash rate and rainbow tables.

Estimating Password Hash Cracking Time

1. Understand Hash Types: Different hash algorithms (like MD5, SHA-256, bcrypt) have different strengths. Newer algorithms like Argon2 are much more resistant to cracking than older ones.
   • MD5 is very weak and should not be used.
   • SHA-256 is better but still vulnerable with enough computing power.
   • bcrypt, scrypt, and Argon2 are designed to be slow, making brute-force attacks much harder.
2. Determine Your Hash Rate: This is how many password guesses your cracking tool can try per second. It depends on your hardware (CPU, GPU) and the algorithm.
   • You’ll need to run a test with your chosen cracking tool (like John the Ripper or Hashcat).
   • Example using john to estimate hash rate:

     john --format=md5 --show-progress | grep 'Cracking Speed'

3. Calculate Time for Brute-Force Attacks: If you have no salt, or a weak salt, brute force is possible.
   • Estimate the number of possible passwords. This depends on password complexity rules (length, character set). For example:
     • 8 characters, lowercase letters only: 26⁸ = 208,827,064,576
     • 8 characters, alphanumeric: 62⁸ = 218,340,105,584,896
   • Time (seconds) = Number of Possible Passwords / Hash Rate
   • Convert seconds to more readable units (minutes, hours, days).
     • Example: 218,340,105,584,896 passwords / 1,000,000 hashes/second = 218,340 seconds ≈ 73.5 hours
4. Calculate Time for Rainbow Table Attacks: If you have a salt and the rainbow tables exist.
   • Rainbow tables are pre-computed hashes that can significantly speed up cracking if they cover your hash type and salt.
   • Check if rainbow tables are available for your specific hash algorithm and salt length. Ophcrack is one tool to generate/use these.
   • If a suitable table exists, the time to crack can be very fast (seconds or minutes). If not, you’re back to brute-force.
     • Time depends on the size of the rainbow table and how well it covers your salt space.
5. Consider Salt Length: A longer, random salt makes brute-force attacks much harder.
   • Each unique salt requires a separate cracking attempt.
   • A 16-character random salt significantly increases the number of possible passwords to crack.
6. Account for Hardware Costs: Cracking is resource intensive.
   • Powerful GPUs are much faster than CPUs for cracking certain algorithms.
   • Cloud-based cracking services can provide significant computing power but come at a cost.

Example Scenario

Let’s say you have SHA-256 hashes with a 16-character random salt.

• Hash Rate: 5,000,000 hashes/second (using a GPU)
• Salt Space: 2¹²⁸ (approximately 3.4 x 10³⁸ possible salts)
• Password Complexity: 8 characters, alphanumeric (62⁸ = 218,340,105,584,896)

Total Possible Combinations: 3.4 x 10³⁸ salts * 218,340,105,584,896 passwords = approximately 7.4 x 10⁴⁵

Estimated Time: (7.4 x 10⁴⁵) / 5,000,000 hashes/second ≈ 1.48 x 10⁴⁰ seconds (This is an extremely long time – practically impossible with current technology).

Important Notes

• These are estimates. Actual cracking time can vary significantly.
• Using strong, unique passwords and a robust hashing algorithm (bcrypt, Argon2) with a long salt is crucial for cyber security.
• Regularly update your password policies and hashing algorithms to stay ahead of attackers.