I'm not sure I understand your question clearly, but I would just focus on the strength of the password and how it affects brute force attack.
But still it works at some speed, certainly enough to attack the dictionary and to sort through weak passwords, presumably shorter than six alphanumeric characters.
Introduction
For a moment, forget about the hash algorithm (md5, sha, pbkdf2 bcrypt, scrypt, etc.) and do not focus on Strength Password
Wiki Password Strength
This is an indicator of the effectiveness of the password in resisting guessing and brute force attacks. In his usual form, he calculates how many trials an attacker who does not have direct access to a password, on average, had to guess it correctly.
It can simply be calculated as:
Entropy is given by the symbol H=Llog2N , where L is the length of the password, and N is the size of the alphabet and is usually measured in bits.
Hash function
password_hash uses [bcrypt][4] by default, for which a password is enough, but there are better alternatives like PBKDF2 or scrypt for more information on what I mean, see How to keep a password safe
Using oclHashcat , let's evaluate the following
+--------+-----------+----------------+ | HASH | ESTIMATE | BITS/S | +--------+-----------+----------------+ | MD5 | 10742M | 90110427136 | | BCRYPT | 31M | 260046848 | +--------+-----------+----------------+
Please note that this is an estimate and may vary depending on the hardware capacity.
With the help of this information we can safely calculate how long it will take to iterate over with another password.
Calculate Entropy in PHP
$passwords = array( "1234", "F2A1CC", "password", "PaSSworD", "P4ssw0Rd97", "p#aSS*Word14", "Dance With Me Tonight" ); print("PASSWORD\tLENGTH\tENTROPY\tTIME MD5\tTIME BCRYPT\n"); foreach($passwords as $password ){ printf("%s\t%s\t%s\t%s\t%s\n", $password, strlen($password), $entropy = calculateEntropy($password), totalTime($entropy, "90110427136"), // Check with MD5 totalTime($entropy, "260046848") // Check with BCrypt ); }
Exit
+-----------------------+--------+---------+------------+----------------+ | PASSWORD | LENGTH | ENTROPY | TIME MD5 | TIME BCRYPT | +-----------------------+--------+---------+------------+----------------+ | 1234 | 4 | 13.29 | 1min | 1min | | F2A1CC | 6 | 24.00 | 1min | 1min | | password | 8 | 37.60 | 1min | 1min | | PaSSworD | 8 | 45.60 | 1min | 1day+ | | P4ssw0Rd97 | 10 | 59.54 | 2mo+ | 71yr+ | | p#aSS*Word14 | 12 | 75.86 | 13,479yr+ | 4yr+ | | Dance With Me Tonight | 21 | 120.29 | 474,250yr+ | 164,335,595yr+ | +-----------------------+--------+---------+------------+----------------+
Result converted using csv2table
CUDA / OpenCL password cracking capabilities can use the huge amount of parallelism available in GPUs, reaching billions of potential passwords per second .
Lets evaluate that we can do 921600M c/s in parallel on a very fast system
T = 966367641600 * 8 T = 7,730,941,132,800 // bits/sec
Using
foreach($passwords as $password ){ printf("%s\t%s\t%s\t%s\n", $password, strlen($password), $entropy = calculateEntropy($password), totalTime($entropy, "7730941132800") // Check with Hash ); }
Exit
+-----------------------+---------+---------+----------+ | PASSWORD | LENGTH | ENTROPY | TIME | +-----------------------+---------+---------+----------+ | 1234 | 4 | 13.29 | 1min | | F2A1CC | 6 | 24.00 | 1min | | password | 8 | 37.60 | 1min | | PaSSworD | 8 | 45.60 | 1min | | P4ssw0Rd97 | 10 | 59.54 | 20hr+ | | p#aSS*Word14 | 12 | 75.86 | 157yr+ | | Dance With Me Tonight | 21 | 120.29 | 5,527yr+ | +-----------------------+---------+---------+----------+
As you can see, it still takes some time to break a decent 12 digits.
Function used
// Calculate Password entropy // Uses H = L Log2 N // where L is the length of the password and // N is the size of the alphabet, and it is usually measured in bits function calculateEntropy($password) { // See http://en.wikipedia.org/wiki/Password_strength // Entropy per symbol for different symbol sets // Missing All extended ASCII printable characters // Missing Diceware word list // TODO // Larger Character Set // '/[\!"#$%&\'\(\)\*\+,\-.\/:;<\=>\?\@\[\]^_`\{|\}~]+/' => 32, $cases = array( "/\s+/" => 1, // Arabic numerals (0β9) (eg PIN) "/[0-9]+/" => 10, // Arabic numerals (0β9) (eg PIN) "/[az]+/" => 26, // Case insensitive Latin alphabet (az) "/[AZ]+/" => 26, // Case insensitive Latin alphabet (AZ) '/[\!\@#$%\?\&\*\(\)_\-\+=~:;.]+/i' => 18 // Other Character ); $L = strlen($password); // Length of password $N = 0; // Character Set foreach($cases as $regex => $value ){ if (preg_match($regex, $password)){ $N += $value; } } // Don't confuse hexadecimal for alpha numeric characters // hexadecimal numerals (0β9, AF) (eg WEP keys) if (ctype_xdigit($password)){ $N = 16; } // Fix pure number cases that might have been changed by hexadecimal // Arabic numerals (0β9) (eg PIN) if (ctype_digit($password)){ $N = 10; } // Using H = L Log2N // See http://en.wikipedia.org/wiki/Password_strength // Random passwords entropy $H = $L * log($N, 2); return number_format($H, 2); } // Claculate Total time it would take // Using Entropy & froce / s function totalTime($entropy, $force) { bcscale(0); // Total Base on entorpy 2^H $total = bcpow(2, $entropy); // Time Taken per sec on Force $ss = bcdiv($total, $force); $time = ""; $parts = []; $parts['yr'] = bcdiv($ss, "31104000"); $parts['mo'] = bcdiv(bcmod($ss, 31104000), 2592000); $parts['day'] = bcdiv(bcmod($ss, 2592000), 86400); $parts['hr'] = bcdiv(bcmod($ss, 86400), 3600); // Clean Year // Can really generate large numbers $suffix = ""; $yr = $parts['yr']; if (!empty($yr)){ if (bccomp($yr, "1000000") > 0){ $parts['yr'] = bcdiv($yr, "1000000"); // Million $year = " million "; } if (bccomp($yr, "1000000000") > 0){ $parts['yr'] = bcdiv($yr, "1000000000"); // Billion $year = " billion "; } if (bccomp($yr, "1000000000000") > 0){ $parts['yr'] = bcdiv($yr, "1000000000000"); // Trillion $year = " trillion "; } } foreach($parts as $t => $v ){ if (empty($v)){ continue; } $time .= number_format($v, 0) . $suffix . $t . "+"; break; } return empty($time) ? "1min" : $time; }
Misunderstanding
You are right, the length of the password is important, since the entropy of the password. Most recommendations advise users to use bcrypt , password complexity, etc. Without understanding password strength
But the fact that the simplest passwords can often be the strongest.
Source | Linked Blog Post
So, I want to know how slow it is, of course, and, in particular, what password strength is considered safe to use.
A source
Definitely not 6 letters :)
- <28 bits = very weak; may contain family members.
- 28 - 35 bits = weak; Most people, often good at passwords for logging into a desktop computer, should be avoided.
- 36 - 59 bits = Reasonable; fairly secure passwords for network and corporate passwords.
- 60 - 127 bit = Strong; may be useful to protect financial information.
- 128+ bits = Very Strong; often overkill
Conclusion
Here are some good links you can look at