How can I estimate the time it takes a certain computer to guess a password?


As cyber security and its exploitation become more prominent and relevant, I find websites such as https://howsecureismypassword.net/ to be very interesting. When the user enters a password, it provides them with an estimated time a desktop PC would require to guess that exact password. I understand this time is based on a number of variables such as frequency, character diversity, simplicity, etc.

I would be very interested in finding a source (lecture, book, speech, etc.) detailing the process one would go through to estimate such a time.

Other helpful ideas would be some sort of formula, or algorithm that would allow me (and my computer) to calculate a theoretical password-guess-time.

And for those viewing my question with a sufficient deal of hardware knowledge, is the estimate fundamentally built on the frequency of the processor? Since the aforementioned website bases its calculation off a desktop PC, I would assume it has something to do with the CPU.

So if anyone has a worthy source, formula, or algorithm, please share it. I won't vote down if it's relevant to the question at hand.

Thomas Gerot

Posted 2016-02-03T07:59:29.927

Reputation: 113

Answers


The answer to "Can I estimate the time an attacker with specific known hardware will take to guess a password with a known hashing algorithm?" is "you can't".

This is because the hardware merely provides the maximum possible speed. You can look at oclHashcat for some benchmarks.

However, the software makes advances as well, which is critical and not predictable.

More importantly, it depends entirely on a combination of how the password is formulated and how the attacker attacks it.

  • Almost no users use long cryptographically random passwords, which can only be reasonably attacked by starting an exhaustive keyspace search, i.e. a mask or brute force attack.

  • Most users use really bad passwords, which are extremely vulnerable to hybrid, rules-based dictionary, permutation, or other attacks

  • And those that aren't really bad, but aren't cryptographically random, are still vulnerable to less than brute force time given Markov attacks and advanced rules-based dictionary or mask attacks

  • And for XKCD fans, there are combinator attacks, where it really depends on the word choices... which most humans are REALLY bad at.

    • So the attacker isn't using every English word... they're using the top 5000, or three top 5000 and one top 20,000, or two top 5000, one top 5000 verb, and so on...

    • And dictionaries of famous quotes and lines.

      • as part of rules-based attacks.

  • Or fingerprint attacks work well on some usage patterns.

Note also that those "password strength" sites almost never take into consideration ANY variant on Moore's law, which in password cracking (a ridiculously parallelizable operation) is alive and well, so when they say a thousand years, they mean for hardware of the same price in a decade and a half or so doing nothing but dumb, blind, idiotic pure brute force exhaustive keyspace search.

Try them - these are all HORRIBLE worthless pointless passwords:

  • password

    • "Instantly" - ok, whenever they say your password is bad, it's bad.
  • Password

    • "Instantly" - ok, whenever they say your password is bad, it's bad.
  • Password123

    • "412 years" - Really?
  • P@$$w0rd123

    • "4 thousand years" - Yeah, right... leet speak in almost all of its forms is just another ruleset
  • Jennifer2007

    • "25 thousand years" - you're kidding, right? Significant other's/daughter's first name plus the year they married/met/were born?
  • B@$3b@111

    • "275 days"... and it's baseball1 with leet speak, and we covered that.
  • WinniethepoohWinniethepooh

    • "3 octillion years" - and it's straight out of John the Ripper's default jumbo rules against the default (pathetic) JtR password.lst file.
  • Ncc1701Ncc1701

    • "98 million years" - you're kidding, right? Again, it's straight out of John the Ripper's default jumbo rules against the default (pathetic) JtR password.lst file.
  • a1b2c3123456

    • "37 years" - and it's straight out of John the Ripper's default jumbo rules against the default (pathetic) JtR password.lst file.
  • THunDeRBIrD

    • "59 years" - and it's straight out of John the Ripper's default jumbo rules against the default (pathetic) JtR password.lst file.

See also my answer to Should I reject obviously poor passwords? on security.stackexchange.com, which also covers strength meters and cracking times.

Anti-weakpasswords

Posted 2016-02-03T07:59:29.927

Reputation: 481


You should try at https://security.stackexchange.com/, they will probably be more suitable to help you.

But as far as I can see it, it's the number of combinations / calculations per second if the password is not on the list, or a simple algorithm like x0=1;x1=X0+1;xn=x(n-1)+1. And it seems there is an extra time factor if using non-English letters.

Marifarm IT

Posted 2016-02-03T07:59:29.927

Reputation: 23

Well I initially thought to post it there, but judging the question by what I'm seeking, I found this to be the most relevant and accurate site to post in. Also, your information is heading down the right path, but I am most interested in making my own algorithm for performing such estimation. – Thomas Gerot – 2016-02-03T08:58:45.180

If you try to write your own algorithm maybe try step by step. First try to write the algorithm for numbers+English letters (small + big cases), then maybe handle lists or at least the top 10 or 100 popular passwords that are instant hits. Then go on to handle special characters and other languages. – Marifarm IT – 2016-02-03T09:15:59.787

maybe check out this http://cubicspot.blogspot.si/2011/11/how-to-calculate-password-strength.html it has an explanation on what good or bad passwords are

– Marifarm IT – 2016-02-03T09:20:51.483
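The estimator below is an added example, not code from any of the posters. It implements Marifarm IT's "combinations / guesses per second" formula for the exhaustive-keyspace view a strength meter uses, then sets beside it the rules-based dictionary attack Anti-weakpasswords describes: a constructed six-word list mangled by a handful of JtR-style rules (capitalize, leet, duplicate, append a year or digits). The guesses-per-second figures and the wordlist and rules are assumptions, deliberately tiny compared with password.lst and the jumbo rules; the point is that several of the thread's "hundreds of years" passwords fall within a few thousand candidates of this small rule set.

```python
# Constructed assumptions (not figures from the thread): guesses per second one desktop
# GPU might manage against a fast unsalted hash versus a deliberately slow KDF.
GUESSES_PER_SEC = {"fast hash": 1e10, "slow KDF": 1e5}

def charset_size(pw):
    """Alphabet size a strength meter assumes: union of the character classes present."""
    n = 0
    if any(c.islower() for c in pw): n += 26
    if any(c.isupper() for c in pw): n += 26
    if any(c.isdigit() for c in pw): n += 10
    if any(not c.isalnum() for c in pw): n += 33   # printable ASCII punctuation
    return n

def brute_force_guesses(pw):
    """Worst case for an exhaustive search of every string up to len(pw): sum of N^i."""
    n = charset_size(pw)
    return sum(n ** i for i in range(1, len(pw) + 1))

# Constructed stand-in for a wordlist plus a few JtR-style mangling rules (hypothetical,
# far smaller than password.lst and the jumbo rules the answer refers to).
WORDLIST = ["password", "baseball", "jennifer", "winniethepooh", "ncc1701", "thunderbird"]
LEET = str.maketrans("aeiosl", "@310$1")

def rule_candidates(word):
    """Yield the mangled forms a rules-based dictionary attack would try for one word."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    bases += [b + b for b in bases]          # duplicate-the-word rule
    for b in bases:
        yield b
        for y in range(1900, 2031):          # append a plausible year
            yield f"{b}{y}"
        for d in range(1000):                # append up to three digits
            yield f"{b}{d}"

def rules_based_guesses(pw):
    """Candidates tried before pw is hit, or None if these rules never produce it."""
    for i, cand in enumerate((c for w in WORDLIST for c in rule_candidates(w)), 1):
        if cand == pw:
            return i
    return None

def estimate(pw):
    """Worst-case seconds for brute force vs. the rules-based attack, per hash speed."""
    bf, hit = brute_force_guesses(pw), rules_based_guesses(pw)
    return {name: {"brute_force_s": bf / gps,
                   "rules_based_s": None if hit is None else hit / gps}
            for name, gps in GUESSES_PER_SEC.items()}
```

Calling estimate("Password123") gives a brute-force figure in the billions of seconds but a rules-based hit after 1388 candidates; THunDeRBIrD returns None for the rules-based path only because this constructed rule set has no case-toggling rule, which is exactly the "software advances" caveat in the first answer.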