Password Entropy, Part II
Passwords are, generally speaking, expensive to crack.
Even assuming a centralized effort could be an order of magnitude more efficient, this still leaves us with an estimate of US$1M to perform a 2⁷⁰ SHA-256 evaluations and around US$1B for 2⁸⁰ evaluations1.
So it would cost $1M to crack a 71-bits-of-entropy password (on average..), and $1B to crack an 81-bit password.
| Pattern | bits of entropy | cost to crack |
|---|---|---|
| MotocrossVarietyGaveScroll | ||
| = 4·log2(65) | 51.70 bits | <$1M |
| MotocrossVarietyGaveScrollFilter | ||
| = 5·log2(65) | 64.62 bits | <$1M |
| MotocrossVarietyGaveScrollFilterUncombed | ||
| = 6·log2(65) | 77.55 bits | $1M - $1B |
and the non-diceware passwords:
| Pattern | equation | bits of entropy | cost to crack |
|---|---|---|---|
| 1234-56-7890 | log2(10,000,000,000) | 33.22 bits | probably a buck |
| wCEHMbIs | 6·8 | 48 bits | could probably do it on an iPad |
| abcdefghijklm | 13·log2(26) | 61.11 bits | <$1M |
| H65j/aS5vfmm | 9·8 | 72 bits | $1M |
| 0mE07rdje4xzvxUE | 12·8 | 96 bits | more than $1B |
| aT7bubJTM4w2RoyeNPsQ | 15·8 | 120 bits | way more than $1B |
Now this is all Assuming lots of things, like:
-
the hash algorithm is SHA256, and not SHA224 or SHA512 or SHA3 or scrypt
-
we’re just doing one round (I think), not sha256(..sha256(x)..)
-
we can ignore all(?) of the known attacks on SHA256, like collision attacks (finding the collision would be even harder?), length extension attacks (again, harder?), attacks we don’t even know about…
-
the source is right
They provide a source paper2 that goes into depth:
In 2013, Bitcoin miners collectively performed ≈ 275 SHA-256 hashes in exchange for bitcoin rewards worth ≈ US$257M. … Even assuming a centralized effort could be an order of magnitude more efficient, this still leaves us with an estimate of US$1M to perform a 270 SHA-256 evaluations and around US$1B for 280 evaluations.