zlacker

10 comments
1. paulpa+(OP) 2022-02-08 18:24:43
It doesn't unless you choose something stupid like "correct horse battery staple" or "word + word + number". A 7-word password chosen from a 1000-word dictionary and encrypted with AES-256 cannot be cracked with existing technology; 8 words is impossible with future tech.
replies(4): >>everyb+Jq >>foxyv+rv >>shadow+Hx >>johndo+cX1
2. everyb+Jq 2022-02-08 20:14:25
>>paulpa+(OP)
Is there any "standard" 1000-word dictionary?
replies(4): >>mrkram+rt >>ncmncm+Ct >>planke+Pt >>rainbo+6r1
3. mrkram+rt 2022-02-08 20:26:14
>>everyb+Jq
There is, for example, this: https://www.kaggle.com/wjburns/common-password-list-rockyout...

But you can refer to https://hashcat.net/hashcat/

4. ncmncm+Ct 2022-02-08 20:27:03
>>everyb+Jq
You wouldn't want to use that one.
5. planke+Pt 2022-02-08 20:27:51
>>everyb+Jq
Bitcoin developers have taken a crack at it: https://github.com/bitcoin/bips/blob/master/bip-0039/bip-003...
6. foxyv+rv 2022-02-08 20:34:50
>>paulpa+(OP)
This depends on the key derivation function used. PBKDF2 or bcrypt with a strong enough difficulty factor makes even fairly short passwords difficult to crack. On the other hand, a straight SHA-256 hash method can be broken insanely quickly even with fairly long passwords.
replies(1): >>grwgre+KR1
7. shadow+Hx 2022-02-08 20:44:24
>>paulpa+(OP)
Yeah, but at the end of the day these keys have to be used by human beings so the passwords were likely something practically sized and easy to use.

Especially since in general the likeliest failure mode would be the user forgetting the password to their millions of dollars worth of Bitcoin keys, followed by someone attacking the password.

8. rainbo+6r1 2022-02-09 02:16:12
>>everyb+Jq
Not 1000, but the EFF diceware long word list has my vote.

https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt

9. grwgre+KR1 2022-02-09 06:03:44
>>foxyv+rv
>fairly long passwords

How long are we talking?

replies(1): >>foxyv+Hq6
10. johndo+cX1 2022-02-09 07:04:20
>>paulpa+(OP)
That depends entirely on the hash function being used.

With a bad choice like SHA256, a 7 word passphrase could be cracked in as little as a few months with a single ASIC. The US government probably has a bunch of them already, so I think that an 8 word passphrase is already within reach for current tech.

Of course, with a real key derivation function like Argon2id, things would look much better.

11. foxyv+Hq6 2022-02-10 15:01:25
>>grwgre+KR1
I never really did the math before, but I whacked something together real quick in Excel. At $0.30/THash BTC we can come up with some cost expectations for password lengths. Here I will use a 74-possible-character password using 26 upper- and lower-case letters, 10 numbers and 12 symbols. Totally random, of course. Using (Possible Chars ^ Password Length) as the number of combinations and guessing we will find our answer at about 50% of our guesses. (See! Super rough)

With SHA-256 it takes about $21 to crack a 6 character password.

$1500 to crack 7 characters.

$108,330 to crack 8 characters.

$7.8 million to crack 9 characters.

$561 million to crack 10 characters.

$40 billion to crack 11 characters.

$3 trillion to crack 12 characters.

$200 trillion to crack 13 characters.

Edit Note: BTC is kinda expensive per hash right now. Usually this would all be cheaper. Past 14 characters it could be 1 cent and still outrun the usual US budget for a couple years.

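The cost model sketched in the thread (keyspace = alphabet size to the power of the length, success expected after about half the keyspace, cost linear in hash evaluations) as an added example that is not part of any comment above. It takes the stated inputs (74 characters, $0.30 per terahash) as parameters, and adds a work_factor so the same formula covers the iterated KDFs mentioned earlier (PBKDF2, bcrypt, Argon2id) and dictionary passphrases (1000 words, 7 or 8 of them); the exact dollar figures it prints follow from those parameters rather than from the comment's spreadsheet.

```python
"""Expected brute-force cost for a random password or passphrase.

Model: keyspace = alphabet_size ** length; the attacker expects to hit the
password after ~50% of the keyspace; cost = guesses * work_factor * $/hash.
All parameters are illustrative assumptions, not measured rig prices.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CrackModel:
    alphabet_size: int        # 74 = 26 upper + 26 lower + 10 digits + 12 symbols; or words in a list
    usd_per_hash: float       # 0.30 / 1e12 = $0.30 per terahash, as the comment assumes
    work_factor: int = 1      # hash-equivalents per guess: 1 for bare SHA-256, >>1 for a real KDF

    def keyspace(self, length: int) -> int:
        return self.alphabet_size ** length

    def expected_guesses(self, length: int) -> int:
        # On average the right candidate shows up halfway through the keyspace.
        return self.keyspace(length) // 2

    def expected_cost_usd(self, length: int) -> float:
        return self.expected_guesses(length) * self.work_factor * self.usd_per_hash

    def min_length_for_budget(self, budget_usd: float, max_length: int = 64) -> int:
        """Smallest length whose expected cracking cost exceeds the attacker's budget."""
        for n in range(1, max_length + 1):
            if self.expected_cost_usd(n) > budget_usd:
                return n
        raise ValueError("no length up to max_length exceeds the budget")


def cost_table(model: CrackModel, lengths: range) -> list[tuple[int, float]]:
    """(length, expected USD) pairs, handy for comparing hash choices side by side."""
    return [(n, model.expected_cost_usd(n)) for n in lengths]


if __name__ == "__main__":
    fast = CrackModel(alphabet_size=74, usd_per_hash=0.30 / 1e12)            # bare SHA-256
    slow = CrackModel(alphabet_size=74, usd_per_hash=0.30 / 1e12, work_factor=100_000)  # iterated KDF
    words = CrackModel(alphabet_size=1000, usd_per_hash=0.30 / 1e12)         # 1000-word dictionary
    for (n, c_fast), (_, c_slow) in zip(cost_table(fast, range(6, 14)), cost_table(slow, range(6, 14))):
        print(f"{n:2d} chars: SHA-256 ${c_fast:>16,.2f}   KDF x100k ${c_slow:>22,.2f}")
    for n in (7, 8):
        print(f"{n} dictionary words: ${words.expected_cost_usd(n):,.0f}")
    print("chars needed to exceed a $1M budget against SHA-256:", fast.min_length_for_budget(1e6))
```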