Organized attackers with the right resources won't use one or two computers to try to crack your password. One possibility is that the workload gets distributed across many networked computers, each with multiple GPUs. Another is the use of custom-designed FPGAs (field-programmable gate arrays) programmed specifically to crack passwords; these can also be used in a distributed manner to increase the rate of guesses. While it's not likely, specialized ASIC hardware could also be used, which presents a serious concern in certain situations.

Mid-range computer costing ~$1,000

  • Mid-range CPU: based on 4,500 guesses per second
  • Mid-range GPU: based on 700,000,000 guesses per second

High-end computer costing ~$2,000

  • High-end CPU: based on 8,000 guesses per second
  • High-end GPU: based on 2,500,000,000 guesses per second

Distributed attack ~$10,000+

  • 100 CPUs in parallel: based on 10,000 guesses per second per CPU
  • 100 GPUs in parallel: based on 5,000,000,000 guesses per second per GPU
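The estimate behind the figures above can be reproduced with a few lines of Python. The following is an added example, not the page's own calculator code: it takes the guesses-per-second rates listed above (multiplying the parallel rows by 100), infers the character alphabet from the password's makeup, and computes the worst-case time to exhaust the search space for each hardware profile. Two assumptions are made for the example: the "symbols" pool is ASCII punctuation plus space (33 characters), and the search space counts every string of length 1 up to the password's length, not just strings of exactly that length.

```python
import string

# Guesses-per-second figures for the hardware classes listed above, expressed
# per attacker rather than per device (the parallel rows are multiplied by 100).
HARDWARE_RATES = {
    "mid-range CPU": 4_500,
    "mid-range GPU": 700_000_000,
    "high-end CPU": 8_000,
    "high-end GPU": 2_500_000_000,
    "100 CPUs in parallel": 100 * 10_000,
    "100 GPUs in parallel": 100 * 5_000_000_000,
}

# Character classes an attacker is assumed to infer from the password's makeup.
# 33 symbols = ASCII punctuation plus space (an assumption made for this example).
CHARACTER_POOLS = (
    ("lowercase", frozenset(string.ascii_lowercase)),
    ("uppercase", frozenset(string.ascii_uppercase)),
    ("digits", frozenset(string.digits)),
    ("symbols", frozenset(string.punctuation + " ")),
)


def alphabet_size(password: str) -> int:
    """Size of the union of every pool that contributes at least one character."""
    return sum(len(pool) for _, pool in CHARACTER_POOLS
               if any(ch in pool for ch in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive attack must try before reaching this length:
    every string of length 1..n over the inferred alphabet, i.e. sum(a**k).
    Counting all shorter lengths as well is the assumption made here."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst-case time for one attacker profile to enumerate the whole space."""
    return search_space(password) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds using the largest unit that fits, e.g. '3.2 years'."""
    units = (("centuries", 3_153_600_000), ("years", 31_536_000), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_times(password: str) -> dict:
    """Map each hardware profile to worst-case seconds to exhaust the space."""
    return {name: seconds_to_exhaust(password, rate)
            for name, rate in HARDWARE_RATES.items()}


if __name__ == "__main__":
    for pw in ("abc", "Passw0rd!", "correct horse battery staple"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):.3e}")
        for name, secs in crack_times(pw).items():
            print(f"  {name:<22} {human_duration(secs)}")
```

Running the script prints, for each sample password, the inferred alphabet size, the search space, and the time each profile would need; the point it makes visible is that a longer password grows the space exponentially while adding symbol classes only grows the base.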

The results above assume that a basic cryptographic hash function is used to protect your password. One of the best things you can do is not to use MD5, SHA1, SHA256, or SHA512 by themselves. Use something like PBKDF2 or bcrypt instead. These are key derivation functions that use salting and key stretching. They are designed to be much slower than plain cryptographic hash algorithms because of the key stretching they perform, and they resist rainbow table attacks because of the salting. There are a few additional things you need to watch out for:

  • Use a random salt! Don't reuse a constant value for the salt.
  • Use a good random source for salt generation. Don't use the basic random functions that are built into many programming languages, and don't use functions that generate a "unique ID".
  • Use a library (or build it yourself if you want) that will prevent timing attacks.
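The three points above, together with the PBKDF2 recommendation, come together in the following added example (not code from the page): an unsalted SHA-256 hash is shown beside a PBKDF2-HMAC-SHA256 hash that draws its salt from the operating system's CSPRNG via `secrets.token_bytes`, stores the work factor alongside the salt and digest, and verifies with `hmac.compare_digest` so the comparison runs in constant time. The `$`-separated storage string and the 600,000-iteration default are assumptions chosen for the example; tune the iteration count so one hash costs tens of milliseconds on your own server.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for this example; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """What NOT to do: unsalted, single-round SHA-256.
    Identical passwords give identical digests, so precomputed tables work,
    and a GPU can test billions of candidates per second against it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, stretched hash: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    secrets.token_bytes uses the OS CSPRNG, unlike random.random() or uuid-style IDs."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the response time does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    print("weak, twice  :", weak_hash(pw) == weak_hash(pw))       # True: no salt
    a, b = hash_password(pw), hash_password(pw)
    print("pbkdf2, twice:", a == b)                                # False: fresh salt
    print("verify ok    :", verify_password(pw, a))                # True
    print("verify wrong :", verify_password("hunter3", a))         # False
```

A design note: storing the iteration count with the hash lets you raise the work factor later and re-hash users at their next login, and `verify_password` returning `False` on any malformed record keeps a corrupt row from ever authenticating.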