Search Space 0
Length 0
Possible Combinations 0

Organized attackers with the right resources won't use one or two computers to try and crack your password. One possibility would be that the workload gets distributed across many computers networked together, each with multiple GPUs. Another possibility could be the use of custom designed FPGAs (field-programmable gate arrays) specifically programmed to crack passwords. These can also be used in a distributed manner to increase the rate of guesses. While it's not likely, specialized ASIC hardware could also be used which can present a serious concern in certain situations.

Mid-range computer costing ~$1,000

Mid-range CPU
Based on 4,500 guesses per second
Mid-range GPU
Based on 700,000,000 guesses per second

High-end computer costing ~$2,000

High-end CPU
Based on 8,000 guesses per second
High-end GPU
Based on 2,500,000,000 guesses per second

Distributed attack ~$10,000+

100 CPUs in parallel
Based on 10,000 guesses per second per CPU
100 GPUs in parallel
Based on 5,000,000,000 guesses per second per GPU

The results from above assume that a basic cryptographic hashing function is used to protect your password. One of the best things you can do is to not use MD5, SHA1, SHA256, or SHA512 by themselves. Use something like PBKDF2 or bcrypt. These are key derivation functions that use salting and key stretching. They are designed to be much slower than plain cryptographic hashing algorithms due to the key stretching that is performed. They are also resistant to rainbow table attacks because of their use of salting. There are a few additional things you need to watch out for:

  • Use a random salt! Don't reuse a constant value for the salt.
  • Use a good random source for salt generation. Don't use the basic random functions that are built in to many programming languages and don't use functions that generate a "unique ID".
  • Use a library (or build it yourself if you want) that will prevent timing attacks.