Unfortunately, this chart is already out of date, the 2023 version looks like this: It is now the up to date chart.
This uses 12 RTX 4090 GPUs and MD5.
For the old chart you would need 40 billion guesses per second, and that is what the RTX 2080 was at five years ago. With a RTX 4090 you can guess 164 billion hashes per second.
Using 8 AWS A100 GPUs at $32.77/h you can guess over 520 billion times a second and then the chart looks like this:
All the charts and benchmark numbers are from here. There is way more on that page that I’m just going to leave out here, but I recommend you read through it.
Of course this isn’t quite accurate, this assumes the hashing algorithm MD5 which is no longer recommended, because it’s so fast. It also ignores salting. But it assumes the worst case, a complete brute force with no dictionary/rainbow table, so I think it’s not a bad estimate.
Edit: spelling
Edit again: The comment I was referring to is gone, so I removed the refrence. The numbers are still correct though.
Yes, this is what it looks like using bcrypt, and the same AWS GPUs:
But they also mention that most low priority logins that people don’t care about like forums, restaurants, etc. still use MD5, and password reuse becomes a huge problem here.
The hashing algoritm is important though. I recently had to design some password hashing system and associated parameters. My work laptop can do a couple dozen million md5 attempts a second no problem. It’s like a factor of 100 - 1000 slower than this sheet. Not bad overall.
However, using the right hashing algorithms with good tuning such as key derivation rounds and hashing rounds and such can slow that thing down to 2 or 3 attempts per second. Even if you had some system a million times faster than my CPU (at which point the NSA will make you offers and you should take them, or else), you won’t break those passwords given their hash. You wouldn’t even break them if they were simple random lower + upper case sequences of low length.
Unfortunately, this chart is already out of date, the 2023 version looks like this:It is now the up to date chart.For the old chart you would need 40 billion guesses per second, and that is what the RTX 2080 was at five years ago. With a RTX 4090 you can guess 164 billion hashes per second.
Using 8 AWS A100 GPUs at $32.77/h you can guess over 520 billion times a second and then the chart looks like this:
All the charts and benchmark numbers are from here. There is way more on that page that I’m just going to leave out here, but I recommend you read through it.
Of course this isn’t quite accurate, this assumes the hashing algorithm MD5 which is no longer recommended, because it’s so fast. It also ignores salting. But it assumes the worst case, a complete brute force with no dictionary/rainbow table, so I think it’s not a bad estimate.
Edit: spelling
Edit again: The comment I was referring to is gone, so I removed the refrence. The numbers are still correct though.
thanks for this, OP forgot to mention that it’s MD5 and i think that’s absolutely crucial
Yes, this is what it looks like using bcrypt, and the same AWS GPUs:
But they also mention that most low priority logins that people don’t care about like forums, restaurants, etc. still use MD5, and password reuse becomes a huge problem here.
deleted by creator
Keypasss hashing is a lot better than default MD5 though.
They use SHA-256, salt and key derivation to increase security.
But a better password and checking your settings is a never a bad idea.
deleted by creator
The hashing algoritm is important though. I recently had to design some password hashing system and associated parameters. My work laptop can do a couple dozen million md5 attempts a second no problem. It’s like a factor of 100 - 1000 slower than this sheet. Not bad overall.
However, using the right hashing algorithms with good tuning such as key derivation rounds and hashing rounds and such can slow that thing down to 2 or 3 attempts per second. Even if you had some system a million times faster than my CPU (at which point the NSA will make you offers and you should take them, or else), you won’t break those passwords given their hash. You wouldn’t even break them if they were simple random lower + upper case sequences of low length.
Ohh, thanks. I updated it.