Because people don’t choose random passwords. They choose rememberable passwords. If everyone was using a password manager there wouldn’t be such an issue as they do produce random password strings.
Mark -- Mark Andrews > El 15 sept 2025, a las 8:07, Vasilenko Eduard via NANOG > <[email protected]> escribió: > > If it is so easy to enforce long enough and random enough passwords, > Then why did IT people move to hashes with much lower speed? > > Take, for example, 16 really random letters (on keyboard), then the time to > check all MD5s would go to 9.2B years (for the same 8 cards "NVIDIA GeForce > RTX 5090"). > Even if the attacker gets access to 100k of "NVIDIA GeForce RTX 5090", it is > still 0.72M years. > 16 random letters are definitely enough for the purpose. > Ed/ > -----Original Message----- > From: Jay Acuna via NANOG <[email protected]> > Sent: Friday, September 12, 2025 18:17 > To: North American Network Operators Group <[email protected]> > Cc: Jay Acuna <[email protected]> > Subject: Re: MD5 is too fast > >> On Thu, Sep 11, 2025 at 10:17 AM nanog--- via NANOG <[email protected]> >> wrote: >> > > See; The simple policy of: Routing protocol keys are to be created using > "pwgen 85" or at least "pwgen 38". > Never create a key by hand. This rule preferably applies to all `passwords' > sent over the network or keys which secure a network protocol, even if > encrypted transport is used, and even if hashed. > >> Have you calculated how long it should take to test all 80-bit passwords? >> 200-bit passwords? 2000-bit passwords? > A password with 80bits randomness or entropy (An ~11-character properly > generated random password) contains 2^80 = 1208925819614629174706176 > possibilities. > > If you can make 1 Trillion guesses per second, then it takes on average > 19167 years to crack. > That is the expectation if the hash is secure. > You divide the number of possibilities by (two times the number of guesses > per second)*86400*365. > Current hardware gets you 80 million guesses per second per GPU for about > $1800 per node, So the 1 trillion guesses per second is 12,500 hardware nodes > obtainable by spending approximately $22.5 million. > > At that rate you need approximately 10 years' worth of brute forcing before > you have a >= 0.1% chance of guessing it randomly. > > Each additional bit doubles the figures up to approximately 128 bits. > Where you are looking at a 5395141535403007094 years to crack on average. > Adding bits will eventually reach the problem that your hashing algorithm > only maps inputs to 256 bits of output, so the adversary could guess a > different password from yours which happens to hash to the same value as the > correct one. > >> Suppose that a good server can try about a billion passwords per second. How >> long do you think it takes to try all the passwords? > -- > -JA > _______________________________________________ > NANOG mailing list > https://lists.nanog.org/archives/list/[email protected]/message/BNJVO2FJCT7CPD5FZSOWRBAZCJLPCNVZ/ > _______________________________________________ > NANOG mailing list > https://lists.nanog.org/archives/list/[email protected]/message/FRWYU5IWBZU3F73ILPW5ABLRDUGOUBG2/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/CGSQRLJIDQ6XZ223H44QGT3N4U24OW3Z/
