
Suppose I have a database containing hashes. The hashes are obtained from passwords built from a randomly chosen set of 94 characters, such that each password is 8 characters long. So we have 94^8 passwords. Each of the passwords is converted into a hash, i.e. 94^8 hashes, and stored in the database.

Now the attacker gets access to the hashes and uses pre-computed hashes stored in a rainbow table. How can we calculate the time for finding a match between the hashes stored in the DB and the hashes stored in the rainbow table?

  • What type of hash? How big is the rainbow table (same size as the number of hashes?) – schroeder Nov 28 '19 at 22:23
  • See https://security.stackexchange.com/questions/58254/how-do-we-estimate-the-time-taken-to-crack-a-hash-using-brute-force-techniques or https://security.stackexchange.com/questions/188141/how-to-estimate-the-time-for-a-hacker-to-crack-a-strong-password or https://security.stackexchange.com/questions/8607/how-quickly-can-these-password-schemes-really-be-beaten or https://security.stackexchange.com/questions/145369/how-long-will-it-take-to-crack-the-passwords-stolen-in-the-yahoo-hack-announced. For rainbow table info, see this: https://security.stackexchange.com/questions/379/what-are-rainbow-t – Luc Nov 28 '19 at 22:25
  • You do not provide sufficient details. How many hashes does the attack DB have, and what is the hardware performance of the systems comparing them? – Overmind Nov 29 '19 at 06:58

1 Answer


Hash on the rainbow table: instantaneous.

Bruteforce a hash: depends heavily on the hash type (MD5, SHA, etc), how many rounds, if it's salted or not, hardware used...

94^8 is not that big. A system calculating 100 billion MD5 hashes per second will run all the possible passwords in about 17 hours. MD5 is bad for this, but the same system will do the same for SHA1 (even salted) in 51 hours, a little more than 2 days.

So unless you know the algorithm used, the size of the salt, and the number of rounds, we cannot possibly know.

ThoriumBR
  • "*Hash on the rainbow table: instantaneous.*" No: it's a trade-off, not magic. I guess this would be the most relevant topic for details: https://security.stackexchange.com/questions/379/what-are-rainbow-tables-and-how-are-they-used You probably mean that it's relatively fast to crack if it's in a rainbow table (since nobody would make a rainbow table that is slow enough that you'll give up waiting), but "instantaneous" is too much of a hyperbole to be correct. – Luc Nov 28 '19 at 22:02
  • In your case, what is the size of the password and what is the size of the character set? 94^8 is 6X10^15, which is slightly bigger than 100 billion, i.e. 1X10^14. I have got one calculation which says that 6-character passwords over the alphabet A-Z, i.e. 26^6 = 3X10^8, take 3 secs to crack. Based upon that I want to find my answer for 94^8. Hope once you provide me the above information, I can do a better calculation. – user2994783 Nov 28 '19 at 22:06
  • "crack" and "lookup in rainbow table" are completely different things. – schroeder Nov 28 '19 at 22:24
  • OP says "he used pre-computed hashes stored in a rainbow table." That implies the rainbow table is already available, and the time taken to walk it is so small that can be considered instantaneous. – ThoriumBR Nov 28 '19 at 22:42
  • @user2994783 100 billion passwords per second is the hash rate of the linked gig, not the number of passwords. That is 94^8 that I stated. – ThoriumBR Nov 28 '19 at 22:43
  • Thanks for removing my confusion. God bless you guys. – user2994783 Nov 28 '19 at 22:53