Four years mastering offline password cracking
Somebody on Hacker News today posted about spending four years mastering offline password cracking. Not as a job. Just as a thing they decided to get very good at. The comments are a mix of admiration, suspicion, and people asking whether this is legal. It mostly is.
What offline cracking actually means
Offline cracking happens after a database breach. Attackers obtain a database of password hashes. A hash is a one-way transformation of a password. You cannot reverse it directly, but you can hash a candidate and compare the result. The cracking happens on the attacker's own hardware with no rate limiting and no account lockouts.
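The hash-and-compare loop described above, as an added example that is not from the post or from the person it discusses. It uses a constructed three-user "breach" and a constructed candidate list, stores the same passwords once as unsalted MD5 and once as per-user salted PBKDF2, and counts how many hash computations each scheme costs the attacker. The point from the defender's side: with unsalted hashes one computation per candidate checks every user at once and identical passwords are visible as identical hashes; with per-user salts and a slow KDF, every (user, candidate) pair costs a full, deliberately expensive hash.

```python
import hashlib
import hmac
import os

# Constructed sample data: two of the three users chose the same password.
USERS = {
    "alice": "Summer2019",
    "bob": "Summer2019",
    "carol": "correct horse battery",
}
# Constructed candidate list standing in for a wordlist of leaked passwords.
CANDIDATES = ["password", "Summer2019", "letmein"]

# Iteration count is an assumed value chosen to keep the demo fast; real deployments
# tune it to the hardware (OWASP's guidance is far higher for PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def unsalted_table(users: dict) -> dict:
    """Legacy-style store: user -> MD5(password), no salt."""
    return {u: md5_hex(p) for u, p in users.items()}


def salted_table(users: dict, iterations: int = ITERATIONS) -> dict:
    """Hardened store: user -> (random salt, PBKDF2-HMAC-SHA256 digest, iterations)."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        table[u] = (salt, digest, iterations)
    return table


def crack_unsalted(table: dict, candidates: list) -> tuple:
    """Unsalted: hash each candidate once, then look every user up in a reverse map.
    Returns (user -> recovered password, number of hashes computed)."""
    lookup = {md5_hex(c): c for c in candidates}
    found = {u: lookup[h] for u, h in table.items() if h in lookup}
    return found, len(candidates)


def crack_salted(table: dict, candidates: list) -> tuple:
    """Salted: the salt differs per user, so no reverse map is possible and each
    (user, candidate) pair costs one full PBKDF2 run."""
    found = {}
    computed = 0
    for u, (salt, digest, iterations) in table.items():
        for c in candidates:
            computed += 1
            trial = hashlib.pbkdf2_hmac("sha256", c.encode(), salt, iterations)
            if hmac.compare_digest(trial, digest):
                found[u] = c
                break
    return found, computed


if __name__ == "__main__":
    weak = unsalted_table(USERS)
    print("alice and bob share an MD5 hash:", weak["alice"] == weak["bob"])
    print("unsalted:", crack_unsalted(weak, CANDIDATES))
    print("salted:  ", crack_salted(salted_table(USERS), CANDIDATES))
```

With the constructed inputs the unsalted run costs three MD5 computations for all three users, while the salted run costs seven PBKDF2 computations (two for alice, two for bob, three for carol) and no longer reveals that alice and bob chose the same password. Multiply that per-candidate cost by a real wordlist and the iteration count is what stands between "hours" and "decades".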
A modern consumer GPU can compute somewhere between 10 billion and 100 billion MD5 hashes per second. At that rate, every possible 8-character alphanumeric password can be exhausted in roughly 6 hours, on a single GPU that costs less than a gaming PC.
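The arithmetic behind that 6-hour figure, generalised to any character set, length and hash rate, as an added example that is not part of the post. The MD5 rate is the low end of the range quoted above; the slow-KDF rate is an assumed, deliberately round number used only to show the effect of a deliberately expensive password hash, not a measured benchmark. It also covers the later point about 32-character random passwords from a manager.

```python
from math import log2

# Printable-ASCII character-class sizes: 26 lower + 26 upper + 10 digits = 62,
# plus 32 symbols = 94.
ALNUM = 62
PRINTABLE = 94

# Assumed hash rates for one consumer GPU. "md5" is the low end of the range
# the post quotes; "slow_kdf" is an illustrative round number for a memory-hard
# or iterated password hash, not a benchmark.
RATES = {"md5": 1e10, "slow_kdf": 1e5}

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape (what a manager generates)."""
    return length * log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to try every password of this shape at the given rate."""
    return keyspace(charset_size, length) / hashes_per_second


def hours_to_exhaust(charset_size: int, length: int, hashes_per_second: float) -> float:
    return seconds_to_exhaust(charset_size, length, hashes_per_second) / SECONDS_PER_HOUR


def years_to_exhaust(charset_size: int, length: int, hashes_per_second: float) -> float:
    return seconds_to_exhaust(charset_size, length, hashes_per_second) / SECONDS_PER_YEAR


def table() -> list:
    """Rows of (description, entropy bits, years at md5 rate, years at slow-KDF rate)."""
    shapes = [("8 alnum", ALNUM, 8), ("12 alnum", ALNUM, 12), ("32 printable", PRINTABLE, 32)]
    return [
        (name, round(entropy_bits(cs, n), 1),
         years_to_exhaust(cs, n, RATES["md5"]), years_to_exhaust(cs, n, RATES["slow_kdf"]))
        for name, cs, n in shapes
    ]


if __name__ == "__main__":
    print(f"8 alnum @ 1e10/s: {hours_to_exhaust(ALNUM, 8, RATES['md5']):.1f} hours")
    for name, bits, y_md5, y_kdf in table():
        print(f"{name:>13}: {bits:6.1f} bits  md5 {y_md5:10.3g} yrs  slow_kdf {y_kdf:10.3g} yrs")
```

Two things fall out of the numbers. Moving the same 8-character password from MD5 to a hash that costs 100,000× more turns six hours into decades, which is why the choice of hash function on the server is a defender's decision with a bigger effect than most password-complexity rules. And a 32-character random password sits above 200 bits, so no realistic rate changes the answer; the only way in is a weaker password elsewhere, not exhaustion.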
Why length alone is not enough
Serious crackers do not just try every combination. They study how humans create passwords. People use dictionary words, capitalise the first letter, add numbers at the end, and substitute letters with similar-looking numbers. Four years of studying this means four years of encoding those patterns into rulesets that cracking engines apply to wordlists of real leaked passwords.
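The same patterns, run in reverse as a password-strength check, as an added example that is not from the post. A registration form or audit script can ask: is this password just a dictionary word with the first letter capitalised, a few digits appended and some letters swapped for look-alike characters? The wordlist here is a constructed handful of entries standing in for a real leaked list, and the substitution map is one common set of look-alikes, not a complete one; the classifier returns the base word and the mangling steps it detected, or None when the password is not a cheap transform of anything it knows.

```python
import re
from itertools import product
from typing import Optional

# Constructed mini wordlist; a real checker would load a large leaked-password list.
WORDLIST = {"password", "summer", "welcome", "dragon", "monkey", "football"}

# Look-alike substitutions to undo. '1' is ambiguous, so both 'i' and 'l' are tried.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}

TRAILING = re.compile(r"[0-9\W_]+$")  # digits / punctuation tacked on the end


def unleet_variants(s: str, cap: int = 64) -> list:
    """All ways of mapping look-alike characters back to letters, capped to stay cheap."""
    options = [LEET.get(ch, ch) for ch in s]
    variants = []
    for combo in product(*options):
        variants.append("".join(combo))
        if len(variants) >= cap:
            break
    return variants


def classify(password: str) -> Optional[dict]:
    """Return {'base': word, 'steps': [...]} if `password` is a simple mangling of a
    wordlist entry; None if no such derivation is found."""
    m = TRAILING.search(password)
    suffix = m.group(0) if m else ""
    core = password[: len(password) - len(suffix)]
    if not core:
        return {"base": "", "steps": ["digits or symbols only"]}

    capitalised = core[0].isupper() and not any(c.isupper() for c in core[1:])
    lowered = core.lower()

    base, leet = None, False
    if lowered in WORDLIST:
        base = lowered
    else:
        for v in unleet_variants(lowered):
            if v in WORDLIST:
                base, leet = v, True
                break
    if base is None:
        return None

    steps = []
    if capitalised:
        steps.append("capitalised first letter")
    if leet:
        steps.append("leet substitution")
    if suffix:
        steps.append(f"appended suffix {suffix!r}")
    return {"base": base, "steps": steps}


if __name__ == "__main__":
    for pw in ["P@ssw0rd123", "Summer2019", "Dr4g0n!!", "password", "123456", "xq7Lp!vR"]:
        print(f"{pw!r:>14} -> {classify(pw)}")
```

Rejecting anything the classifier can explain is a much better policy than "one uppercase, one digit, one symbol", because that rule is exactly the recipe the mangling steps above were built to cover. Real checkers add more transforms (reversals, keyboard walks, repeated words) and a much larger list; the structure stays the same.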
What this teaches you
Almost everyone's password hygiene is worse than they think. The patterns crackers exploit are the same patterns almost everyone uses. Password managers solve almost all of this. A 32-character random string per site is not crackable by any method that currently exists. Two-factor authentication limits the damage even when a password is cracked.
What fascinates me about this field is that it is fundamentally about human psychology. We create memorable passwords because we need to remember them. The failures are not about stupidity. They are about the mismatch between how human memory works and what secure systems require. That mismatch is not going to be fixed by telling people to try harder.