Tags: security, hash, passwords, cracking

Estimating Password Cracking Times


So I have been looking into password cracking recently. I stumbled across several websites that claim to tell you roughly how long it would take for your password to be cracked.

Really, I was wondering how they calculate this.

From what I understand, the possible combinations of a password are the pool size ^ password length. E.g. a 5-letter password with upper- and lower-case letters would be 52^5 = 380204032 possible combinations, and on average, assuming only brute-force methods are being used, only 50% of these combinations would need to be checked before the password would be cracked.

So how then can a website estimate the time to be cracked? Surely it is dependent on the hashing algorithms being used, processing power, etc., or do they just make assumptions for the number of guesses per second?

I was wondering whether there is a definitive/standard way to estimate password cracking times and, if so, how it is calculated.

Thanks


Solution

"assuming only brute-force methods are being used"

That is almost never the case; all semi-professional crackers use a combined method. For checker sites, however, the implementation can differ... Usually they will implement a simple client-side JS based checker, which can use statistics produced (dictionary word, or differs only slightly? length? char-set? -> you have the answers for all of that).

Possibly the best way of implementation:

1. Has the password (and hash) been on the most commonly used password lists or leaked already, hence been commonly tested by crackers? Also, famous xkcd 1 and 2.

2. If not, what is the complexity (character set, special chars, etc.) and therefore the entropy of the password? Where does it end up in the categories of password complexity and pre-estimated cracking time?

Finally, password cracking is cheap, there are services to rent, and the 2019 cost estimates are here using AWS and hashcat. In hashcat or John the Ripper, you will see exactly the strategies they implement, e.g. starting off with your dictionary of choice (e.g. use a dict from a specific language - if for instance the adversary got hold of a Spanish website's hashed password database), and the tools will use typical replacements of o->0, a->4 etc., add short words, add numbers (e.g. dates) before and after, so exploiting all the human elements really. Users have been conditioned (really wrongly) to choose a word and make it more "complex" by adding a few numbers and some special chars at the beginning/end. But it has long been known that length beats complexity.

Here is another great explanation from a famous security expert/researcher on the exact same topic.

For the site mentioned specifically, if you check the source of the webpage, there is currently a specific JS asset that you can put into a beautifier:

view-source:https://howsecureismypassword.net/app.60d36fdc.js

It's 12k lines, so I cannot really post the code, but for some time here is the beautified version on pastebin.
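The estimate the question describes (pool ^ length, with half the keyspace searched on average) combined with the two checks the answer lists (a common-password list first, then character-set entropy at an assumed guess rate), as an added Python example that is not part of the original question or answer. The common-password set and the two guess rates are constructed illustrative values, not measurements from the page.

```python
import math
import string

# Character classes a client-side checker typically detects, with the pool
# size each one contributes (32 is len(string.punctuation)).
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)

# Constructed stand-in for the leaked/common password lists the answer mentions;
# any hit is assumed to fall in the wordlist phase, before brute force starts.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "P@ssw0rd"}


def pool_size(password: str) -> int:
    """Sum the sizes of the character classes actually present in the password."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates a pure brute-force search must consider: pool ** length."""
    return pool_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits: length * log2(pool)."""
    return len(password) * math.log2(pool_size(password))


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Average time to hit the password: the wordlist if it is on it, otherwise
    half the keyspace at the given guess rate (the rate is where hash algorithm
    and hardware enter the estimate)."""
    if password in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS) / guesses_per_second
    return keyspace(password) / 2 / guesses_per_second


def humanize(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Assumed, illustrative guess rates: a fast unsalted hash vs. a slow password hash.
    rates = {"fast hash (assumed 1e10 guesses/s)": 1e10, "slow hash (assumed 1e4 guesses/s)": 1e4}
    for pw in ("abcDE", "P@ssw0rd", "correcthorsebatterystaple"):
        print(f"{pw}: pool={pool_size(pw)} keyspace={keyspace(pw)} entropy={entropy_bits(pw):.1f} bits")
        for label, rate in rates.items():
            print(f"  {label}: {humanize(expected_crack_seconds(pw, rate))}")
```

The 5-letter mixed-case case reproduces the question's 52^5 = 380204032 keyspace; changing only the guess rate shows how much the hash algorithm dominates the result.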