Find it hilarious that Buzzfeed and Palantir have an office next to each other
It's not a 100% fair analysis because I'm using the most common words and numbers from the leak itself but you can probably get similar results using the exact same wordlist (+ adjusting for the region/language of the user base)
Even if the password was hashed with Bcrypt of cost 9 (or Argon2 with m=16mib, t=3), that's a successful crack every 20 minutes with just a single GTX 1080 (about $100 used)
Or about 100 cracks per dollar by renting a GPU
Doing some analysis on an old password leak and 5% of the 15 million passwords, or over 700,000 passwords, could be cracked in under 100,000 attempts
(minimum length of 6 with a mix of letters and numbers)
There’s another password hash algorithm called yescrypt that’s used in a lot of Linux distributions and might be better than both argon2 and bcrypt, but a GPU implementation doesn’t exist yet so I wasn’t able to cover it in the blog
Very tempted to buy a press and just make my own tortilla
Not satisfied with the frozen ones
The calculation above assumes a 20 cycle read latency for RTX 3000s and before, and a 30 cycle latency for RTX 4000s and after. It also accounts for 15 cycles of calculations + bank conflicts
I might be underestimating the additional cycles caused by bank conflict tho
I do find it interesting that doubling the cost of each internal iteration gives something very close to the actual numbers, but I have no idea if that's just a coincidence or if the GPU is taking 2x longer than expected to read from memory
I spent a while trying to calculate the theoretical hashing speeds of Bcrypt but I couldn't get something that I'm super confident in
It doesn't look *wrong* tho
Can we send the emperor back to Kyoto? The imperial palace takes up a lot of valuable space and should be a public park