
Less good against non-NTLM passwords ... from my comment last time:

Taking SHA-1 (which YOU MUST NOT USE for password hashing blah), it only manages 63 billion a second. To try all the passwords for that in the alphanumeric space:

- 10 chars: 35 weeks

- 11 chars: 44 years

- 12 chars: 2,800 years

- 16 chars: 11 times the age of the sun

10 chars for bcrypt: 600,000 years...

http://www.wolframalpha.com/input/?i=%2865**16+%2F+63+billio...



- 8 chars: 84 minutes

- 6 chars: 1.2 seconds

All of which demonstrates the importance of requiring longer passwords. Also, keep in mind that these are maximum times required to crack a password and not the average times.


The average time to crack will just be half of the maximum, so it's not a big difference (compared to order of magnitude errors, anyway). Still good to point out, though.
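Worked example, added here and not part of the thread: it reproduces the figures in the comments above from keyspace divided by guess rate, and the "average is half of maximum" point. It assumes the 65-symbol alphabet used by the linked Wolfram Alpha query and the quoted 63 billion SHA-1 guesses per second; the bcrypt rate it derives from the quoted 600,000-year figure is an inference, not a number from the thread.

```python
# Brute-force time estimates as discussed in the comments (added example).
# Assumptions: alphabet of 65 symbols (inferred from the 65**16 in the
# Wolfram Alpha link) and 63e9 SHA-1 guesses/s (quoted in the comment).

SHA1_GUESSES_PER_SECOND = 63e9   # quoted SHA-1 rate
ALPHABET_SIZE = 65               # inferred from the linked query
YEAR = 365.25 * 86400            # Julian year in seconds
SUN_AGE = 4.6e9 * YEAR           # ~4.6 billion years

# Largest unit whose value is >= 1 is used for display; seconds otherwise.
UNITS = [
    ("times the age of the sun", SUN_AGE),
    ("years", YEAR),
    ("weeks", 7 * 86400),
    ("minutes", 60),
]


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def exhaustive_seconds(length, rate=SHA1_GUESSES_PER_SECOND):
    """Worst case: every candidate of this length is tried once."""
    return keyspace(length) / rate


def expected_seconds(length, rate=SHA1_GUESSES_PER_SECOND):
    """Average for a uniformly random password: half the keyspace."""
    return exhaustive_seconds(length, rate) / 2


def implied_rate(length, total_seconds):
    """Guess rate that the quoted time implies (used for the bcrypt figure)."""
    return keyspace(length) / total_seconds


def human(seconds):
    """Format a duration in the largest unit that yields a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_table(lengths=(6, 8, 10, 11, 12, 16)):
    """Worst-case SHA-1 search time per password length, as in the thread."""
    return {n: human(exhaustive_seconds(n)) for n in lengths}


if __name__ == "__main__":
    for n, t in crack_table().items():
        print(f"{n:2d} chars: {t}  (average: {human(expected_seconds(n))})")
    # bcrypt: the quoted "600,000 years for 10 chars" implies this guess rate
    print(f"implied bcrypt rate: {implied_rate(10, 600_000 * YEAR):,.0f}/s")
```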


I would guess that the letter frequency, digram and trigram frequencies, etc., are quite skewed compared to random. Just by taking that into account, you would crack an average password much faster than you suggest by trying the most likely passwords first. There are plenty of already cracked passwords to draw statistics from.

That in addition to traditional dictionary attacks.


Sure? Wouldn't you optimise the attack to try words or wordlike c0mb1n4t1ons first?


That's a good idea if the password was human-generated. With computer-generated random passwords, like gH8r;2CpyyK!a, you might want to optimize differently.


http://www.imdb.com/title/tt0109686/quotes?qt=qt0383410

Lloyd: What are my chances?

Mary: Not good.

Lloyd: You mean, not good like one out of a hundred?

Mary: I'd say more like one out of a million.

[pause]

Lloyd: So you're telling me there's a chance... YEAH!



