WP Cloud WIBU WhitePaper Licensing in the cloud EN | Page 8

Calculating Hacking Times

Let’s get mathematical for a minute. We can get very deep into the math here, but let’s keep things relatively simple. If you aren’t that interested in math, you can skip to the bullet points below.

A hash is a one-way mathematical function that maps data of arbitrary size (like a password) to a bit string of a fixed size; it is typically used to store users’ passwords in a database. Hash functions are very clever: a slight change in the input translates to a completely different output. This is important: it means that if two people have almost the same password, knowing the hash of one will not give an attacker any clue as to the content of the other, since the hash will be very different. Further, because the hash is of a fixed size, an attacker cannot even deduce the length of a password from knowing its hash.

Current SHA512[3] hashing algorithms take 0.0017 ms (let’s call this y) to compute a hash on a “standard” desktop computer. Let’s assume an attacker has access to a supercomputer or botnet that is one hundred thousand times faster than this. Let’s further assume the number of different characters you could use is x. So, if your password consisted of the characters 0, 1, 2, …, 8, 9, then obviously x = 10. If your password could consist of the characters a, b, c, … x, y, z, A, B, C, … X, Y, Z, then x = 52. Let’s say z is the number of characters in the password. If the time in seconds taken to run through all possible combinations of the character set you use is t, then (with y expressed in seconds, 0.0017 ms = 1.7 · 10⁻⁶ s)

$t = \frac{y \cdot x^{z}}{100000} = 1.7 \cdot 10^{-11} \cdot x^{z}$

But the actual time taken to crack a password is half that. Why half? It is really a fiddle factor, and it helps us realise that when trying every combination of a password, you are statistically likely to get lucky half-way through the combinations you are trying.
With that in mind, suppose a hacker managed to obtain the hash of a user’s password by nefarious means (perhaps they were able to break into a site and steal the database, for example) and wanted to try a brute force[4] attack. Suppose further that this attacker happened to have access to a supercomputer (or a large botnet). Of course, none of this is even remotely likely, but let’s use it as a hypothetical experiment. In this event, how long would it take to crack a password[5]? Running the numbers through this equation is quite easy and gives some interesting answers.

- A 9-digit “pin code” would take less than one hundredth of a second to crack (x=10, z=9).
- An eight-character lower case password would take 1.8 seconds (x=26, z=8).
- An eight-character lower or upper case password would take 7.6 minutes (x=52, z=8).
- If you include numbers and special characters, then an 8-character password would take about four hours (x=80, z=8).
- If you consider a 16-character password, you’d be looking at over $10^{12}$ years, that is a 1 followed by 12 zeros (x=80, z=16): a thousand billion years.
- Of course, it would “only” take a thousand billion years to crack if you knew the user id that the password was associated with. If you had to crack that too… You know where this is going[6].

An obvious question here is: They won’t know that I’m only using lower case letters, so I’m as safe as if I use all special characters too, right?

Actually, CodeMeter Cloud uses a special password hash which is even more secure than this!

[4] Try all combinations of a password with the expectation of “guessing” correctly eventually.
[5] https://thycotic.force.com/support/s/article/Calculating-Password-Complexity
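Running the numbers from the model above in code, as an added example that is not part of the white paper: `crack_seconds` implements $t = y \cdot x^{z} / 100000$ with the text’s figures (y = 0.0017 ms, an attacker one hundred thousand times faster than a desktop) and the halving for the expected case, and `table` reproduces the five password policies from the bullets beside the time for the full keyspace.

```python
"""Brute-force time estimates for the model in the text:
t = y * x**z / speedup, halved for the expected (average) case."""

HASH_MS_DESKTOP = 0.0017      # y from the text: one SHA-512 hash on a desktop, in ms
ATTACKER_SPEEDUP = 100_000    # the text's assumed supercomputer / botnet factor


def keyspace(x: int, z: int) -> int:
    """Number of candidate passwords: x possible characters, length z."""
    return x ** z


def crack_seconds(x: int, z: int, expected: bool = True,
                  hash_ms: float = HASH_MS_DESKTOP,
                  speedup: float = ATTACKER_SPEEDUP) -> float:
    """Seconds to exhaust the keyspace or, with expected=True, the
    halved figure the text uses for a statistically likely hit."""
    per_hash_s = hash_ms / 1000 / speedup    # 1.7e-11 s with the text's figures
    t = per_hash_s * keyspace(x, z)
    return t / 2 if expected else t


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits it."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


# The five policies walked through in the text, as (description, x, z).
CASES = [("9-digit PIN", 10, 9), ("8 lower-case", 26, 8),
         ("8 mixed-case", 52, 8), ("8 mixed + digits/symbols", 80, 8),
         ("16 mixed + digits/symbols", 80, 16)]


def table() -> dict:
    """Expected crack time in seconds per policy, keyed by description."""
    return {name: crack_seconds(x, z) for name, x, z in CASES}


if __name__ == "__main__":
    for name, x, z in CASES:
        print(f"{name:28s} x={x:<3} z={z:<3} "
              f"expected {humanize(crack_seconds(x, z)):>16s}   "
              f"full sweep {humanize(crack_seconds(x, z, expected=False)):>16s}")
```

For the 16-character case the halved expectation comes to roughly 7.6 · 10¹¹ years and the full sweep to roughly 1.5 · 10¹², so the “over $10^{12}$ years” figure describes exhausting the whole keyspace.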