# The problem of hiding stuff, continued

This post follows up a previous one, and incorporates some comments that have been raised on the Facebook group “Hacker Italia” (link here). Specifically, I’m willing to give a follow up to this observation (the whole set of observations deserves way more than a single post):

Se posso permettermi ancora un paio di consigli ci vedrei bene un ragionamento sul rapporto tra costo dell’attacco e valore dell’informazione nascosta, sia economicamente sia in termini di dimensioni dello spazio delle chiavi

which translates to “I’d like to see also the relation between the ratio between attack costs and hidden information, both from an economical and a technical perspective”.

In order to do so, let’s take a look at what the bruteforcing algorithm is.

Bruteforcing is a “sure killing technique”. By exhausting the whole solution tree, sooner or later the password – in this case – is found. The nightmare is the size of the solution tree, which makes it very challenging.

Let us take a live case. In one of my past assignments, I have been asked to produce a comparison between levels of protections achieved by 6-characters, 8-characters, 10 and 12-characters long passwords. As always, we assume an alphabeth $$\mathcal{A}$$ such that $$\mid \mathcal{A}\mid=62$$. Observe that

 # chars # different passwords order of magnitude 6 56800235584 11 8 218340105584896 15 10 839299365868340000 18 12 3,2262667623979E+21 22

Suppose there is a machine that can crack 4 passwords at a time (parallel processor, call it as you prefer). Let us take this one as reference machine; also performances are described – keep in mind that this one is not even the fastest password cracking machines on Earth. Assume that our passwords are then stored in NTLM format – it means, according to the specs, a hashing speed of 123.6 GH/s (read: 123 600 passwords per second).

The cracking times are as follows:

 # chars # different passwords cracking time 6 56800235584 6 days 8 218340105584896 56 years 10 839299365868340000 215 324 years 12 3,2262667623979E+21 827 704 272 years

Now, this is not a “professional cracking system”, a battery of these machines would really shorten these values, however it is transparent how 2 more chars in the password harden it.

Creating a more complex password cracking machine would be quite expensive – just keep in mind that the aforementioned machine costed, at the time of this writing, roughly 5000 dollars. Plus the cost of electricity and all the other costs, makes a cost per crack of .000000039¢. Cracking the Solution tree would have the following costs (in USD):

 # chars # different passwords cracking cost (USD) 6 56800235584 1 108 8 218340105584896 8 515 264 10 839299365868340000 32 732 675 269 12 3,2262667623979E+21 125 824 403 733 518

It goes without saying that also spanning half the Solution Tree would not change too much, in terms of costs.