This might be a silly question but it might not - if let’s say 5 (or even 50) people use the same username and password in multiple sites, and they have another site’s leak. Would they be able to easily crack the hash?
They will start a dictionary attack on the most common passwords and check their hashes against the stolen database. The speed depends on whether the password hashes obtained are salted in a known method (or not at all). If so, they can perform the dictionary search or brute force locally and VERY quickly.
Take these charts with a grain of salt, they always depend on the attacker’s computing power. My password was generated with a password manager and it will take millenia to crack with a reasonable number of modern GPUs so I’ll be able to change it in time.
If the method is not known, they will need to go through the servers, which have rate limits.
The passwords are probably hashed with usernames so they can only attack one person at once but of course, once they have the plaintext password, they can use it anywhere else the user reused it or a variation of it.
Not a silly question! The answer is technically yes, but not really.
Considering there are still sites that store plaintext passwords, there has to be some that just hash it and call it a day. For those, once you crack the hash, you know everyone with the same hash has the same password. Any real site does some more complex stuff to “personalise” each hashed password.
The real issue is when you reuse the password and it gets cracked once, people will try that with your email for other leaks and live sites. If a lot of people use the same password (like “password123”), they’re likely to try it as one of the first guesses to crack any new leaks.
I’m oversimplifying my already oversimplified knowledge of basic cryptography, but it’s a really interesting topic!
You’re contributing to the DDoS attack. Just wait, if your password is good enough and not in use elsewhere it should take a while to crack the hash.
Pretty sure that was a joke >.>
This might be a silly question but it might not - if let’s say 5 (or even 50) people use the same username and password in multiple sites, and they have another site’s leak. Would they be able to easily crack the hash?
They will start a dictionary attack on the most common passwords and check their hashes against the stolen database. The speed depends on whether the password hashes obtained are salted in a known method (or not at all). If so, they can perform the dictionary search or brute force locally and VERY quickly.
Take these charts with a grain of salt, they always depend on the attacker’s computing power. My password was generated with a password manager and it will take millenia to crack with a reasonable number of modern GPUs so I’ll be able to change it in time.
If the method is not known, they will need to go through the servers, which have rate limits.
The passwords are probably hashed with usernames so they can only attack one person at once but of course, once they have the plaintext password, they can use it anywhere else the user reused it or a variation of it.
Not a silly question! The answer is technically yes, but not really.
Considering there are still sites that store plaintext passwords, there has to be some that just hash it and call it a day. For those, once you crack the hash, you know everyone with the same hash has the same password. Any real site does some more complex stuff to “personalise” each hashed password.
The real issue is when you reuse the password and it gets cracked once, people will try that with your email for other leaks and live sites. If a lot of people use the same password (like “password123”), they’re likely to try it as one of the first guesses to crack any new leaks.
I’m oversimplifying my already oversimplified knowledge of basic cryptography, but it’s a really interesting topic!