A post a while back showed that a series of 8 5970 GPUs could test 33.1 billion MD5 passwords per second. A pretty impressive number.
But let’s put that into perspective using this calculator that looks only at combinations, none of that entropy BS that clouds things up.
At 100 billion checks per second, essentially 3x as fast as 8 5970 GPUs, it would take about 19 hours to crack a simple 8 character password with a full character set of 95. Adding just one single character to that turns 19 hours into 2.5 months. One more character and we’re nearing 20 years. Another and we’re nearing 20 centuries.
That’s only 11 characters. That’s nothing, really.
But even if you could check 100 trillion passwords per second it would take an entire 1.83 years to crack the password. And with just one more character even that becomes infeasible, pushing the time for a 12-character password at 100 trillion guesses per second to 1.74 centuries.
And, let’s face it, 100 trillion is going to take massive amounts of energy and funding.
The fact that MD5 is multiple orders of magnitude faster than other methods also puts things into perspective. SHA-256 is meant to be fast and even it’s going to be 10x as slow. If you use PBKDF2 I’d assume it’s a matter of multiplying by the rounds, i.e. if one round takes 10x as long, 10 rounds will take 100x as long. LastPass defaults to 500 rounds so that’s 5000x as slow and I personally use 30,000 rounds so that’s… 300,000x as slow.
Basically, if you use a full character set and 12 character passwords there’s simply no way anyone’s getting into your system. It’s so damn easy to remember a password that’s 12 characters too.
Just a few other tidbits for the 100 trillion checks per second:
16 characters = 1.41 hundred million centuries
20 characters = 11.52 thousand trillion centuries
I mean, really, no one is going to even try. It would be cheaper to try to break the encryption but only because it’s like comparing spending every bit of energy the earth has to offer or just spending millions of dollars.
The point of this post is to demonstrate that if you use even a slightly secure password you make it impossible to brute-force, and if you put virtually any small amount of effort into creating a strong password, the solar system would collapse long before anyone ever broke into it.
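The arithmetic behind these figures, as an added example (not the calculator the post links to): it counts every password of length 1 up to n over a 95-character set, divides by the guess rate, and also inverts the question to give the shortest length that survives a chosen time. The function names, the Julian year length and the `slowdown` multiplier are assumptions of this sketch; the 5000x value is the post's own estimate for 500 rounds, and results land close to the post's numbers, differing in the last digit by rounding.

```python
# Added example: worst-case exhaustive-search time from combination counts.
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year

UNITS = [("centuries", 100 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
         ("months", SECONDS_PER_YEAR / 12), ("days", 86400.0),
         ("hours", 3600.0), ("minutes", 60.0)]


def search_space(charset: int, length: int) -> int:
    """Exact count of every password of length 1..length."""
    return sum(charset ** k for k in range(1, length + 1))


def seconds_to_exhaust(charset, length, guesses_per_sec, slowdown=1):
    """Seconds to try the whole space. `slowdown` is how many times slower
    one guess is than the baseline hash (for example a rounds multiplier)."""
    return search_space(charset, length) * slowdown / guesses_per_sec


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def min_length(charset, guesses_per_sec, target_seconds, slowdown=1):
    """Shortest length whose full search takes at least target_seconds."""
    length = 1
    while seconds_to_exhaust(charset, length, guesses_per_sec,
                             slowdown) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for label, rate in (("100 billion/s", 100e9), ("100 trillion/s", 100e12)):
        for n in (8, 9, 10, 11, 12, 16, 20):
            took = humanize(seconds_to_exhaust(95, n, rate))
            print(f"{label:>15} {n:>2} chars: {took}")
    # The post's 5000x estimate for 500 rounds, applied at 100 trillion/s.
    millennium = 1000 * SECONDS_PER_YEAR
    print("length for 1000 years, fast hash:",
          min_length(95, 100e12, millennium))
    print("length for 1000 years, 5000x slower:",
          min_length(95, 100e12, millennium, 5000))
```

The model covers only exhaustive search over randomly chosen characters, which is the case the post's numbers describe.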