  1. Recently I received an email from my company's IT department and they were working with a third party to test password strength. They claimed that they were able to brute force my password, which was 18 characters, upper and lowercase letters, numbers, and special characters. I was under the impression that this is fairly secure from brute force.
  3. security.stackexchange.com

    So if you have a 256-bit secret key and use SHA-256 as your hash function, there are about $2^{256}$ potential HMAC keys (~$10^{77}$ -- for comparison there's only been about $10^{26}$ nanoseconds since the big bang) an attacker would have to iterate through before they find the K used (if they in fact find the correct K and not an unlikely collision that ...
  4. Aug 29, 2023. For password hashing, this means trying every potential password combination to find the one that produces the target password hash. Brute force attacks rely on repeatedly making guesses and checking if the output matches. With sufficient computing power and time, brute force attacks are guaranteed to succeed eventually. The aim is to minimize ...
  5. However, this hash will be of the password + salt, not just the password. As for the thing about modern GPUs: if done properly, the hashing algorithm used will be something like argon2id which is designed to be expensive to compute and in particular hard to brute-force on a GPU. In that case, without salting, using a pre-computed rainbow table ...
  6. To be pedantic, there is no correct password: there is only a correct hash. All possible passwords that hash to the same result are valid. In most cases, you will generally search in a very limited space (say, a combination of a few letters) and therefore you'll most likely find the password that was originally used, but you will never know.
  7. stackoverflow.com

    I'm primarily asking this question for transport of a password database (not online storage where the server would have the private key to decrypt the encrypted password at all times). I know that a cryptographic hash should be irreversible, but an off-line brute force attack on weak passwords would easily reveal a password.
  8. stackoverflow.com

    This is an offline brute-force attack. I have the database full of hashes and their respective salts. The salts are per user, but I only want to attack one user's password at a time. Specifically, I am asking how to brute force a password using a custom series of hashing algorithms, such as the one I showed above: pseudocode:
  9. Brute force attack. In a brute force attack, every password is eventually found because the technique is to test every possible keystroke for each single key in a password until the correct one is found. Keyloggers log or record every keystroke on the computer keyboard to obtain passwords and other important data. A pass-the-hash attack is a hacking technique where an attacker uses an ...
  10. passwarden.com

    Reverse Brute Force Attack. With this type of brute force attack, an attacker uses a common password against multiple usernames to gain access to an account. Credential Stuffing. This type of attack is possible because many users reuse the same username/password combination across multiple sites.
  11. crypto.stackexchange.com

    While an eight digit search space is easily iterated, the default settings for LUKS/cryptsetup use a password hash that takes 1s to compute (PBKDF2-SHA1 with iterations chosen to reach that time). That means a brute force of eight digits would take $10^8/60/60/24$ days or over three years on that hardware.

  1. Your question does not make a lot of sense to me. If you already know the hash and know what input generates it, what is the point of your bruteforce?

    On the other hand bruteforcing something means to apply some procedure many times with different inputs and comparing the output with your hash. If you do not know what procedure to use, there is no way you will be able to apply it many times.

    But if you know the input and the hash, you can bruteforce it in the beginning to find what algorithm is used. For example

    sha1(i), sha1(md5(i)), md5(i) and so on, trying many combinations of possible hash functions. You might guess partially what is used. So if your output is 160 bits long, you can guess that maybe the last step was sha1.

    --Salvador Dali
