If your password is a word or a common word/number combination, and I have the encrypted hash, I can break it in a few hours, maybe a day. (edit: ran the calculations for another post, it takes 25 minutes to crack any common password, even with bcrypt)
If it's not, it might take days-weeks depending on how long it is and which algorithm they used. If it's under 8 characters, there are databases that can break it instantly. (Edit: As sordifPontification points out, these don't apply to bcrypt, especially if it's salted as it should be)
No.
Gab is based on Mastodon which uses bcrypt to store password hashes. There are no rainbow tables for bcrypt for anything 8 characters or less. For under 8 characters, the rainbow tables would be ~211 296 876 372 480 bytes in size. Plausible given current storage but very unlikely.
Edit: And this calculation is probably off by an order of magnitude as I forgot about the salt and was basing this off the hash length.
Edit edit: Plus a 16 byte salt renders rainbow tables completely useless.
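Added example, not posted by anyone in this thread: it shows why a precomputed lookup table cracks unsalted hashes instantly but gives nothing against a per-user 16-byte random salt. Python's standard-library `pbkdf2_hmac` is used as a stand-in for bcrypt (bcrypt is not in the standard library), and the wordlist is constructed for the demo.

```python
import hashlib
import os
import secrets

# Constructed stand-in for a "common password" dictionary.
WORDLIST = ["password", "letmein", "qwerty123", "dragon", "sunshine1"]


def precompute_table(words):
    """Unsalted SHA-256 of every word: the 'database that breaks it instantly'."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def unsalted_store(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, rounds=100_000):
    """Salted, cost-parameterised KDF standing in for bcrypt (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def register(password):
    salt = os.urandom(16)  # 16-byte random salt, as the thread describes
    return salt, salted_hash(password, salt)


def verify(password, salt, stored):
    # Constant-time comparison of the recomputed hash against the stored one.
    return secrets.compare_digest(salted_hash(password, salt), stored)


def table_hits_unsalted(table, passwords):
    """Every common password is found by a single dictionary lookup."""
    return sum(1 for p in passwords if unsalted_store(p) in table)


def table_hits_salted(table, passwords):
    """The same table never matches: each stored value depends on the salt too."""
    return sum(1 for p in passwords if register(p)[1] in table)


def same_password_differs(password):
    """Two registrations of one password produce two different stored hashes."""
    return register(password)[1] != register(password)[1]


def salted_table_entries(wordlist_size, salt_bytes=16):
    """Rows a table would need to cover every possible salt for each word."""
    return wordlist_size * 2 ** (8 * salt_bytes)
```

The last function makes the thread's "renders rainbow tables completely useless" concrete: a 16-byte salt multiplies the table by 2^128 rows, so the only remaining option is recomputing the slow KDF per stolen hash.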
Good points on the bcrypt part. Editing my post above.
It's been a long time since I've done anything in that world. How are passwords that consist of several real words with no numbers or symbols?
Several real words (3+) are very safe. Easy to remember, and it just takes exponentially long for any algorithm to work its way up to that point.
Yep. Another reason for a password manager. Have 20+ character passwords that are random and use all possible characters.