Gab Social, being based on Mastodon, stores bcrypt hashes of the passwords.
An Nvidia 2080Ti GPU with a bcrypt cost factor of around 10 can only crack 250 hashes/second (versus 54 billion for MD5). As long as you're using random passwords, even a 6 character password with only a corpus of upper and lowercase letters plus numbers would still take around 7 years to crack.
Having the hashes does make dictionary attacks much more plausible, however; these could be performed in fairly short order.
This is a good reason to use a password manager with strong passwords (16 characters minimum) that are fully random.
250 hashes/second, 200k words in my 'leaked passwords' dictionary: (200k/250/60) = 30 minutes to crack anyone stupid enough to use a common password. And out of 100,000s of users that's gotta be 10% or so.
I'm not trying to crack any specific password (theoretically, in this example). I'm just trying to crack a large number of random passwords.
That's the point though. bcrypt largely limits the effectiveness of password cracking to dictionary attacks.
Even an 8 character password with a corpus of most special characters will still take you around 380,000 years to crack at 250 hashes a second ((86^8) / 250 * 86400 * 365).
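As an added example (not part of this thread), the following Python calculator reproduces the keyspace-over-rate estimates the commenters above are doing by hand, for both the brute-force case and the dictionary case. The 250 hashes/second bcrypt figure and the 54 billion/second MD5 figure are taken from the thread; the character-class sizes come from Python's `string` module (26 + 26 + 10 + 33 printable symbols including space), which is an assumption of this example, so the thread's 86-character corpus is passed in directly as a number. The `min_random_length` helper goes slightly beyond the thread: it answers the policy question behind the "16 characters minimum" advice by finding the shortest fully random password that would outlast a given attacker rate for a given number of years.

```python
import string

# Attacker throughput quoted in the thread (one RTX 2080 Ti).
BCRYPT_RATE_PER_SEC = 250            # bcrypt, cost factor ~10
MD5_RATE_PER_SEC = 54_000_000_000    # unsalted MD5, for comparison

SECONDS_PER_YEAR = 86_400 * 365

# Character classes used to estimate the alphabet a password is drawn from.
# Assumption of this example: symbols = Python's string.punctuation plus space.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "symbol": frozenset(string.punctuation + " "),  # 33
}


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes present in the password.

    This is the usual (optimistic) way to size the search space a brute-force
    attacker would have to cover if the password were truly random.
    """
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate strings of the given length over the alphabet."""
    return alphabet ** length


def brute_force_years(alphabet: int, length: int,
                      rate: float = BCRYPT_RATE_PER_SEC) -> float:
    """Years needed to exhaust the whole keyspace at `rate` hashes/second."""
    return keyspace(alphabet, length) / rate / SECONDS_PER_YEAR


def dictionary_seconds(words: int, rate: float = BCRYPT_RATE_PER_SEC) -> float:
    """Seconds needed to try every word of a wordlist against one hash."""
    return words / rate


def min_random_length(alphabet: int, rate: float, min_years: float) -> int:
    """Shortest random password over `alphabet` whose full keyspace takes at
    least `min_years` to exhaust at `rate` hashes/second."""
    needed = rate * min_years * SECONDS_PER_YEAR
    length = 1
    while keyspace(alphabet, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    # The thread's own cases: 6 chars over [A-Za-z0-9] and 8 chars over 86 symbols.
    print(f"62^6  @ bcrypt: {brute_force_years(62, 6):,.1f} years")
    print(f"86^8  @ bcrypt: {brute_force_years(86, 8):,.0f} years")
    print(f"86^8  @ MD5   : {brute_force_years(86, 8, MD5_RATE_PER_SEC):,.2f} years")
    print(f"200k-word list @ bcrypt: {dictionary_seconds(200_000) / 60:.1f} minutes")
    # Policy view: random length needed to survive 100 years even at MD5 speed.
    print("min random length vs MD5, 100 years:",
          min_random_length(62, MD5_RATE_PER_SEC, 100))
    print("alphabet for 'Tr0ub4dor&3':", alphabet_size("Tr0ub4dor&3"))
```

The takeaway the thread is making is visible in the numbers: the hash rate, not the hash function, is what the defender controls through the cost factor, and the wordlist time is independent of password length, which is why a random password from a manager beats a long but guessable one.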