250 hashes/second, 200k words in my 'leaked passwords' dictionary: (200k/250/60) = 30 minutes to crack anyone stupid enough to use a common password. And out of 100,000s of users that's gotta be 10% or so.
I'm not trying to crack any specific password (theoretically, in this example). I'm just trying to crack a large number of random passwords.
That's the point though. bcrypt largely limits the effectiveness of password cracking to dictionary attacks.
Even an 8-character password with a corpus of most special characters will still take you around 380,000 years to crack at 250 hashes a second ((86^8) / 250 * 86400 * 365).