DiscoverAFire 6 points ago +6 / -0

When you have direct access to the encoded passwords like this you no longer have to try passwords on individual accounts and on the time-schedule the security system limits you to. Imagine trying to guess the combination to a highschool locker - pretty slow going. Now imagine every guess you took was instantly tried on every locker in the school.

Your odds of getting into any specific targeted locker (account) are kinda low, but since there are tens of thousands of lockers in this virtual school, you're going to get thousands of accounts.

Then you use these username/password combinations at banks, paypal, bitcoin exchanges, amazon, etc. Again, 50-80% of them won't work, but we're on the order of 10s of thousands, and this can all be automated.

So you end up with thousands of compromised accounts on third parties, and you sell these accounts (for like $20 each) to 4th parties who have money laundering networks.

Now you have $100k and none of it has come directly from any of your victims, making it hard to trace to you.
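The "every guess tried on every locker" multiplier in the comment above only holds when the hashes are unsalted: one hash of a guess can be looked up against the whole dump. The bcrypt hashes discussed further down the thread carry a per-user salt, so each guess has to be hashed once per account, although a weak password still falls to a short wordlist. The following is an added example, not code from the thread; the accounts and wordlist are constructed, and PBKDF2 is used only as a standard-library stand-in for bcrypt, since the point shown is the salt, not the algorithm.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample data (not from the post): five accounts and the
# passwords they chose. Shared weak passwords are deliberate, as in real dumps.
ACCOUNTS: Dict[str, str] = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",
    "dave": "Tr0ub4dor&3xZ!",  # random-looking; absent from the wordlist
    "erin": "qwerty",
}

# Constructed stand-in for a "leaked passwords" dictionary, in probe order.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "password1", "dragon"]


def unsalted_hash(pw: str) -> str:
    """Unsalted MD5: identical passwords give identical hashes across users."""
    return hashlib.md5(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> bytes:
    """Per-user salted hash. PBKDF2 is only a stand-in for bcrypt (which is
    not in the standard library); what is demonstrated is the salt."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 1000)


def build_unsalted_dump() -> Dict[str, str]:
    return {user: unsalted_hash(pw) for user, pw in ACCOUNTS.items()}


def build_salted_dump() -> Dict[str, Tuple[bytes, bytes]]:
    dump: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in ACCOUNTS.items():
        salt = os.urandom(16)  # fresh salt per user, as bcrypt does
        dump[user] = (salt, salted_hash(pw, salt))
    return dump


def crack_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """One hash per guess is compared against every account at once:
    the 'every guess tried on every locker' multiplier."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    cracked: Dict[str, str] = {}
    hash_ops = 0
    for word in wordlist:
        hash_ops += 1
        for user in by_hash.get(unsalted_hash(word), []):
            cracked[user] = word
    return cracked, hash_ops


def crack_salted(dump: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Salt forces one hash per guess per account; the multiplier is gone,
    but a weak password still falls to a short dictionary."""
    cracked: Dict[str, str] = {}
    hash_ops = 0
    for user, (salt, target) in dump.items():
        for word in wordlist:
            hash_ops += 1
            if salted_hash(word, salt) == target:
                cracked[user] = word
                break
    return cracked, hash_ops


if __name__ == "__main__":
    c, ops = crack_unsalted(build_unsalted_dump(), WORDLIST)
    print(f"unsalted: cracked {sorted(c)} with {ops} hash computations")
    c, ops = crack_salted(build_salted_dump(), WORDLIST)
    print(f"salted:   cracked {sorted(c)} with {ops} hash computations")
```

With the constructed data the unsalted run recovers four of five accounts after six hash computations (one per word), while the salted run recovers the same four but needs 23, one per word per account until each match; the gap widens linearly with the number of accounts in the dump.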

SordidPontification 5 points ago +5 / -0

Gab Social, being based on Mastodon, stores bcrypt hashes of the passwords.

An Nvidia 2080Ti GPU with a bcrypt cost factor of around 10 can only crack 250 hashes/second (versus 54 billion for MD5). As long as you're using a random password, even a 6-character password with only a corpus of upper and lowercase letters plus numbers would still take around 7 years to crack.

Having the hashes does make dictionary attacks much more plausible, however; these could be performed in fairly short order.

This is a good reason to use a password manager with strong passwords (16 characters minimum) that are fully random.

DiscoverAFire 0 points ago +0 / -0

250 hashes/second, 200k words in my 'leaked passwords' dictionary: (200k/250/60) = 30 minutes to crack anyone stupid enough to use a common password. And out of 100,000s of users that's gotta be 10% or so.

I'm not trying to crack any specific password (theoretically, in this example). I'm just trying to crack a large number of random passwords.

SordidPontification 1 point ago +1 / -0

That's the point though. bcrypt largely limits the effectiveness of password cracking to dictionary attacks.

Even an 8 character password with a corpus of most special characters will still take you around 380,000 years to crack at 250 hashes a second ((86^8) / 250 * 86400 * 365).
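The figures traded in this thread (7 years for 6 alphanumeric characters, ~380,000 years for 8 printable characters, a 200k-word dictionary in minutes) all come from the same arithmetic: keyspace or wordlist size divided by the hash rate. The block below, an added example rather than anything posted by the commenters, carries that arithmetic through with the rates quoted above (250 bcrypt hashes/s at cost 10, 54 billion MD5 hashes/s on one 2080Ti), and adds two things the thread only implies: bcrypt's cost parameter halves throughput per step, since it runs 2**cost rounds, and because bcrypt salts every hash the dictionary pass has to be repeated per account, so "30 minutes" is a per-target figure, not a figure for the whole dump. The exhaustive-search numbers are worst case; expected time to hit one specific password is half of that.

```python
SECONDS_PER_YEAR = 86400 * 365

# Rates quoted in the thread for one RTX 2080 Ti (hashes per second).
BCRYPT_COST10_RATE = 250.0
MD5_RATE = 54e9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def bcrypt_rate(cost: int, reference_rate: float = BCRYPT_COST10_RATE,
                reference_cost: int = 10) -> float:
    """bcrypt performs 2**cost rounds, so each +1 on the cost halves throughput."""
    return reference_rate / 2 ** (cost - reference_cost)


def exhaust_years(space: int, rate: float) -> float:
    """Worst case: every candidate tried (expected time is half this)."""
    return space / rate / SECONDS_PER_YEAR


def dictionary_seconds(words: int, accounts: int, rate: float, salted: bool = True) -> float:
    """Salted hashes (bcrypt) cost one hash per word per account; unsalted
    hashes let one hash per word be looked up against every account."""
    hashes = words * (accounts if salted else 1)
    return hashes / rate


def thread_figures() -> dict:
    """The numbers discussed in the thread, recomputed from the formulas above."""
    return {
        "6_alnum_bcrypt_years": exhaust_years(keyspace(62, 6), BCRYPT_COST10_RATE),
        "6_alnum_md5_seconds": keyspace(62, 6) / MD5_RATE,
        "8_printable_bcrypt_years": exhaust_years(keyspace(86, 8), BCRYPT_COST10_RATE),
        "200k_words_one_account_minutes":
            dictionary_seconds(200_000, 1, BCRYPT_COST10_RATE) / 60,
        "200k_words_100k_accounts_bcrypt_years":
            dictionary_seconds(200_000, 100_000, BCRYPT_COST10_RATE) / SECONDS_PER_YEAR,
        "200k_words_100k_accounts_md5_seconds":
            dictionary_seconds(200_000, 100_000, MD5_RATE, salted=False),
        "bcrypt_cost12_rate": bcrypt_rate(12),
    }


if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name:42s} {value:,.4f}")
```

Running it reproduces the thread's 7.2 years and roughly 379,500 years for the two brute-force cases, gives 13.3 minutes for one 200k-word pass against a single bcrypt hash, and about 2.5 years for the same wordlist against 100,000 salted accounts; the same wordlist against 100,000 unsalted MD5 hashes is done in microseconds. Raising the bcrypt cost from 10 to 12 drops the attacker to 62.5 hashes/s.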