2. Enter Passphrase Word Count:
3. Enter Iterations (Default for master password is 100,000, everything else assume 1):
- This calculator assumes the passphrase was randomly generated.
- It also assumes you’re not reusing this passphrase anywhere else; you should never reuse passphrases or passwords.
- The answers above are how long it would take to go through every possibility. So you can safely divide the answers above in half to give the attacker a 50/50 shot of finding the password in the first half of guesses.
- Bitcoin mining is not set up to crack passphrases and is only used as an over-the-top example.
What Are Iterations?
Websites don’t store your actual password but a hash version of it.
Think of a hash as a smoothie, if you blend the same raw materials for the same amount of time you always get the same smoothie.
The website compares the hash (or the “smoothie”) they have on file to the hash that was generated from your password to confirm you’re the correct user. Just like the smoothie, once blended, the hash can’t be returned to its raw material; the hash is irreversible, making it perfect for password storage on a server.
To slow down guessing or make your master password stronger without you doing anything extra, many password managers will hash the password multiple times. Hashing the hash over and over again is iterating the password. The more you do it, the stronger you make the password.
Adding more iterations will only linearly slow down an attacker, but adding one more word will exponentially slow down the hacker.
You don’t want too many iterations as it slows down your computer, and if your computer is too slow, you can crash it as the OS thinks it’s stuck in a loop. This is why password managers like Bitwarden stop you at 2 million iterations and also why they say to only add 50k iterations at a time.
Why Was The Passphrase Cracking Calculator Created?
I wanted to know how long should my master password be, and most of the cracking calculators on the internet never…
- Considered the number of iterations.
- The different types of word lists.
- Real-world cracking power.
It’s impossible to guess how strong your master password should be if you’re not factoring in these 3 things.
All cracking power is based on an attacker using ONE AMD Radeon RX 6800 XT.
ONE AMD Radeon RX 6800 XT can crack a Bitwarden master password at 36,900 H/s with iterations set to 99,999.
To get to 1 iteration we take 36,900 * 99,999 = 3,689,963,100 H/s.
We take 3,689,963,100 H/s and divide by how many iterations the user has selected to figure out the cracking power.
Iterations linearly slow down an attacker while adding another word to the passphrase exponentially slows down the attacker.
The AMD Radeon RX 6800 XT MSRP is $650 but can be found for much more due to high demand. Prices in the calculations are based on MSRP but rest assured, it will be more expensive due to demand and other components you’ll need to have to run this many graphic cards.
To put things into perspective, the highest cluster of graphic cards made for cracking passwords I have found was 448 RTX 2080s back in 2019. So someone having 1,000 of RX 6800 XT would be very unique, let alone 10,000 of them.
The AMD Radeon RX 6800 XT Compares very well to the RTX 3080, and both are current-gen graphic cards with a lot of power.
We went with the AMD Radeon RX 6800 XT as it’s the only real-world example we can find of anyone cracking passwords, especially master passwords from the likes of Bitwarden.