Brute force password cracker
Problem
I wrote this script for a proof of concept JavaScript password cracker:
    // Printable ASCII, space through "~" (95 characters).
    var charset = " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";

    function crack(value) {
        // Convert a non-negative integer to a string of charset "digits".
        function toRadix(N) {
            var HexN = "",
                Q = Math.floor(Math.abs(N)),
                R,
                strv = charset,
                radix = strv.length;
            while (true) {
                R = Q % radix;
                HexN = strv.charAt(R) + HexN;
                Q = (Q - R) / radix;
                if (Q == 0)
                    break;
            }
            return ((N < 0) ? "-" + HexN : HexN);
        }

        var start = (new Date()) * 1,
            cracked = false,
            index = 0;
        // Count upwards until the index converts to the target string.
        while (!cracked) {
            if (toRadix(index) == value)
                cracked = true;
            else
                index++;
        }
        // Report the elapsed time in milliseconds.
        alert(((new Date()) * 1) - start);
    }

This script works fine, but it is slow.
What would be the best way to speed up this algorithm?
Solution
Expectation Setting
Your algorithm is an incrementing index, which you then convert into the radix of your charset.
Your charset is what, 95 characters?
So, there are the following possible permutations for passwords:
1 char -> 95
2 char -> 9025
3 char -> 857375
4 char -> 81450625
5 char -> 7737809375
6 char -> 735091890625
7 char -> 69833729609375
8 char -> 6634204312890625
OK, so, let's assume the person chooses an 8 char password you need to crack, and that it starts about half-way through your alphabet with a 'K'.
That means you will have to calculate about... 3,000,000,000,000,000 passwords before you get to the right one....
Now, let's assume your browser is super fast (like in the scale of a super-computer), and can compute 1 billion passwords each second....
It will need 3,000,000 seconds to get to the right one.... which is.... about 5 weeks (not 2.5 years as originally stated).
Now, your browser, if it is on an amazing PC, will be 1000 times slower.... so, the right way to crack this password this millennium, is to actually wait about 20 years, and then crack it then when computers are a few hundred times faster ;-)
Note, I would not expect even the fastest PC to be able to get to 5 char passwords using a single-threaded execution model, in the most optimal way, to check more than 1,000,000 passwords a second, which makes 5 char passwords more than 2 minutes away....
One of the joys of brute-force tactics, by the way, is that, in general, the fastest way to crack a brute-force password of reasonable length is to do nothing.... and wait for technology to get faster... and then start later, and finish sooner.
Alternate algorithm
Using recursion would be a natural way to solve the general problem of checking all solutions, but it has the problem that it checks all solutions in the wrong order (typically it solves the longest passwords first.... which would be counter-intuitive to check a bunch of 8-char passwords before you check all 7 char passwords).
So, you are left with just making the current system faster... and, that's a somewhat fruitless problem, because even halving the time would not be meaningful in most cases.
This leads on to multi-threading, which is the fastest way to accelerate the problem, but I am not sure this is available on your browser.
Context
StackExchange Code Review Q#68063, answer score: 16
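
The answer's time estimate can be computed directly instead of waited for. The following is an added example, not code from the original post or answer: it inverts the post's `toRadix()` to find the index at which the counting loop would produce a given password, then converts that to time at a chosen guess rate. The charset construction (printable ASCII 32 to 126), the function names `guessesBefore`, `isReachable`, `secondsToReach` and `humanize`, and the sample passwords are assumptions made for the example.

```javascript
// Added example, not code from the post. Assumption: the charset is
// printable ASCII, space (32) through "~" (126), i.e. 95 characters.
const CHARSET = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)).join("");

// Inverse of the post's toRadix(): the index at which the counting loop
// would produce `password`. BigInt, because 95^9 exceeds 2^53.
function guessesBefore(password, charset = CHARSET) {
  const radix = BigInt(charset.length);
  let index = 0n;
  for (const ch of password) {
    const digit = charset.indexOf(ch);
    if (digit < 0) throw new RangeError("character not in charset: " + JSON.stringify(ch));
    index = index * radix + BigInt(digit);
  }
  return index;
}

// toRadix() never emits a multi-character string that starts with
// charset[0] (a leading "zero" digit), so the loop never reaches those.
function isReachable(password, charset = CHARSET) {
  if (password.length === 0) return false;
  return password.length === 1 || password[0] !== charset[0];
}

// Whole seconds until the loop reaches `password` at a fixed guess rate.
function secondsToReach(password, guessesPerSecond, charset = CHARSET) {
  return guessesBefore(password, charset) / BigInt(guessesPerSecond);
}

function humanize(seconds) {
  const units = [["years", 31536000n], ["days", 86400n], ["hours", 3600n], ["minutes", 60n]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${seconds / size} ${name}`;
  }
  return `${seconds} seconds`;
}

// Constructed sample passwords, each at the two rates the answer mentions.
for (const pw of ["zzzzz", "K0rrect!"]) {
  for (const rate of [1000000, 1000000000]) {
    console.log(JSON.stringify(pw), rate + "/s:", humanize(secondsToReach(pw, rate)));
  }
}
```

An 8-character password beginning with `K` lands at index 43 × 95^7, which is the roughly 3,000,000,000,000,000 guesses and five weeks at a billion guesses per second that the answer arrives at.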