Does this article say that all passwords of up to 55 characters can be brute-forced now?

The thing to remember is where this question came in - attacks are currently limited to - but also are making use of - the ways people create passwords.

A very common way of creating a password for a site is to append the site name to the password. Just about any automated cracking system will try various combinations of this as a matter of course. So that particular part of a personal password generation algorithm adds almost no security. Applying MD5 to create a scrambled, but deterministic password, is less common, but is clearly also an option for any cracking system to add to the set of mechanisms that people might use. If there is evidence that it is common enough, you should assume that the cracking programs will add it. It is a small step for a cracking program to try combinations of the various generation schemes. So overall, adding the site and applying MD5 adds just a few bits of entropy.

This is part of the problem the article the OP cited covers. A strong password has a lot of entropy. A weak password has low entropy. In principle a 55 character password has a lot of entropy, but given the ways people use to generate them, they have vastly less. So much less that they are amenable to successful attack. It doesn’t matter if the password appears like so much gobbledygook to a human. Humans aren’t doing the attacking. The cracking programs are built to apply every deterministic password generation algorithm that is both tractable and common enough to be worthwhile. They started life as simple dictionary attacks plus the usual silly things like the username backwards, and expanded out into full phrase attacks, whilst also adding common twists that people use - like odd capitalisation, appending site names. The entropy in these password schemes is so vastly less than the potential entropy in a truly random password that the passwords are now subject to attack.

A true random password has the entropy that the size of password allows. A password that is selected from a smaller set has, by definition, less entropy.

There are quite a number of password generation systems out there. They can generate fully random, pronounceable, or otherwise restricted, passwords. Even the pronounceable ones have much much less entropy than the fully random ones. They may well become subject to attack in the future, but they still contain much more entropy than passwords derived from words and phrases, plus little tweaks.
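The post's point about "word plus site name, then MD5", as an added example that is not part of the thread: a password audit that compares the nominal entropy of the 32-character output with the entropy of the scheme that produced it. The word list, site variants, scheme table and function names are constructed for illustration.

```python
import hashlib
import math

# Constructed sample data: a tiny stand-in for an audit dictionary.
WORDS = ["sailor", "dragon", "letmein", "monkey", "sunshine"]
SITES = ["example", "example.com", "Example"]

# Deterministic generation schemes of the kind the post describes (assumed).
SCHEMES = {
    "word+site": lambda w, s: w + s,
    "site+word": lambda w, s: s + w,
    "md5(word+site)": lambda w, s: hashlib.md5((w + s).encode()).hexdigest(),
    "md5(site+word)": lambda w, s: hashlib.md5((s + w).encode()).hexdigest(),
}

def nominal_bits(password, alphabet_size):
    """Entropy the string would have if every character were chosen at random."""
    return len(password) * math.log2(alphabet_size)

def effective_bits(n_words, n_sites, n_schemes):
    """Entropy of the scheme itself: log2 of how many outputs it can produce."""
    return math.log2(n_words * n_sites * n_schemes)

def audit(password):
    """Return (scheme, word, site) if the password lies in the scheme space, else None."""
    for name, derive in SCHEMES.items():
        for word in WORDS:
            for site in SITES:
                if derive(word, site) == password:
                    return name, word, site
    return None

if __name__ == "__main__":
    derived = hashlib.md5(b"sailorexample.com").hexdigest()
    print("looks like      :", nominal_bits(derived, 16), "bits")
    print("actually (toy)  :", round(effective_bits(len(WORDS), len(SITES), len(SCHEMES)), 1), "bits")
    # A million-word dictionary, ten site spellings and ten schemes: still tiny.
    print("actually (large):", round(effective_bits(10**6, 10, 10), 1), "bits")
    print("audit finding   :", audit(derived))
    print("random 12 chars :", round(nominal_bits("DjS4Md5ctE8Z", 62), 1), "bits,", audit("DjS4Md5ctE8Z"))
```

The hex digest looks like 128 bits, but the scheme can only produce as many outputs as it has inputs, which is the number that matters to an auditor.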

sailor, the problem with your passwords is that you’re generating them from words. If the word you started with is good enough already, then why are you bothering with the hashing? And if it’s not good enough already, then an attacker can just try generating passwords the exact same way you did until they get something that matches.

And can try every password generation method he knows to generate guesses, if you truly are the one who knows your method then no, he won’t know. But since we don’t know what your method is we have no way of evaluating your claim here, in theory someone else could have come up with the same method, independently of you. Catch-22 I know.

You asked how long it would take, the strength of the password depends entirely on the “salt”. If the “salt” is weak, then the password is weak, if the “salt” is strong, why aren’t you just using that as a password in the first place?

By that reasoning “Qwertyuio12” is just as secure as “DjS4Md5ctE8Z”, since the generation method doesn’t matter.

Using a MAC address as any sort of seed for a password is stupid - there isn’t as much entropy in a MAC address as you might think - it might look like a nice long string of numbers, but there is a set of manufacturer codes, bits to define uni/multicast, and the unique numbers are generally allocated sequentially. For a particular model device, that is a very small space to search…

You are not understanding the question. What entropy? There is no “entropy”. The MAC is not the question, the MAC is a given, it is fixed, it is public.

I am tired of just going around in circles. For the last time, here is my statement of the challenge: I make public a list of MAC addresses (or numbers or strings) and their corresponding hashes. These hashes are created by a fixed algorithm which uses as input a secret string with the MAC or string appended to it. Then I give another MAC or string and the attacker needs to discover the corresponding hash. That is it. Simple.

In my view the hash algorithm is impossible to reverse so the only way to solve the question is to discover the algorithm and the secret word to which the MAC is appended and that requires more computing power than is available today. I say this is impossible and I am willing to bet money on it. If you know anyone who thinks they can solve the problem tell them to come here and we can set it up so that it is worth their time.

This system is used in routers and, as far as I know has never been cracked with a cryptographic attack. When it has been cracked it has been by other means, not by cryptographic attack. So, you think you can crack it or know someone who can crack it? Let’s see it! The challenge is there.

I don’t want to continue running around in circles so that’s all I have to say until someone expresses interest in accepting my challenge.

No, it can be done in a matter of seconds, if it’s in the common dictionaries, or hours, if it’s in the larger dictionaries, on a single machine with a graphics card.

Who will do it? Can you do it? Can you find someone who can do it? Otherwise it’s like saying I have invented a perpetual motion machine and asking people to just take my word for it. When I see it done I’ll believe it. Otherwise I think it is just a matter of people not understanding the difficulty of the problem. I am willing to put money on the table to make it worth the while of some expert. Any takers?