How to crack billions of passwords?


In the old days, passwords were stored in plain text. It didn’t take long to figure out that this was not a good idea: a breach of the system resulted in hackers having instant access to all accounts. To prevent this, one-way hashing was introduced. A variable length password is transformed in a fixed length code (‘hash’) and stored. When a user authenticates, the entered password is hashed too. If the stored and calculated hash match, the entered password is correct. If the system is breached, the passwords of the system are still safe: password hashes cannot be decoded or reversed to retrieve the plain passwords.

Figure 1: exponential growth (93^length)
  • Cracking speed can be decreased by using slower hashing algorithms. A simple way of achieving this is using N iterations of an algorithm. This slows cracking down with a factor N. This technique is known as ‘key stretching’.
  • Hardware-specific slowdowns typically exhaust fast memory by using relatively large amounts of it. This will result in a significant drop in performance on the targeted platform, since the system needs time to access slower memory. Introduced slowdowns are platform and processor-specific.
Figure 2: cracking speeds for various types of hashes

Cracking platforms

There are four different type of platforms for cracking password hashes. Each one has specific characteristics.

Finding the right tool for the job

With theoretical limitations and available cracking platforms in mind we can pick the right tools for the job. Password hashes can be divided in two categories: hashes with and without hardware-specific slowdowns. Let us call them ‘simple’ and ‘advanced’ hashes.

Cracking at

Let us go back to the original question: how to crack billions of passwords? We have seen that simply buying more generic computing power is not the best solution. Instead, at Scattered Secrets we focus on smart cracking strategies and hardware that excels in a specific job. As a result, we run a wide variety of cracking hardware. For simple standard hashes we mainly use multi-GPU systems. For simple non-standard hashes we mainly use multi-CPU systems. For power and rack space efficiency, we typically combine massive GPU and CPU power in a single system:

Figure 3: Scattered Secrets’s cracker category ‘heavy’: four GPUs and four CPUs in a single system
Figure 4: Scattered Secrets’s cracker category ‘FPGA’: under the hood of a forty-eight FPGA system



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store