And to your solid point about the 70%, I forgot to math that out to illustrate the importance of protecting the remaining people who *aren't* reusing passwords. (And I know you know this, mostly posting for those following along).
In the 16 million bcrypt cost 12 case, if 70% of them can be "pre-cracked" with correlation, then the amount of time for the attack above to run for the remaining 30% drops from 300 days to 90 days. Which is an okay amount of time to buy between compromise and discovery, until we remember that you can have a lot more than two 4090s 😅, and of course, bcrypt parallelizes relatively well, such that a different hash like Argon2 or yescrypt is a better choice. But if bcrypt is the only option for some reason, bumping the work factor higher, if feasible, would be recommended.
Royce Williams
npub1d9…v7m3z
2025-09-09 12:56:46 UTC
in reply to nevent1q…qmj2
Author Public Key
npub1d9j86kugzarj4skw6juglk2de6mful9svqu8yac6vum5wz5xtcwsyv7m3zSeen on
wss://relay.momostr.pinkPublished at
2025-09-09 12:56:46 UTCEvent JSON
{
"id": "56d3b5bd61f3cbd7c845b8f8b54d17bb841c18827e1958e9d37f353bf4f1a045",
"pubkey": "69647d5b8817472ac2ced4b88fd94dceb69e7cb0603872771a6737470a865e1d",
"created_at": 1757422606,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/@tychotithonus/115174447946899248",
"web"
],
[
"e",
"58bfcd19db6a74e1c03cba6a7adaa686e52c2f4d4f27be818b3252e0c0b0c4d2",
"",
"reply",
"69647d5b8817472ac2ced4b88fd94dceb69e7cb0603872771a6737470a865e1d"
],
[
"e",
"c87d38503fea7c4b20261dfc968c9dd0f1710eb9fd868f88a260220a25c5c98f",
"",
"root",
"69647d5b8817472ac2ced4b88fd94dceb69e7cb0603872771a6737470a865e1d"
],
[
"p",
"69647d5b8817472ac2ced4b88fd94dceb69e7cb0603872771a6737470a865e1d"
],
[
"p",
"597022b3c20de92675ad38e490aa9b80cda1beed34e044ecc73d8e00c42c63eb"
],
[
"proxy",
"https://infosec.exchange/users/tychotithonus/statuses/115174447946899248",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/tychotithonus/statuses/115174447946899248",
"pink.momostr"
],
[
"-"
]
],
"content": "And to your solid point about the 70%, I forgot to math that out to illustrate the importance of protecting the remaining people who *aren't* reusing passwords. (And I know you know this, mostly posting for those following along).\n\nIn the 16 million bcrypt cost 12 case, if 70% of them can be \"pre-cracked\" with correlation, then the amount of time for the attack above to run for the remaining 30% drops from 300 days to 90 days. Which is an okay amount of time to buy between compromise and discovery, until we remember that you can have a lot more than two 4090s 😅, and of course, bcrypt parallelizes relatively well, such that a different hash like Argon2 or yescrypt is a better choice. But if bcrypt is the only option for some reason, bumping the work factor higher, if feasible, would be recommended.",
"sig": "61a957bf866eb45652c85983193174295294c02a20560480eb2f5ecabec4ace5f0ffb699b18d7dcb553664de2bd131814fa02324e5c45f892311a4dedf41152b"
}