Unlikely to be brute forced

Date: 2023-04-20 02:35 am (UTC)
From: (Anonymous)
It's more likely the passphrase/crack was obtained by other means than bruteforcing.

A 21 character password with upper+lower case, numbers and popular punctuation has about 65^21 combinations.

Sure, attackers can use many GPUs. Say you have 1 million devices that do 600 million SHA256 per second.

Say pbkdf2 with "only" 10,000 rounds of sha256.

65^21 x 10000 / (1 million x 600 million) seconds = 6.22206506 × 10^19 years. Sure, in theory you'd probably find it less than 50% of the way through, but in practice you're going to use a different method.

Thus I doubt the problem was with pbkdf2 and I suspect this article is a distraction from the actual methods used/vulnerability exploited.
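
The estimate in the comment above, as an added example that is not part of the original comment. It generalizes the arithmetic to any character-set size, length, round count and attacker hash rate, and adds a search for the shortest length that survives a given number of years. The function names are hypothetical, and the cost model (one SHA-256 per PBKDF2 round) is the comment's assumption.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(charset: int, length: int) -> float:
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(charset)


def exhaust_years(charset, length, kdf_rounds, devices, hashes_per_sec):
    """Years to try every candidate password.

    Assumption taken from the comment: each PBKDF2 round costs the
    attacker one SHA-256, so one guess costs kdf_rounds hashes.
    """
    candidates = charset ** length                 # exact integer keyspace
    guesses_per_sec = devices * hashes_per_sec / kdf_rounds
    return candidates / guesses_per_sec / SECONDS_PER_YEAR


def min_length(charset, target_years, kdf_rounds, devices, hashes_per_sec):
    """Shortest random password whose full search takes >= target_years."""
    length = 1
    while exhaust_years(charset, length, kdf_rounds,
                        devices, hashes_per_sec) < target_years:
        length += 1
    return length


# Attacker described in the comment: 1 million devices at
# 600 million SHA-256/s each, against PBKDF2 with 10,000 rounds.
ATTACKER = dict(kdf_rounds=10_000, devices=10**6, hashes_per_sec=600 * 10**6)

if __name__ == "__main__":
    print(f"21 chars from 65: {entropy_bits(65, 21):.1f} bits")
    for n in (8, 10, 11, 12, 16, 21):
        full = exhaust_years(65, n, **ATTACKER)
        # On average the password is found halfway through the search.
        print(f"length {n:2d}: full search {full:.3g} years, "
              f"expected {full / 2:.3g} years")
    print("shortest length lasting 1 year:", min_length(65, 1, **ATTACKER))
```
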

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
