Brute Force — Attack Methods

Project reference document Time2Crack

Recipients: developers, security researchers, advanced users

Overview

Historical and academic background

Math: Keyspace and entropy

Architecture of a brutal attack modern force

Calculation speeds by hash algorithm

Tanket detection in Time2Crack

Calculation of cracking time: rawTime()

Date reduction detected: detectDateAndReduce()

Monotonicity guard: floor of other attacks

HF calibration and the role of gross force

Comparison with other attacks

Theoretical and practical limitations

What brute force does not say

Effective defences

References

1. Overview

Crude force is the most fundamental attack in password cracking: it consists of testing systematically all possible combinations No intelligence, no heuristic — only the raw computing power against the size of the space to travel.

In Time2Crack, brute force plays a double role:

Modeled attack It represents the maximum theoretical time that an attacker would put, assuming no other exploitable vulnerability.

Floor (monotonicity guard) : it serves as a lower terminal for all other attacks — no specialized attack can legitimately display a time less than that which would take raw force on the alphabetical sub-chain of the password.

In practice, raw force is almost never the fastest attack on a real human password — PCFG, Markov or hybrid attack will be more effective. But for a truly random and long password, it represents reality: the attacker has no choice but to browse the space exhaustively.

2. Historical and academic background

2.1 Origins

The raw force precedes the computer: the principle of testing all possible combinations is used since the first mechanical encryption machines (Enigma during the Second World War). The bomb of Alan Turing was, in a broad sense, a device of raw force forced by a hypothesis of cribs.

With the advent of computers, the unix password force was formalized from the 1970s to the 1980s:

Year	Event
-------	------------
1979	Morris & Thompson: First academic article on Unix password security, with raw force analysis on /etc/passwd
1988	Morris Worm: first mass feat using, among other things, a dictionary and raw force password crack
1993	Crack 5.0 (Alec Muffett): first public cracking tool by raw force on Unix
2004	Ophcrack : groove tables + raw force on LM/NTLM hashes Windows
2007	GPU-accelerated cracking (Elcomsoft): first public use of the GPU to accelerate gross force
2012	Hashcat open source: reference tool, maximum GPU operation
2016	Hive Systems: Annual publication of tables "gross force by GPU" become industrial reference

2.2 Benchmarks

The GPU revolution changed the order of magnitude of the raw force. On CPU, an attacker of the 1990s tested ~10,000 MD5/second passwords. A RTX 4090 in 2024 in test 168.9 billion per second — an acceleration of 16 million times in 30 years.

Key academic sources :

Gosney, J (2012) : first multi-GPU public benchmark on LM/NTLM, showing 180 GH/s with 8 GPU
Hive Systems (2025) : annual tables calibrated on 12× RTX 4090, quoted by Forbes, CNBC, BBC
Sprengers, M. (2011) : Radboud University thesis on GPU cracking, mathematical formalization

3. Math bases: keyspace and entropy

3.1 Keyspace

Keyspace (keyspace) is the total number of possible passwords for a given length and tank:

keyspace = charset_size ^ length

Examples:

Charset	Size	Length	Keyspace	Rating
----------	--------	-----------	-----------	-----------
Single digits	10	8	108 = 100,000,000	~108
Minuscules alone	26	8	268 million	~2 × 1011
Alphanumeric	62	8	628 million	~2 × 1014
Full ASCII	95	8	958 billion	~6 × 1015
Full ASCII	95	12	9512 - 5.4 × 1023	~5 × 1023
Full ASCII	95	16	9516 - 4.4 × 1031	~4 × 1031

3.2 binary entropy

Entropy (measured in bits) is the logarithmic formulation of keyspace:

entropie = length × log₂(charset_size)

In Time2Crack (function entropy()) :

function entropy(pw) {
  return pw.length * Math.log2(getCharset(pw).size);
}

The relationship between entropy and keyspace:

keyspace = 2^entropie
entropie = log₂(keyspace)

Concrete examples :

Password	Charset	Length	Entropy	Keyspace
--------------	----------	-----------	-----------	-----------
"12345678"	10 (digits)	8	26.6 bits	108
"password"	26 (lower)	8	37.6 bits	268
Password1	62 (alphanum)	9	53.6 bits	629
"P@ssw0rd!"	95 (full ASCII)	9	59.3 bits	959
xQz7@mK9#2pL	95 (full ASCII)	12	79 bits	9512

3.3 Mathematical Hope: Keyspace / 2

Crude force does not always test keyspace Integer combinations — on average, it finds the password midway, as the target is equiprobably distributed in space.mathematical expectation the number of attempts is therefore:

tentatives_attendues = keyspace / 2

This is exactly what models bruteTime() in Time2Crack:

// "For brute force: expected value is keyspace/2 (uniform random search)"
function bruteTime(keyspace, rate) {
  const ls = Math.log(keyspace / 2) - Math.log(rate);
  return Math.exp(ls); // = (keyspace / 2) / rate
}

This division by 2 is correct under the assumption that the attacker travels the space linearly (non-repetitive). keyspace/2 Attempts.

14. Effective defences

14.1 User side: length and randomity

Gross force is defeated by two combined factors:

Length : each additional character multiplies the keyspace by charset_sizeFrom 8 to 12 characters (charset 95) multiplies the keyspace by 954 - 81 million.
True random : a cryptographically secure generator (CSPRNG) produces passwords that do not benefit from any probabilistic reduction. Markov, PCFG and Neural have no advantage over a really random password.
Practical recommendation :

Password Manager + Random Generation ≥ 16 characters with complete float = out of range of any raw force in a human life horizon

14.2 Server side: resistant algorithms

The choice of the hash algorithm multiplies or divides the raw force time by factors up to several million :

Recommendation	Algorithm	Reason
----------------	-------------	--------
Recommended	Argon2id	Memory-hard, GPU resistant
Recommended	bcrypt (cost ≥ 12)	Intentionally slow, salty
Acceptable	scrypt	Memory-hard but less standardized
Inadequate	SHA-256 salted	Too fast even with salt
Dangerous	MD5, SHA-1, NTLM	Non salty, extremely fast

15. Bibliographic references

Academics

Morris, R., & Thompson, K. (1979). Password security: A case history. Communications of the ACM, 22(11), 594–597. → Founding article on Unix password security
Sprengers, M. (2011). GPU-based password tracking (Master's theses). Radboud University Nijmegen. → Mathematical formalization of GPU cracking, benchmarks on single GPU
Wheeler, D.L. (2016). zxcvbn: Low-Budget Password Strength Estimate. 25th USENIX Security Symposium. → Data on effective keyspace (Table 2: -30% for structured passwords)
Dürmuth, M. et al. (2015). OMEN: Ordered Markov ENumerator. ESORICS 2015. → Comparative reference for probabilistic terminals vs gross force

Industry

Hive Systems. (2025). 2025 Hive Systems Password Table. https://www.hivesystems.io/password-table → Annual benchmarks on 12× RTX 4090, standard reference
Gosney, J (2012). 8x Nvidia GTX 1080 Hashcat benchmarks. GitHub Gist. → First public multi-GPU benchmark, historical reference
Hashcat. (2024). Official Hashcat benchmarks v6.2.6. https://hashcat.net/hashcat/ → Official speeds by algorithm, source of Time2Crack constants
NIST SP 800-63B. (2017, updated 2024). Digital Identity Guidelines: Authentication and Lifecycle Management. → Official recommendations on password length and complexity
OWASP. (2024). Password Storage Cheat Sheet. https://cheatssheetseries.owasp.org/cheatssheets/Password Storage Cheat Sheet.html → Recommendations on bcrypt (cost ≥ 12), Argon2id as modern standards

Document generated for Time2Crack project — last update : 2026-04-18 Based on implementation in app.js, raw functionsTime(), getCharset(), and monotonicity guard

The Brute Force Attack — Comprehensive Operation

Contents