Time2Crack

Relevance: Founding methodology for the realistic estimate of password force. Wheeler (2016) states that entropy-based meters (NIST, OWASP) significantly overestimate safety. Time2Crack follows this approach: estimate the cost of the best known attack, not theoretical entropy.

Relevance: Critical analysis of biases in password force models. Shows that dataset bias results. Time2Crack uses rockyou2021 (32.6M weighted passwords) to minimize this bias.

Relevance: Major comparative study (USENIX 2023) of 12 password strength meters out of 14 real dataset. Determines that:

• Weighted Spearman correlation ρ is the standard metric to evaluate accuracy
• Scientific target: ρ > 0.85 for good calibration
• No meter exists without compromise (zxcvbn: ρ=0.76, Hive Systems: ρ=0.68)

Time2Crack aims ρ > 0.80 overall.

Relevance: Systematic evaluation framework for password strength meters (2018). Recommend: Spearman correlation + Kullback-Leibler divergence for offline attacks. Time2Crack incorporates these two metrics.

Relevance: Introduces metric α-Guesswork (Gα) : proportion of passwords cracked with G attempts. Evaluate the practical safety of the model.

Relevance: Founding comparison of probabilistic models (Markov, PCFG, neural). Determines that attacks by combination of words are underestimated by naive formulas (row multiplication = false independence hypothesis). Time2Crack corrects this with rockyou empirical calibration.

Relevance: Founding methodology of PCFG (Probabilistic Context-Free Grammar). Established:

• Structure breakdown (L=letter, D=digit, S=symbol)
• Skeleton threshold 20-50 to capture real structures
• Validation on real datasets (LinkedIn, Yahoo, RockYou)

Time2Crack uses SKELETON THRESHOLD=100 (revision to decrease to 30-50).

Relevance: Next-Gen PCFG expansion with performance improvements and accuracy. Valid approach PCFG on millions of passwords.

Relevance: Foundations of attacks by dictionary and groove tables. Sets that dictionary + mutations covers ~95% of passwords in practice.

Relevance: NIST recommendations for selecting passwords and hash algorithms. Established:

• bcrypt, scrypt, PBKDF2, Argon2 as acceptable algorithms
• MD5, SHA-1 unsalted are not acceptable (rainbow tables)
• dictionaries of 100k+ recommended words for attacks

Relevance: Industrial benchmark reference with 12× RTX 4090 GPUs. Time2Crack uses this profile as a baseline "experienced attacker" (12 GPU cluster).

Relevance: GPU speed study for hash cracking. Sets benchmarks for MD5, SHA-1, NTLM, bcrypt with modern GPU.

Relevance: Official Hashcat Benchmarks on RTX 4090 for all hash algorithms. Time2Crack uses these numbers as single GPU speeds and multiplies them by 12 for the experienced profile.

Relevance: First system to exceed 330 GH/s NTLM (8 GPU cluster). Validated by industry as a multi-GPU reference.

Relevance: Commercial GPU infrastructure available (100-1000 GPU clusters). Time2Crack uses for professional profiling (~100 GPU).