Password Security Demo

Step 1: Select Your Event / Classroom

This demo is running as a live event. Your instructor has created a dedicated room (event) for your class session — multiple instructors may be running this demo simultaneously in different classrooms. Please select the correct event or room that matches your current class session.

Step 3: Enter Your Password

Format: DDMMYYYY   Example: 15031998

⚡ SHA-256 Hash Generated:
...
This 64-character string is the "fingerprint" of your password. It is the only thing sent to the server.


📚 About This Project

This application is a security demonstration designed to show how authentication works in modern web apps — and why certain common practices are dangerous.

🔒 How Hashing Works

When you type or pick your birthday, your browser runs it through a hash function (SHA-256). The result is a 64-hexadecimal-character fingerprint, and only that fingerprint is sent to the server. Your actual birthday never leaves your device.

🐄 The Cow to Burger Analogy:
Think of it like turning a cow into a burger. It is easy to go from cow → burger, but absolutely impossible to reconstruct the original cow from the burger. Hashing is a one-way mathematical function designed exactly like this.

Your password is never sent to the server. Instead, your browser computes this one-way fingerprint — and only the hash is transmitted.

⚠ The Illusion of Safety:
Even though we use a secure SHA-256 hash (meaning the server never sees your password), this system is still trivially broken. Why? Because a birthday is drawn from a tiny, predictable set of values.

An attacker doesn't need to "reverse" the hash. They simply brute-force the input space: take every possible date in a 100-year range (~36,500 dates), hash each one with the same SHA-256, and compare each result with the hash they captured. On a modern computer this takes less than a second. This project proves that even with strong math (hashing), a weak or predictable password makes your security irrelevant.

🔢 Password Character Space & Brute Force Times

The character space of a password is the total number of possible combinations an attacker must try to guarantee cracking it. This table shows various password types ranked by strength (weakest → strongest), the size of their character space, and how long a worst-case brute-force attack would take on two attack platforms: a single browser tab (about 1 million hashes per second) and an NVIDIA RTX 4090 GPU (about 22 billion hashes per second):

Password Type               | Character Set        | Formula       | Combinations (Digit Count) | Browser (1M/s)      | GPU NVIDIA RTX 4090 (22B/s)
----------------------------|----------------------|---------------|----------------------------|---------------------|----------------------------
4-digit PIN                 | Digits 0–9           | 10^4          | 10,000 (5 digits)          | ~10 ms              | Instant
8-digit birthday (DDMMYYYY) | Valid calendar dates | ~36,525 dates | 36,525 (5 digits)          | ~36 ms              | Instant
6-digit number              | Digits 0–9           | 10^6          | ~1.00 × 10^6 (7 digits)    | ~1 second           | Instant
8-char lowercase only       | a–z (26 chars)       | 26^8          | ~2.09 × 10^11 (12 digits)  | ~2.4 days           | ~9.5 seconds
8-char alphanumeric         | a–z, A–Z, 0–9 (62)   | 62^8          | ~2.18 × 10^14 (15 digits)  | ~6.9 years          | ~2.8 hours
8-char + special chars      | 94 printable ASCII   | 94^8          | ~6.10 × 10^15 (16 digits)  | ~193 years          | ~3.2 days
12-char alphanumeric        | a–z, A–Z, 0–9 (62)   | 62^12         | ~3.23 × 10^21 (22 digits)  | ~102 million years  | ~4,647 years
12-char + special chars     | 94 printable ASCII   | 94^12         | ~4.76 × 10^23 (24 digits)  | ~15.1 billion years | ~685,500 years

💡 Key Takeaways

  • Birthdays are trivial to crack — under 40 milliseconds, even in a browser
  • Length beats complexity — 12-char alphanumeric (102M years) >> 8-char + special chars (193 years)
  • GPUs obliterate weak passwords — what takes 6.9 years in a browser falls to 2.8 hours on a $1,600 GPU
  • This assumes NO salting and a single fast SHA-256 per guess — salting defeats precomputed tables and forces every account to be attacked separately, and a deliberately slow password hash raises the cost of each guess; together they make the GPU column far less favourable to the attacker, even for weak passwords