That’s how long it takes to crack our password

Cybercriminals use two basic methods to crack passwords. In the first, words or combinations of words are tried, using dictionaries available in electronic form. The other is “brute force”, that is, trial and error: the attacker tries to recover the password by running through every possible combination. The latter approach always brings results; the only question is how long the attempt takes, which can be anywhere from minutes to thousands of years.

Apart from the worst online services, no online system stores the password itself. Instead, only the fingerprint of the password, created with a hash function, is written to the database. The distinguishing property of a hash is that it is one-way: the original information cannot be restored from the result, so an attacker can only try to crack the password, that is, try all kinds of inputs until one produces the desired hash.

For the second time this year, security company Hive Systems has published the Hive Systems Password Table, a chart that shows how many years it takes to crack a password based on the length and complexity of the password used, assuming the malicious party is an average hacker with a desktop computer and a high-end video card.

[Figure: Hive Systems Password Table]


The success of the attack largely depends on how computationally intensive the hash itself is, and cracking performance scales almost linearly as additional GPUs are added. For this reason, experts recommend a much more computationally intensive hash function for storing passwords. One widely accepted function of this kind is bcrypt, but many websites still use MD5 today.
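The effect of hash cost on guessing speed can be measured directly. The following is an added example, not code from the original article or from Hive Systems: it stores a password with a salted, deliberately slow hash and compares the per-guess cost with MD5. Because bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 stands in as the slow function; the iteration count, the storage format and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$digest_hex' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_guess(hash_fn, rounds: int) -> float:
    """Average wall-clock time of one hash computation on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"guess{i}".encode())
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive one slow-hash guess is than one MD5 guess."""
    salt = b"\x00" * 16  # constructed fixed salt, used for timing only
    fast = seconds_per_guess(lambda g: hashlib.md5(g).digest(), 20_000)
    slow = seconds_per_guess(
        lambda g: hashlib.pbkdf2_hmac("sha256", g, salt, ITERATIONS), 3)
    return slow / fast


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given length and alphabet."""
    return charset_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("verifies:", verify_password("correct horse battery staple", record))
    print(f"one slow-hash guess costs about {cost_ratio():,.0f} MD5 guesses")
```

The measured ratio is for a single CPU core and will differ on GPUs, but the same multiplier applies to every guess an attacker makes, which is why the choice of storage hash shifts every cell of the table.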

The 8-character passwords required by many websites are no longer a great challenge for hackers; in most cases they can be cracked almost immediately or within a few minutes. The time needed for cracking can be reduced even further by using multiple video cards or a cloud service that can be rented for a few dollars an hour.

When compiling the 2020 table, Hive Systems used an RTX 2080 GPU as the basis, and for the recent table an RTX 3090. An important characteristic of a video card is how many calculations it performs per second, typically measured in floating-point operations per second (FLOPS). Based on its performance, the RTX 2080 card can crack 37,085 million hashes per second (MH/s), while the RTX 3090 already manages 69.38 million, which is 86 percent more. The worse news is that cloud services can also be used by cybercriminals, so with enough money they can even deploy one of Amazon’s high-performance clusters. The e-commerce giant currently offers 8 Nvidia A100 Tensor Core GPUs in its service, easily pushing the RTX 2080’s 10 trillion FLOPS to 2,500 trillion FLOPS.

Therefore, a few simple rules of thumb should be taken into account when choosing a password: if possible, use both numeric and alphabetic characters, and include both upper and lowercase letters. As the table shows, however, the most important thing is the length of the password. Thus, if we want an easy-to-remember but hard-to-crack character string, we should use a passphrase instead of a password. Cracking an 18-character password with numbers, uppercase and lowercase letters, and symbols can take up to 438 trillion years.

The method and the various comparisons can be read in more detail on the Hive Systems site.


Source: HWSW Informatikai Hírmagazin by www.hwsw.hu.
