Time to ditch eight-character passwords – they may no longer be enough in 2024


Advancements in computing power now allow the cracking of any 8-character-long password in a reasonable amount of time, even if it’s hashed. The standard recommendation now is to have a strong password of at least 16 characters.

According to a new report by cybersecurity company Hive Systems, no amount of creativity will save a short password from crackers, especially if they’re stored in weak hashes.

A single graphic card, such as Nvidia RTX 4090, is already a capable device at cracking passwords.

A “strong” 8-character length password may include numbers, uppercase and lowercase letters, and symbols, but if it is stored in MD5 hash, a single RTX 4090 will crack it in 59 minutes.

MD5 hashes have not been recommended for storing passwords for a while now, as they’re too insecure. However, many services online still rely on them.

The more secure storing solution is bcrypt hashes with a sufficiently high number of iterations. Bcrypt is designed to be more taxing on hardware and, therefore, takes longer to crack.

A single RTX 4090 would need to chug for 99 years to crack 8-character bcrypt password hashes set to 32 iterations (2^5), which is considered a very low iteration count.

passwords-time2

Any experienced attacker could use more hardware or buy cloud resources to speed up the brute forcing. Twelve graphic cards RTX 4090 will crack the same password in 7 years if it contains symbols and numbers. If the password only contains lowercase letters, the job will be done in 22 hours, the Hive Systems report shows.

If a state-sponsored actor really wants to crack your password, it could probably arrange some time with 10,000 GPUs like the Nvidia A100. Then, the hardest 8-character-long password would be revealed in just five days.

Using only 32 iterations (2^5) for bcrypt is insecure, and security experts usually recommend using at least 2^12 cost (4096 iterations) or 2^14 (16384 iterations) for bcrypt to be effective.

However, the problem is that users usually have no way of telling what algorithm their service provider uses to store passwords. While many still use MD5, leaks in the past revealed that some companies even stored passwords in plain text.

The brute force method for cracking passwords is the least effective and rarely used. Hackers often rely on so-called dictionary attacks that try different passwords by systemically guessing every word from a pre-compiled list containing previously leaked passwords, dictionary words, and permutations.

If one’s password contains dictionary entries or has already appeared in any known data leak, it could be cracked immediately.

password-time3

“People are predictable”

Hive Systems noted that non-randomly generated passwords are much easier and faster to crack “because humans are fairly predictable.” Therefore, the calculated timeframes are “the best case” reference point (or the worst if you are a hacker).

“These metrics assume you’re using a password that has not been part of a breach in the past. Attackers will try hashes to all common and breached passwords before bothering to crack new ones,” Hive Systems said.

Researchers warn that criminals like to keep their stashes of passwords secret to gain more leverage.

“You won’t find the LastPass breach represented in HaveIBeenPwned. Why? Because the trove of passwords hasn’t surfaced in public yet! Imagine how many stolen secrets and vulnerabilities never reach the light of day or even the dark web.”

The US Cybersecurity and Infrastructure Security Agency (CISA) recommends that a strong and unique password be at least 16 characters long (even longer is better) and random “like a string of mixed-case letters, numbers, and symbols (the strongest!) or a passphrase of 5 –7 random words.”


More from Cybernews:

Label working with Snoop Dogg and Iggy Azalea faces cyberthreat

ByteDance prefers TikTok shutdown in US if legal options fail

CISA’s ransomware warnings helped patch 852 vulnerabilities

BerryDunn suffers third-party breach, 1M affected

Qualcomm announces new chip in a bid to compete with Apple and Intel

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked