Organizations are increasingly adopting passwordless authentication; however, passwords are still the most common method of securing accounts. The problem with passwords is that they can be guessed, and with modern GPUs, brute-force guessing can crack weak passwords incredibly quickly. Passwords of 6 characters, for instance, can be guessed instantly, regardless of the letters, numbers, and special characters used.
Each year, Hive Systems conducts research to determine how long it takes to crack passwords and publishes an annual table that clearly demonstrates why the length and makeup of passwords make a real difference to security. To produce the table, Hive Systems assesses the relative strength of hashed passwords against brute-force guessing attempts, broken down by complexity and length, and gives the time it would take a hacker with a consumer budget to crack them using a desktop computer with a top-level consumer-grade graphics card. For comparison, Hive Systems also calculates how long it would take an advanced, well-resourced hacker, such as a member of an organized crime gang with access to cloud compute resources, to crack a password. There has also been a new development since last year’s table: the launch of ChatGPT, which was also factored into the calculations.
In past years, Hive Systems based its analysis on a wide range of special characters, which naturally allowed considerable variety when creating passwords; this year’s table is more realistic, since the special characters included in the analysis more closely reflect those that websites accept when passwords are created: ^*%$!&@ and #. All other special characters were dropped. Cracking a password means starting from its hash, the value a hashing algorithm produces from the plaintext, then generating candidate combinations of keyboard characters, hashing each one, and comparing the result against the stored hash until they match. The researchers based their analysis on an application called Hashcat, which supports many different hashing algorithms.
Take a password of 8 characters, following the NIST recommendation of choosing a randomly generated 8-character string. Using a top-of-the-range GPU available in 2018 (RTX 2080), it would take 4 hours to crack such a password containing numbers, upper- and lower-case letters, and symbols. Today, using the latest GPUs (RTX 4090), it takes just 59 minutes, and if cloud resources are used, the time drops to just 19 minutes with 8 x A100 GPUs from Amazon AWS, and 12 minutes with 12.
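To make the arithmetic behind these figures concrete, here is an added Python example (not code from the article or from Hive Systems) that computes the keyspace for a given length and character mix, backs out the guessing rate implied by the article's 8-character, 59-minute figure, and renders a small strength table. The 70-character alphabet (10 digits, 26 lower-case, 26 upper-case, and the 8 symbols listed above) follows the article; the per-GPU rates and the linear scaling across GPUs are assumptions derived from the article's numbers, and the whole estimate applies only to a fast, unsalted hash, which the excerpt does not name. A deliberately slow algorithm such as bcrypt lowers the guessing rate by orders of magnitude, which is exactly why it is recommended for password storage.

```python
"""Keyspace and time-to-exhaust estimates for brute-force password guessing.

Added example: the character classes follow the article's 70-character
alphabet; the guessing rate is backed out of the article's own figures
(8 random characters, all classes, 59 minutes on one GPU) rather than
measured, so treat it as an assumption that holds only for a fast,
unsalted hash.
"""
import string

# Character classes. The symbol set is restricted to the eight characters
# the article says websites commonly accept.
CHARSETS = {
    "digits": string.digits,            # 10
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "symbols": "^*%$!&@#",              # 8
}
ALL_CLASSES = ("digits", "lower", "upper", "symbols")


def charset_size(classes):
    """Distinct characters available when the given classes are mixed."""
    return sum(len(CHARSETS[c]) for c in classes)


def keyspace(length, classes):
    """Number of candidate strings of exactly `length` drawn from `classes`.

    An exhaustive search hashes at most this many candidates; on average it
    finds the password after half of them, so this is the worst case.
    """
    return charset_size(classes) ** length


def seconds_to_exhaust(space, hashes_per_second):
    """Worst-case time to try every candidate at a given guessing rate."""
    return space / hashes_per_second


def implied_hash_rate(space, seconds):
    """Back out the guessing rate that exhausts `space` in `seconds`."""
    return space / seconds


def humanize(seconds):
    """Render a duration the way a password-strength table would."""
    if seconds < 1:
        return "instantly"
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            label = name if round(value) != 1 else name[:-1]
            return f"{value:,.0f} {label}"


def strength_table(lengths, class_sets, hashes_per_second):
    """Rows of (length, classes, worst-case time) for one guessing rate."""
    return [
        (n, "+".join(classes),
         humanize(seconds_to_exhaust(keyspace(n, classes), hashes_per_second)))
        for n in lengths
        for classes in class_sets
    ]


if __name__ == "__main__":
    # Assumption: the article's 59-minute figure is a full sweep of 70**8.
    single_gpu = implied_hash_rate(keyspace(8, ALL_CLASSES), 59 * 60)
    print(f"implied single-GPU rate: {single_gpu / 1e9:,.0f} GH/s")

    # Same arithmetic for the article's cloud figures (8 x A100, 19 minutes),
    # then scaled linearly to the 10,000-GPU case (another assumption).
    per_a100 = implied_hash_rate(keyspace(8, ALL_CLASSES), 19 * 60) / 8
    print(f"implied per-A100 rate:   {per_a100 / 1e9:,.0f} GH/s")
    cluster = seconds_to_exhaust(keyspace(8, ALL_CLASSES), per_a100 * 10_000)
    print(f"10,000 A100s, 8 chars:   {cluster:.1f} s")

    for length, classes, when in strength_table(
            range(6, 13), [("digits",), ("lower",), ALL_CLASSES], single_gpu):
        print(f"{length:2d} chars  {classes:<27} {when}")
```

Running the script reproduces the article's shape: 6 characters from the full alphabet fall in under a second at the implied single-GPU rate, 8 characters take 59 minutes by construction, and each extra character multiplies the worst case by 70, so 12 random characters already run to thousands of years on the same hardware. The 10,000-GPU estimate lands close to the article's "around 1 second", which is a useful sanity check that the figures are mutually consistent.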
While the researchers could not test the resources that were available to train ChatGPT, they were able to infer how long it would take using the 10,000 A100 GPUs that trained ChatGPT and worked out that it would take around 1 second to crack the password. Fortunately, even the most well-resourced hacker would be unlikely to use that number of GPUs to guess your password. The table below shows how long it would take a hacker using standard equipment to guess a password and clearly shows why password length and complexity matter. Of course, if your password is disclosed to someone in a phishing attack, it doesn’t matter how complex it is; your account can still be accessed. So, in addition to setting a strong password, make sure you also set up multi-factor authentication, ideally hardware-based multi-factor authentication.