Brute Force password cracking takes more time

Hive Systems has released its latest audit of how long passwords take to crack.

Depending on the length of the password and its composition — the mix of numbers, letters, and special characters — a password can be cracked instantly or take half a dozen eons to decipher.

Using today’s computers, four-, five-, and six-character passwords that contain only numbers can be cracked in seconds, but an 18-character passcode consisting of upper- and lowercase letters, symbols, and numbers would take over 19 quintillion years to crack.

Hive’s research last year found that 11-character passwords can be cracked instantly using brute force. This year’s findings show the effectiveness of newer industry-standard password-hashing algorithms, such as bcrypt, for protecting passwords stored in databases. The same 11-character passcode now takes 10 hours.

In the past, companies used MD5 for password hashing, but it was neither secure nor robust. Alex Nette, CEO and co-founder of Hive, explained that companies now use bcrypt, which is much more robust.

The good news is that websites and businesses are using stronger password-hashing algorithms, which has increased cracking times. As computing power grows, however, those times will fall again.
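The table Hive publishes is, at its core, a keyspace calculation: the character classes in a password fix the alphabet, the length fixes the exponent, and the hash algorithm fixes how many guesses per second an attacker can try. The following estimator is an added example, not Hive’s code; the guess rates are constructed, illustrative figures, and the 32-symbol class size is an assumption (ASCII punctuation), not Hive’s number.

```python
import string

# Character-class sizes used by typical brute-force tables. The 32-symbol
# figure is an assumption (ASCII punctuation), not a figure from Hive's table.
CLASS_SIZES = {"digits": 10, "lower": 26, "upper": 26, "symbols": 32}

def charset_size(password: str) -> int:
    """Alphabet size a brute-forcer must cover: the union of classes present."""
    present = {
        "digits": any(c in string.digits for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "symbols": any(c in string.punctuation for c in password),
    }
    return sum(size for name, size in CLASS_SIZES.items() if present[name])

def keyspace(password: str) -> int:
    """Worst case: every string of this length over this alphabet."""
    return charset_size(password) ** len(password)

def crack_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case exhaustive search time; an attacker needs half of it on average."""
    return keyspace(password) / guesses_per_second

def humanize(seconds: float) -> str:
    """Render a duration the way cracking tables do (instant, hours, years...)."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "instant" if seconds < 1 else f"{seconds:.1f} seconds"

# Constructed, illustrative guess rates (not measured figures): a fast,
# unsalted hash such as MD5 versus a deliberately slow one such as bcrypt.
FAST_HASH_RATE = 1e11  # guesses/second, hypothetical MD5-class rate
SLOW_HASH_RATE = 1e5   # guesses/second, hypothetical bcrypt-class rate

if __name__ == "__main__":
    # Same keyspace, so the slow hash buys exactly FAST/SLOW = 1,000,000x more time.
    for pw in ["123456", "Tr0ub4dor&3", "correct-Horse-Battery-Staple7!"]:
        print(f"{pw!r:34} charset={charset_size(pw):3}  "
              f"fast: {humanize(crack_seconds(pw, FAST_HASH_RATE)):>22}  "
              f"slow: {humanize(crack_seconds(pw, SLOW_HASH_RATE)):>22}")
```

Changing the hash does not shrink the keyspace; it only changes the guess rate, which is why the same 11-character password moves from instant to hours while the table’s structure stays the same.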

The Tradeoffs of Hashing

Hashing passwords with a strong algorithm is an excellent security practice. However, it has drawbacks. Nette said that stronger hashing slows down the process. “Bcrypt is safer, but it can make it difficult to log in or slow down a website if there are too many hashing steps.”

He added: “If we used the best encryption, a site could be completely unusable by users on the Internet, so there is usually a compromise. That compromise may end up as an opportunity for hackers.”
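The compromise Nette describes is a tunable work factor: the site picks how expensive each hash is, which sets both the attacker’s guess rate and the legitimate user’s login latency. The example below is added here and is not Hive’s or any vendor’s code; it assumes the standard library’s PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (both expose a cost knob with the same tradeoff) and shows calibrating that knob to a latency budget plus the rehash-on-login step an organization needs when it raises the cost later.

```python
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt; "iterations"
# plays the role of bcrypt's cost parameter. Record format is constructed:
#   iterations$salt_hex$digest_hex   (self-describing, so old records verify)

def hash_password(password: str, iterations: int, salt: bytes = b"") -> str:
    """Hash with a per-password random salt and an explicit work factor."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def needs_rehash(record: str, current_iterations: int) -> bool:
    """True when a stored hash is weaker than today's policy (rehash on next login)."""
    return int(record.split("$")[0]) < current_iterations

def calibrate_iterations(target_seconds: float, start: int = 1_000) -> int:
    """Double the work factor until one hash costs at least target_seconds here.

    This is the login-latency budget Nette describes: a higher result is
    slower for attackers per guess, and equally slower for every legitimate login.
    """
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration-only", b"\x00" * 16, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2

if __name__ == "__main__":
    cost = calibrate_iterations(0.05)          # budget: ~50 ms per login on this host
    record = hash_password("correct horse", cost)
    print(f"calibrated iterations={cost}; verify ok={verify_password('correct horse', record)}")
    old = hash_password("correct horse", 1_000)  # a record written under a weaker policy
    print(f"legacy record needs rehash: {needs_rehash(old, cost)}")
```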

Jason Soroko, senior vice president for product at Sectigo, a global digital certificate provider, told TechNewsWorld that MD5 will continue to be widely used, in particular for large databases of passwords, because of its smaller size and greater efficiency.

MJ Kaufmann, an author and instructor with O’Reilly Media, the Boston-based operator of an online learning platform, acknowledged that the use of stronger hashing algorithms has made passwords more difficult to crack. However, she maintained that only organizations that have changed their code benefit from it.

She told TechNewsWorld that the changeover is slow because it is time-consuming and requires significant updates for compatibility. Many organizations will continue to use older algorithms in the near future.

Worst Case Scenario for Hackers

Kaufmann noted that great advances have been made in data protection in recent years. “Organizations are finally taking data protection more seriously thanks to regulations like the GDPR that have effectively given consumers greater power by imposing harsh penalties on companies,” explained Kaufmann.

She continued: “Many organizations have increased their data protection in anticipation of future regulation.”

Hackers are less interested in cracking passwords than they used to be. Kaufmann explained that cracking passwords is not a priority for adversaries. “In general,” Kaufmann said, “attackers look for the least amount of resistance when they are planning an attack. They often do this by phishing, or by using stolen passwords from other attacks.”

Soroko from Sectigo said: “Although it’s interesting to see how much time it takes to brute-force hash passwords, we must also understand that social engineering and keylogging malware are responsible for many stolen usernames and credentials.”

The study shows that strong passwords render brute-force attacks all but useless to an attacker, he said.

Nette said that Hive’s password-cracking table represents the worst case scenario for a hacker. He said that the table assumes that a hacker has been unable to crack a password using other methods and must brute-force a password. “The other methods could reduce the time it takes to obtain a password, if they are not instant.”

Log In, Don’t Break In

Adam Neel of Critical Start, a national provider of cybersecurity services, said that phishing is becoming more popular as password-hashing standards improve.

“Attackers are likely to choose the easiest route, i.e. a password that will take them months or even a few years to crack,” he said in a TechNewsWorld interview. Social engineering is now easier for attackers to perform with the help of AI, which lets them create convincing emails and messages.

Stephen Gates, a security subject matter expert at Horizon3 AI, a San Francisco-based maker of an autonomous penetration testing solution, noted that hackers today don’t need to hack systems; they simply log in.

“Through stolen credentials via phishing attacks, third-party breaches — that include credentials — and the dreaded credential reuse problem, credentials are still the number one issue we see as the method attackers use to gain footholds in an organization’s networks,” he told TechNewsWorld.

“Also there is a tendency for administrative users to select weak passwords or use the same password across multiple accounts. This poses a risk that attackers have and can exploit,” he said.

He continued: “In addition, some levels of admin accounts or IT type accounts are not subject to the password policy or requirements for length.” This lax approach to credential management could be due to a lack of awareness of how attackers use low-level accounts to gain high-level access.

Passwords Are Here To Stay

It is unlikely that passwords will be eliminated, according to Darren Guccione, CEO of Keeper Security, a Chicago-based company that offers online password storage and management.

He continued: “It’s important to acknowledge, however, that passkeys won’t replace passwords anytime soon, if at all. Only a fraction (a tiny percentage) of the billions of websites that exist today support passkeys. This very limited adoption is due to a number of factors, such as the support provided by the underlying platforms, website adjustments and user-initiated settings.”

He said that while we are moving closer to a passwordless or hybrid future, it is not a “one-size-fits-all” approach. “Businesses must carefully evaluate their security requirements, regulations, and user needs in order to implement practical, effective password alternatives.”