Bad news: Many of today’s best passwords can be cracked by brute force in less than an hour
If you don’t use random computer-generated passwords or one of the best password generators, there’s a good chance your logins could be cracked within an hour, research warns.
A new report on password strength, recently conducted by Kaspersky, noted that advances in computer processing power made password cracking significantly easier.
In their experiment, the researchers used a database of 193 million passwords taken from the dark web. These were stored hashed and salted, so the researchers still had to guess each password rather than read it directly.
Improvement of the algorithm
The researchers then used an Nvidia RTX 4090 GPU and tried to estimate the time needed to crack the passwords using various algorithms.
The key finding of the research is that some eight-character passwords can be cracked within 17 seconds. These passwords consisted of English letters in a single case plus digits, an alphabet of 36 possible characters. Looking at the entire database, it took the researchers less than an hour to crack more than half (59%) of the passwords.
The researchers tried several algorithms, including the hugely popular brute force attack. This method tries all possible password combinations, and while it is less effective for longer passwords and passwords with different character types, it was still able to crack many short and simple passwords with ease. They then tried to improve brute force by making it consider certain character combinations, words, names, dates, and sequences.
With the most efficient algorithm, the researchers guessed 45% of the passwords within a minute, 59% within an hour and 73% within a month. Only a quarter (23%) of passwords would take longer than a year to crack.
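To make the brute-force arithmetic behind the 17-second figure concrete, here is an added example (not code from the Kaspersky study or from the article): it infers the guess rate the reported numbers imply, assuming the 17 seconds covered the full 36^8 keyspace and ignoring the unstated hash algorithm, and estimates worst-case exhaustion time for a few constructed sample passwords.

```python
import math
import string

# Data point taken from the article: an 8-character password built from one case of
# English letters plus digits (36 symbols) was cracked in 17 seconds on an RTX 4090.
ARTICLE_ALPHABET = 36
ARTICLE_LENGTH = 8
ARTICLE_SECONDS = 17


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive brute-force search must try in the worst case."""
    return alphabet_size ** length


def implied_guess_rate() -> float:
    """Guesses/second implied by the article's figure, assuming 17 s covered the whole
    36^8 keyspace. Hash algorithm is not stated, so this is an inferred ceiling."""
    return keyspace(ARTICLE_ALPHABET, ARTICLE_LENGTH) / ARTICLE_SECONDS


def alphabet_size_for(password: str) -> int:
    """Effective alphabet an attacker must cover, judged by the classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def entropy_bits(password: str) -> float:
    """Brute-force entropy: length * log2(alphabet). Dictionary words score far lower
    in practice, which is why the smarter algorithms in the article beat plain brute force."""
    return len(password) * math.log2(alphabet_size_for(password))


def seconds_to_exhaust(password: str, rate: float = 0.0) -> float:
    """Worst-case time to exhaust the password's keyspace at `rate` guesses/second.
    Salting (as in the article's dataset) forces this cost per password, not once."""
    if rate <= 0:
        rate = implied_guess_rate()
    return keyspace(alphabet_size_for(password), len(password)) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords, not passwords from the study.
    for pw in ("abcd1234", "Abcd1234", "Abcd1234!", "correcthorse", "Tr0ub4dor&3xtra1"):
        print(f"{pw:18} {entropy_bits(pw):5.1f} bits  {human(seconds_to_exhaust(pw))}")
```

The figures are a ceiling for plain brute force; the article's dictionary- and pattern-aware algorithms reach common passwords far sooner than the keyspace suggests.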
To better protect accounts, Kaspersky recommends users use random computer-generated passwords, avoid meaningful words and names in passwords, and check password strength with the best password managers.
Finally, it advises users to check on HaveIBeenPwned? that their passwords do not appear in any leaked databases, and to use a unique password for every website.