How weak is YOUR password? Graphic shows exactly how long it would take hackers to break it
As annoying as the incessant requests for longer and harder-to-remember passwords are, experts say there’s a good reason for the nuisance.
It has become increasingly easier for hackers to guess your password as computer processing speeds have increased.
With the massive cloud-based computing power now available for anyone to rent — and massive supercomputers out there, like the one ChatGPT was trained on — cybersecurity firm Hive Systems says a truly professional hacker can access your secrets almost instantly.
The company has created a new table that shows how secure or vulnerable your password is, based on the number of characters and the diversity of characters you’ve used.
They say you need a completely random password at least 12 characters long, combining numbers, special symbols, and uppercase and lowercase letters, if you even want to keep an amateur hacker out of your account, given the power of contemporary consumer desktop hardware.
Hive Systems, a cybersecurity company, recommends passwords longer than 12 characters consisting of any combination of numbers, symbols, and upper and lower case letters.
Hive has now updated its table to better illustrate password vulnerability, organized by number of characters and the diversity of numbers, letters, and symbols used.
One of the company’s main takeaways: passwords consisting of only a series of numbers are by far the easiest to hack, with even 11-digit passcodes now guessable in an instant. If your password is six characters or fewer, they say, it might as well not exist.
Fresh for 2023, the group also removed some special characters from the password analysis and test, recognizing that most websites and services will only accept these eight symbols in addition to the usual alphanumeric options: ^*%$!&@#
For comparison, the group took the example of the guidelines of the US National Institute of Standards and Technology.
NIST recommends a random, complex password of at least eight characters that includes numbers, uppercase and lowercase letters, and special symbols.
According to Hive, such a password, which used to take four hours to crack via brute force, can now be correctly guessed in just one hour.
But hackers can act even faster if they can leverage consumer cloud computing. In those cases, that random, complex 8-character password can be guessed in minutes.
If the hacker had access to top-notch enterprise-level cloud computing, Hive says he could guess that kind of password almost instantly.
But what has really changed dramatically, the Hive team says, are the processing speeds of the best consumer graphics cards, or graphics processing units (GPUs).
When the team created their first password table in 2020, they based their time estimates on a 2018 GPU (the RTX 2080 graphics card) and security best practices for 2018, (MD5 hashing).
“That still turns out to be the assumption many ‘How strong is my password?’ sites go by,” Hive reports on its methodology page for this year’s analysis.
“The best GPU of 2022, whether you were gaming or amateur crypto mining, was the RTX 4090.”
As Hive’s comparison of password-cracking speeds for the RTX 2080, RTX 3090, and RTX 4090 shows, the range of truly strong passwords is shrinking every year.
When Hive created their first password table in 2020, the group based their time estimates on a 2018 GPU, the RTX 2080 graphics card, and compared it to 2018 security best practices.
In recent years, the security group found that newer RTX 3090 graphics cards could crack about 70 billion hashes per second (H/s). Hashes are a scrambled version of user passwords, which is what standard password-protected services and sites store instead of the password itself.
In 2022, the RTX 4090 was the best GPU, whether for gamers or amateur cryptominers. When Hive put the RTX 4090 to the test, only very long, complex passwords were safe.
When creating their table in 2022, Hive first based its data on the time it would take a hacker using only a consumer-budget desktop computer with a top-notch graphics card. They then also checked the numbers for cases where the hacker had a professional organized-crime budget and could afford to use cloud computing resources for cracking.
In the latter case, they looked at pricing and processing speeds for big names like Amazon AWS and Microsoft Azure as well as the growing market for independent options, where another person’s computer can be rented by the hour.
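The arithmetic behind a table like Hive’s is simple to reproduce: keyspace is charset size raised to the password length, and the worst-case crack time is that keyspace divided by the hash rate. The script below is an added illustration written for this article, not Hive’s own code or methodology; it assumes the roughly 70 billion MD5 hashes per second the article quotes for an RTX 3090, the 70-character set (alphanumerics plus ^*%$!&@#) the article describes, and exhausting the whole keyspace as the worst case.

```python
# Character-set sizes behind the table's rows: digits only, lowercase only,
# upper+lower, alphanumeric, and alphanumeric plus the eight symbols the
# article says most sites accept (^*%$!&@#), for 70 characters in total.
SYMBOLS = "^*%$!&@#"
CHARSETS = {
    "numbers": 10,
    "lowercase": 26,
    "upper_lower": 52,
    "upper_lower_numbers": 62,
    "upper_lower_numbers_symbols": 62 + len(SYMBOLS),
}

# Assumed rate (from the article): ~70 billion MD5 hashes/s on an RTX 3090.
# Unsalted MD5 is the 2018 "best practice" the table is built around; a slow,
# salted password hash (bcrypt, scrypt, Argon2) cuts this rate by many orders.
RTX_3090_MD5_HPS = 70e9

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over the charset."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, hps: float) -> float:
    """Upper bound: time to try every candidate. A real run averages half of
    this, and a human-chosen (non-random) password falls far sooner."""
    return keyspace(charset_size, length) / hps


def human_time(seconds: float) -> str:
    """Render a duration the way the table does ("Instantly", "2 hours", ...)."""
    if seconds < 1:
        return "Instantly"
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "Instantly"  # not reached; seconds >= 1 always matches a unit


def crack_table(lengths=range(4, 19), hps: float = RTX_3090_MD5_HPS) -> dict:
    """{charset name: {length: rendered time}} for the given hash rate."""
    return {name: {n: human_time(worst_case_seconds(size, n, hps)) for n in lengths}
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for name, row in crack_table().items():
        print(f"{name:28s}", "  ".join(f"{n}:{t}" for n, t in row.items()))
```

Swapping in a different hash rate (for example, an estimate for a rented GPU cluster) regenerates the whole table, which is the comparison the article describes between consumer hardware and cloud budgets.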
Perhaps the most interesting aspect of their 2023 study was their work to estimate ChatGPT’s hacking power.
The machine-learning algorithm underlying ChatGPT was trained on a Microsoft Azure supercomputer, notes Hive, which has a network of about 10,000 NVIDIA A100 GPUs. The group estimated how fast such a network would be compared to other common graphics cards.
Hive couldn’t directly test the 10,000 A100 GPUs that trained ChatGPT, but they were able to extrapolate from computational speeds that scale with password-cracking speeds.
The dramatically reduced green space on their ChatGPT password table shows just how powerful hackers can be with ChatGPT’s training hardware.
While Hive couldn’t test a 10,000-GPU A100 cluster directly, they were able to make concrete extrapolations based on computational speeds that scale linearly and directly with password-cracking speeds.
One caveat Hive notes in their methodology report is that their tables assume users have a truly randomly generated password. That means that even if you use a complex variety of numbers, symbols and letters, your password is more vulnerable if you make it up yourself.
“Nonrandomly generated passwords are much easier and faster to crack,” says Hive, “because people are pretty predictable.”
Hive’s tables also assume that a user’s password has not already been leaked in one of the many notorious data breaches reported in recent years. They say it’s worth checking if your favorite password is already available.