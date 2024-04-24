Cybersecurity


Brute Force Password Cracking Takes Longer, But Celebration May Be Premature


Brute force cracking of passwords takes longer now than in the past, but the good news is not a cause for celebration, according to the latest annual audit of password cracking times released Tuesday by Hive Systems.

Depending on the length of the password and its composition — the mix of numbers, letters, and special characters — a password can be cracked instantly or take half a dozen eons to decipher.

For example, four-, five-, or six-number-only passwords can be cracked instantly with today’s computers, while an 18-character password consisting of numbers, upper- and lower-case letters, and symbols would take 19 quintillion years to break.

Last year, Hive’s research found that some 11-character passwords could be cracked instantaneously using brute force. This year’s findings revealed the effectiveness of newer industry-standard password hashing algorithms — like bcrypt — for protecting passwords stored in databases. Now, that same 11-character password takes 10 hours to crack.

“In years past, companies were using MD5 encryption to hash passwords, which isn’t very secure or robust. Now they’re using bcrypt, which is more robust,” explained Hive CEO and Co-founder Alex Nette.

“The good news is websites and companies are making good decisions to use more robust password-hashing algorithms, so cracking times are going up,” he told TechNewsWorld, “but given the increases in computer power, those times will start to go down again, as they have in years past.”

Encryption Tradeoffs

While hashing passwords with a deliberately slow algorithm is good security practice, there are tradeoffs. “Encryption slows things down,” Nette noted. “Bcrypt is more secure, but if you create too many iterations of the hashing, it could make it slow to log into a website or make the site load slower.”

“If we had the best encryption in place, a website could be totally unusable for users on the internet, so there’s usually a compromise,” he added. “That compromise could end up being an opportunity for hackers.”
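The arithmetic behind a cracking-time table, and the server-side tradeoff Nette describes, can be sketched in a few lines. This is an added example, not code from the article or from Hive Systems; the attacker guess rates and the server's verification throughput are constructed assumptions, chosen only to show how the cost factor moves both the attacker's and the website's numbers.

```python
"""Added example: a back-of-the-envelope brute-force cost model for a password
hash with a tunable work factor. All rates below are constructed assumptions."""

# Character-class sizes used by password-strength tables like Hive's.
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 33
ALL_CLASSES = DIGITS + LOWER + UPPER + SYMBOLS  # 95 printable ASCII characters

# Assumed (constructed) attacker throughput for a fast unsalted hash such as
# MD5, and for bcrypt at cost factor 5. Illustrative only, not measured.
FAST_HASH_GUESSES_PER_SEC = 50e9
BCRYPT_COST5_GUESSES_PER_SEC = 1e6
# Assumed (constructed) server throughput: bcrypt verifications/s at cost 5.
SERVER_VERIFIES_PER_SEC_COST5 = 2e3


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates an exhaustive search over this length/charset covers."""
    return charset_size ** length


def bcrypt_rate(cost: int, base_rate: float = BCRYPT_COST5_GUESSES_PER_SEC) -> float:
    """bcrypt runs 2**cost key-setup rounds, so each +1 on the cost factor
    halves the attacker's guess rate (and doubles the server's verify time)."""
    return base_rate / (2 ** (cost - 5))


def seconds_to_exhaust(length: int, charset_size: int, guesses_per_sec: float) -> float:
    """Worst case for the attacker: time to try every candidate in the keyspace."""
    return keyspace(length, charset_size) / guesses_per_sec


def login_verify_ms(cost: int) -> float:
    """Server-side cost of one password check at the given bcrypt cost factor."""
    return 1000.0 / (SERVER_VERIFIES_PER_SEC_COST5 / (2 ** (cost - 5)))


def human(seconds: float) -> str:
    """Round a duration to its coarsest unit, the way cracking tables present it."""
    if seconds < 1:
        return "instantly"
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    for length in (8, 11, 18):
        fast = human(seconds_to_exhaust(length, ALL_CLASSES, FAST_HASH_GUESSES_PER_SEC))
        slow = human(seconds_to_exhaust(length, ALL_CLASSES, bcrypt_rate(12)))
        print(f"{length:2d} chars, all classes: fast hash {fast:>24} | bcrypt cost 12 {slow:>24}")
    for cost in (5, 10, 12, 14):
        print(f"bcrypt cost {cost:2d}: ~{login_verify_ms(cost):7.1f} ms per login check (assumed server)")
```

Raising the cost factor by one halves the attacker's rate but also doubles the per-login cost on the server, which is exactly the compromise Nette describes.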

“Bcrypt delivers a 56-byte hash versus a 16-byte for MD5, which accounts for the much stronger resistance to brute force attacks,” noted Jason Soroko, senior vice president of product for Sectigo, a global digital certificate provider.

“MD5 is still in wide usage and will probably continue to be, especially for large password databases due to the smaller and more efficient size,” he told TechNewsWorld.

MJ Kaufmann, an author and instructor with O’Reilly Media, a Boston-based operator of a learning platform for technology professionals, acknowledged that stronger hashing algorithms have played a role in making it harder to crack passwords, but maintained that they only help organizations that have changed their code to adopt the algorithms.

“As this change is time-consuming and may require significant updates for compatibility, the shift is slow, with many organizations still using weaker algorithms for the near future,” she told TechNewsWorld.

Worst Case Scenario for Hackers

Kaufmann noted that great strides have been made in recent times to protect data. “Organizations have finally started to take data protection seriously, partially due to regulations such as GDPR, which has effectively given more power to consumers through harsh penalties to companies,” she explained.

“Because of this,” she continued, “many organizations have expanded their data protection across the board in anticipation of future regulations.”

(Image: Hive Systems’ table of times to crack a password in 2024)

While it may take longer for hackers to crack passwords, cracking isn’t as important to them as it used to be. “Cracking passwords is not that important to adversaries,” Kaufmann said. “In general, attackers look for the path of least resistance in an attack, frequently accomplished by stealing passwords through phishing or leveraging passwords stolen from other attacks.”

“As fun as it is to measure the amount of time it takes to brute force hashed passwords, it is critical to understand that keylogging malware and credential harvesting by social engineering tactics account for a huge number of stolen username and password incidents,” added Sectigo’s Soroko.

“The study also makes the point that password reuse renders all brute force methods unnecessary for the attacker,” he added.

Nette acknowledged that Hive’s table of password-cracking times represents a worst-case scenario for a hacker. “It assumes a hacker was unable to get someone’s password through other techniques, and they have to brute force a password,” he said. “The other techniques could make the time to get a password lower, if not instantly.”

Log In, Don’t Break In

“Cracking passwords has remained an important form of compromise for attackers, but as password encryption standards increase, other methods of compromise such as phishing become even more appealing than they already are,” added Adam Neel, a threat detection engineer at Critical Start, a national cybersecurity services company.

“If it is likely that the average password will take months or even years to crack, then attackers will take the route of least resistance,” he told TechNewsWorld. “With the assistance of AI, social engineering has become even more accessible to attackers through the form of crafting convincing emails and messages.”

Stephen Gates, a security subject matter expert at Horizon3 AI, maker of an autonomous penetration testing solution, in San Francisco, noted that today, hackers don’t have to hack into systems; they log in.

“Through stolen credentials via phishing attacks, third-party breaches — that include credentials — and the dreaded credential reuse problem, credentials are still the number one issue we see as the method attackers use to gain footholds in an organization’s networks,” he told TechNewsWorld.

“Also, there’s a tendency among administrative users to choose weak passwords or reuse the same passwords across multiple accounts, creating risks that attackers can and have exploited,” he added.

“In addition,” he continued, “some levels of admin or IT-type accounts are not always subject to password reset or length policy requirements. This rather lax approach to credential management could stem from a lack of awareness about how attackers often use low-level credentials to get high-level gains.”

Passwords Here To Stay

The simple way to eliminate the password cracking problem would be to eliminate passwords, but that doesn’t look likely. “Passwords are intrinsic to the way our modern lives function across every network, device, and account,” declared Darren Guccione, CEO of Keeper Security, a password management and online storage company in Chicago.

“Nonetheless,” he continued, “it’s vital to acknowledge that passkeys will not supplant passwords in the near future, if ever. Among the billions of websites in existence, only a fraction of a percent currently offer support for passkeys. This extremely limited adoption can be attributed to various factors, including the level of support from underlying platforms, the need for website adjustments, and the requirement for user-initiated configuration.”

“While we inch closer to a passwordless or hybrid future, the transition is not a one-size-fits-all approach,” he said. “Businesses need to carefully assess their security requirements, regulatory constraints, and user needs to identify and implement effective, practical password alternatives.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.
