Brute Force Password Cracking Takes Longer, But Celebration May Be Premature

Brute force cracking of passwords takes longer now than in the past, but the good news is not a cause for celebration, according to the latest annual audit of password cracking times released Tuesday by Hive Systems.

Depending on the length of the password and its composition — the mix of numbers, letters, and special characters — a password can be cracked instantly or take half a dozen eons to decipher.

For example, four-, five-, or six-number-only passwords can be cracked instantly with today’s computers, while an 18-character password consisting of numbers, upper- and lower-case letters, and symbols would take 19 quintillion years to break.

Last year, Hive’s research found that some 11-character passwords could be cracked instantaneously using brute force. This year’s findings revealed the effectiveness of newer industry-standard password hashing algorithms — like bcrypt — for encrypting passwords in databases. Now, that same 11-character password takes 10 hours to crack.

“In years past, companies were using MD5 encryption to hash passwords, which isn’t very secure or robust. Now they’re using bcrypt, which is more robust,” explained Hive CEO and Co-founder Alex Nette.

“The good news is websites and companies are making good decisions to use more robust password-hashing algorithms, so cracking times are going up,” he told TechNewsWorld, “but given the increases in computer power, those times will start to go down again, as they have in years past.”

Encryption Tradeoffs

While hashing passwords with strong encryption is a good security practice, there are tradeoffs. “Encryption slows things down,” Nette noted. “Bcrypt is more secure, but if you create too many iterations of the hashing, it could make it slow to log into a website or make the site load slower.”

“If we had the best encryption in place, a website could be totally unusable for users on the internet, so there’s usually a compromise,” he added. “That compromise could end up being an opportunity for hackers.”

“Bcrypt delivers a 56-byte hash versus a 16-byte for MD5, which accounts for the much stronger resistance to brute force attacks,” noted Jason Soroko, senior vice president of product for Sectigo, a global digital certificate provider.

“MD5 is still in wide usage and will probably continue to be, especially for large password databases due to the smaller and more efficient size,” he told TechNewsWorld.

MJ Kaufmann, an author and instructor with O’Reilly Media, an operator of a learning platform for technology professionals, in Boston, acknowledged that stronger hashing algorithms have played a role in making it harder to crack passwords, but maintained that it only helps organizations that have changed their code to adopt the algorithms.

“As this change is time-consuming and may require significant updates for compatibility, the shift is slow, with many organizations still using weaker algorithms for the near future,” she told TechNewsWorld.

Worst Case Scenario for Hackers

Kaufmann noted that great strides have been made in recent times to protect data. “Organizations have finally started to take data protection seriously, partially due to regulations such as GDPR, which has effectively given more power to consumers through harsh penalties to companies,” she explained.

“Because of this,” she continued, “many organizations have expanded their data protection across the board in anticipation of future regulations.”

While it may take longer for hackers to crack passwords, cracking isn’t as important to them as it used to be. “Cracking passwords is not that important to adversaries,” Kaufmann said. “In general, attackers look for the path of least resistance in an attack, frequently accomplished by stealing passwords through phishing or leveraging passwords stolen from other attacks.”

“As fun as it is to measure the amount of time it takes to brute force hashed passwords, it is critical to understand that keylogging malware and credential harvesting by social engineering tactics account for a huge number of stolen username and password incidents,” added Sectigo’s Soroko.

“The study also makes the point that password reuse renders all brute force methods unnecessary for the attacker,” he added.

Nette acknowledged that Hive’s table of password-cracking times represents a worst-case scenario for a hacker. “It assumes a hacker was unable to get someone’s password through other techniques, and they have to brute force a password,” he said. “The other techniques could make the time to get a password lower, if not instantly.”

Log In, Don’t Break In

“Cracking passwords has remained an important form of compromise for attackers, but as password encryption standards increase, other methods of compromise such as phishing become even more appealing than they already are,” added Adam Neel, a threat detection engineer at Critical Start, a national cybersecurity services company.

“If it is likely that the average password will take months or even years to crack, then attackers will take the route of least resistance,” he told TechNewsWorld. “With the assistance of AI, social engineering has become even more accessible to attackers through the form of crafting convincing emails and messages.”

Stephen Gates, a security subject matter expert at Horizon3 AI, maker of an autonomous penetration testing solution, in San Francisco, noted that today, hackers don’t have to hack into systems; they log in.

“Through stolen credentials via phishing attacks, third-party breaches — that include credentials — and the dreaded credential reuse problem, credentials are still the number one issue we see as the method attackers use to gain footholds in an organizations’ networks,” he told TechNewsWorld.

“Also, there’s a tendency among administrative users to choose weak passwords or reuse the same passwords across multiple accounts, creating risks that attackers can and have exploited,” he added.

“In addition,” he continued, “some levels of admin or IT-type accounts are not always subject to password reset or length policy requirements. This rather lax approach to credential management could stem from a lack of awareness about how attackers often use low-level credentials to get high-level gains.”

Passwords Here To Stay

The simple way to eliminate the password cracking problem would be to eliminate passwords, but that doesn’t look likely. “Passwords are intrinsic to the way our modern lives function across every network, device, and account,” declared Darren Guccione, CEO of Keeper Security, a password management and online storage company in Chicago.

“Nonetheless,” he continued, “it’s vital to acknowledge that passkeys will not supplant passwords in the near future, if ever. Among the billions of websites in existence, only a fraction of a percent currently offer support for passkeys. This extremely limited adoption can be attributed to various factors, including the level of support from underlying platforms, the need for website adjustments, and the requirement for user-initiated configuration.”

“While we inch closer to a passwordless or hybrid future, the transition is not a one-size-fits-all approach,” he said. “Businesses need to carefully assess their security requirements, regulatory constraints, and user needs to identify and implement effective, practical password alternatives.”