Stay Informed: Hackers Can Crack 59% Of Passwords Within An Hour

What You Need To Know:

Researchers have recently discovered that a staggering 59% of real-world passwords leaked on the dark web can be cracked within an hour using just a modern graphics card and some technical knowledge. This finding underscores the vulnerability of many commonly used passwords and the efficiency of brute-force attacks powered by GPUs.

Why Are Passwords So Vulnerable?

  • Real-World Password Weaknesses: Unlike passwords created under artificial conditions in labs, real-world passwords often suffer from significant weaknesses. The analysis of leaked passwords shows that many users continue to use easily guessable passwords or simple variations of common words and phrases.
  • Effectiveness of Modern GPUs: Modern graphics cards, such as the RTX 4090, are incredibly efficient at password cracking. For example, this GPU can compute 164 billion salted MD5 hashes per second. That processing power allows passwords to be cracked rapidly, making even moderately complex passwords vulnerable.
  • GPU Speed: The speed of modern GPUs significantly outpaces that of CPUs. An 8-character password using a mix of uppercase, lowercase letters, and digits has 2.8 trillion possible combinations. A powerful CPU might take 7 minutes to crack this password, while an RTX 4090 could do it in just 17 seconds.
  • Accessibility of GPU Power: Even without owning high-end GPUs, attackers can rent them for a few dollars per hour, enabling the efficient cracking of large password databases.

What is Password Cracking?

  • Hashing and Storage: Traditionally, passwords were stored in plain text, making them highly vulnerable to breaches. Modern systems mitigate this risk by using hashing algorithms, which convert passwords into unique, fixed-length hash values. When a user logs in, their password is hashed and compared to the stored hash to grant access.
  • Cracking Techniques: Crackers attempt to retrieve the original password from its hashed form using various techniques:
    • Brute-force attacks: Trying all possible combinations until the correct one is found.
    • Rainbow tables: Pre-computed tables of common passwords and their hashes, which can quickly match a hashed password to its original form.
    • Dictionary attacks: Utilizing a list of common words and phrases to guess passwords based on human predictability.

Enhancing Password Security:

  • Salting: One effective method to improve password security is the use of salting. This involves adding a random data string (salt) to the password before applying the hashing function. Each password-salt combination creates a unique hash, rendering pre-computed rainbow tables ineffective.
  • Multi-Factor Authentication (MFA): Adding a further layer of security through MFA significantly enhances password protection. MFA requires users to provide two or more verification factors to gain access, making it much harder for attackers to breach accounts.
  • Password Managers: Password managers help users generate and store complex, unique passwords for each account. These tools reduce the risk of password reuse and simplify the process of maintaining strong password practices.
  • Regular Updates and Audits: Regularly updating passwords and conducting security audits can help identify and mitigate potential vulnerabilities. Encouraging users to change their passwords periodically and checking for compromised passwords are essential practices.
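The salting item above, shown as an added example that is not part of the original bulletin: an unsalted fast hash next to a per-user salt combined with a slow key-derivation function. The account names, passwords, PBKDF2 parameters and storage format are constructed for illustration, and the lookup dictionary is a simple stand-in for a rainbow table.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts; two users picked the same weak password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#pLq9!vZr2mXw4"}

def unsalted_md5(password: str) -> str:
    """Weak scheme: fast, unsalted hash. Identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def precomputed_table(candidates):
    """Stand-in for a rainbow table: hash -> password, built once, reused on any leak."""
    return {unsalted_md5(p): p for p in candidates}

def hash_password(password: str, iterations: int = 600_000) -> str:
    """Stronger scheme: random per-user salt plus a deliberately slow KDF."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def recovered_by_table(db, table):
    """Accounts whose stored value appears in the precomputed table."""
    return sorted(user for user, stored in db.items() if stored in table)

if __name__ == "__main__":
    table = precomputed_table(["123456", "password", "sunshine1"])
    weak_db = {u: unsalted_md5(p) for u, p in USERS.items()}
    strong_db = {u: hash_password(p) for u, p in USERS.items()}
    print("exposed, unsalted:", recovered_by_table(weak_db, table))
    print("exposed, salted:  ", recovered_by_table(strong_db, table))
    print("alice and bob share a stored value:", strong_db["alice"] == strong_db["bob"])
    print("login check:", verify_password("sunshine1", strong_db["alice"]))
```

The salt removes the shared-hash and table-reuse problems, but a weak password can still be guessed one account at a time, which is why the derivation is also made slow.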

Strong Password Tips:

  • Make them long: Passwords should be at least 16 characters—longer is stronger!
  • Make them random: Use a random string of mixed-case letters, numbers, and symbols or create a memorable phrase of 4-7 unrelated words (a “passphrase”).
  • Make them unique: Use a different strong password for each account.
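To put numbers on these tips, the following added example (not part of the original bulletin) generates a 16-character random password and a passphrase, then estimates the worst-case time to exhaust each keyspace at the 164 billion guesses per second quoted above. The 7,776-word list size and the small demo word list are assumptions made for illustration.

```python
import math
import secrets
import string

GPU_RATE = 164_000_000_000   # guesses/second: the salted-MD5 figure quoted above
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
WORDLIST_SIZE = 7776         # assumption: size of a diceware-style word list

# Constructed demo list, far too small for real use; load a full list instead.
DEMO_WORDS = ["anchor", "biscuit", "cactus", "drizzle", "ember", "fjord",
              "gravel", "hammock", "igloo", "jigsaw", "kettle", "lantern"]

def random_password(length: int = 16) -> str:
    """Uniformly random string drawn with a cryptographic RNG."""
    return "".join(secrets.choice(SYMBOLS) for _ in range(length))

def passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Pick `count` words independently and uniformly from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy when every position is chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(alphabet_size: int, length: int, rate: int = GPU_RATE) -> int:
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return alphabet_size ** length // rate

def report():
    """(label, entropy in bits, worst-case seconds) for each policy in the tips."""
    rows = [("16 random symbols", len(SYMBOLS), 16)]
    rows += [(f"{n}-word passphrase", WORDLIST_SIZE, n) for n in (4, 5, 6, 7)]
    return [(name, round(entropy_bits(a, n), 1), seconds_to_exhaust(a, n))
            for name, a, n in rows]

if __name__ == "__main__":
    print(random_password())
    print(passphrase(DEMO_WORDS))
    for name, bits, seconds in report():
        print(f"{name:20s} {bits:6.1f} bits  {seconds:.3e} s worst case")
```

Under these assumptions a 4-word phrase is exhausted in about six hours against a fast hash, while 6 or 7 words and the 16-symbol random string stay far out of reach, so the upper end of the 4-7 word range is the safer choice. The estimate holds only for uniformly random choices; human-picked words and patterns fall much faster.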

Survey Results: Real-World Password Vulnerability:

  • Kaspersky’s Findings: Researchers at Kaspersky analyzed real-world passwords and found a high vulnerability rate. Using a combination of brute-force and smart-guessing algorithms, they cracked 45% of passwords in under a minute and 59% within an hour. This efficiency is attributed to human predictability in password creation.
  • Human Predictability: People tend to favor common phrases, dates, and patterns, which makes their passwords susceptible to dictionary attacks. Even attempts at randomness are often biased towards keyboard patterns such as “123456” or common substitutions such as “pa$$word”.

Conclusion:

The study highlights the critical need for stronger password practices. Users should avoid common phrases, patterns, and substitutions, and instead create complex, unique passwords for each account. Password managers can help generate and store these complex passwords securely, and multi-factor authentication makes accounts much harder to breach. As attackers become more sophisticated, adopting robust password security measures is essential to protect personal and organizational data.

Solinkit