Your 8-digit password can be cracked in 5 minutes
- May 4, 2023
A complex password with a combination of upper and lower case letters, special characters and numbers can now be cracked in just five minutes without special hardware. Even slightly longer passwords are not unhackable.
It only takes five minutes to crack a password that contains numbers, uppercase letters, lowercase letters and special characters. P@sw00rd is not a safe option, as you have hopefully guessed, but a complex string such as Fr13H#&P is actually not much better. This is shown by interesting calculations by Hive Systems. Hive looked at the most commonly used techniques for securing passwords, combined with realistic hardware that can be used today to crack that security.
How does a website know that the password you have entered is correct? Luckily, a website does not keep a database of passwords to compare what you type against, because such a list would be worth its weight in gold to hackers. Instead, a website stores a hash of your password.
A hash is a sequence of numbers and letters calculated by an algorithm. The algorithm takes an input such as P@sw00rd and applies a complex sequence of computations to it to obtain the hash. There are several hashing algorithms; MD5 is not the most secure, but it is the most popular.
MD5 turns P@sw00rd into the hash 570dce9a02a335b5e71a90471666c499. Exactly how such an algorithm works is not important, but it is crucial to know that a hash only works one way. There is no way to convert 570dce9a02a335b5e71a90471666c499 back into P@sw00rd.
So, with a database of hashes, a website can verify that you have entered the correct password, but an employee or hacker who hijacks the database (which happens regularly) cannot simply log into your account. The passwords cannot be read from the hashes alone. The only way to recover them is by brute force.
That takes time. To extract passwords from a stolen hash list, an attacker has to run every possible combination of letters, characters and numbers through the hash algorithm and check whether the result matches anything on the list. For a long time this was an almost impossible task; after all, billions of calculations have to be carried out.
However, GPUs are very good at such calculations and are constantly getting better. An Nvidia RTX 4090 can calculate about 164 billion hashes per second. If you connect more GPUs together, the computing power increases accordingly. For its analysis, Hive assumed a relatively well-equipped attacker with twelve Nvidia RTX 4090 GPUs at its disposal, good for 1.93 trillion hash calculations per second. Cost of the GPUs: around 1,900 euros each including VAT, i.e. 22,800 euros in total. This may seem like a lot, but today cyber criminals often work in well-organized gangs. With a single successful ransomware attack on a company where the victim pays the ransom, they have already recouped the investment.
From there, the calculation is quickly made. How many unique combinations are there for a given character set? And how long does it take an attacker to calculate the hash of all those combinations? A password of six characters or fewer is no use at all. Special characters or not: an attacker can find your password in less than a second. Eight characters was the standard for a long time. If you only use eight digits, it still takes less than a second. With a complex eight-character password, the attacker needs around five minutes with his Nvidia GPUs.
Adding an extra character to your password increases the number of possible combinations exponentially. A complex nine-character password already requires nine hours of calculation by the twelve GPUs. That is better, but still not very secure.
From twelve characters onwards, your password gradually becomes more secure. The hacker with twelve Nvidia RTX 4090 GPUs needs 226 years. That sounds like a lot, but is it also future-proof? Hive first ran the calculation in 2020, at that time based on RTX 2080 GPUs. Three years ago, it took about 34,000 years to crack the same password. It is not unthinkable that a twelve-character password can be cracked within hours or even minutes five years from now.
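To make the arithmetic behind these figures concrete, here is an added Python example; it is not Hive's code and does not come from the article. It stores an MD5 hash the way the article describes, runs the matching step against a deliberately tiny keyspace (a constructed four-digit PIN), and then computes keyspace sizes and worst-case exhaust times at the article's 1.93 trillion hashes per second. The symbol count of 8 (70 characters in total for the full mix) is an assumption of this example, since the article does not say which symbols Hive counted; with that assumption the code lands at roughly five minutes for eight characters and about 227 years for twelve, close to the quoted figures.

```python
import hashlib
import itertools

# Character-set sizes. The symbol count (8) is an assumption for this example;
# the article does not state which symbols Hive counted.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 8
FULL_MIX = LOWER + UPPER + DIGITS + SYMBOLS   # 70 characters

HASHES_PER_SECOND = 1.93e12   # twelve RTX 4090s, as quoted in the article
SECONDS_PER_YEAR = 365.25 * 86400


def md5_hex(password: str) -> str:
    """The one-way value a site stores instead of the password itself."""
    return hashlib.md5(password.encode()).hexdigest()


def brute_force(target_hash: str, alphabet: str, length: int):
    """Hash every candidate of the given length and compare it with the stored hash.
    This is the matching step the article describes, kept to tiny keyspaces so the
    effect of keyspace size on effort is visible."""
    for candidate in itertools.product(alphabet, repeat=length):
        guess = "".join(candidate)
        if md5_hex(guess) == target_hash:
            return guess
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = HASHES_PER_SECOND) -> float:
    """Worst case: every combination has to be hashed once at `rate` hashes/s."""
    return keyspace(charset_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration the way the article does (seconds, minutes, hours, years)."""
    if seconds < 1:
        return "under a second"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # Constructed example: a four-digit PIN, 10,000 candidates, found instantly.
    stolen = md5_hex("0427")
    print("recovered from hash:", brute_force(stolen, "0123456789", 4))

    print(f"{'charset':>8} {'length':>6} {'combinations':>24}  time at 1.93e12 H/s")
    for label, size in (("digits", DIGITS), ("lower", LOWER), ("full mix", FULL_MIX)):
        for length in (6, 8, 9, 12):
            t = seconds_to_exhaust(size, length)
            print(f"{label:>8} {length:>6} {keyspace(size, length):>24,}  {human(t)}")
```

The table the script prints is the point: the eight-digit row is gone in a fraction of a second, the eight-character full-mix row takes about five minutes, and every extra character multiplies the time by the charset size (70 here), which is why twelve characters jumps to centuries.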
Hive did a nice calculation to illustrate this. What if someone used the hardware on which ChatGPT was trained to crack passwords? ChatGPT was trained on about 10,000 Nvidia A100 GPUs. Such a supercomputer cluster can crack any password of ten characters or fewer within an hour. A twelve-character password holds out for at most eight months. Only from thirteen characters does a password last more than ten years.
That may sound far-fetched, and in many cases it is, but not always. Nobody will crack your or my Google password with a supercomputer, but is it really unthinkable that a country would use HPC infrastructure to crack the password of an enemy general or a researcher at a nuclear facility?
The calculations show several things. The main conclusion is simple: eight-character passwords are never secure. In this article, you can read how long a password should be and how to create one that is secure but still usable.
The figures also show how quickly computing power catches up with passwords. We should not wait for the quantum computer before concluding that even slightly longer passwords are no longer enough. As a concept, the password has an expiration date that is gradually approaching. Fortunately, alternatives such as passkeys are being worked on diligently. You can start using them today with Microsoft and Google, among others.
In the meantime there are still solutions. Databases with hashes get stolen from time to time; it seems inevitable. Websites can use hash algorithms other than MD5. There are several complex alternatives that require more computing power to compute a hash. With a heavier algorithm, a GPU can check fewer hashes per second, and it becomes less likely that passwords can be cracked if a database falls into the wrong hands. As long as MD5 remains popular and people reuse their passwords across websites, Hive's analysis will remain very relevant.
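A worked example of the heavier alternative this paragraph refers to, added here and not taken from the article or from Hive: a salted, iterated PBKDF2-HMAC-SHA256 hash from Python's standard hashlib, verified in constant time, plus a crude first-order estimate of how the iteration count shrinks the guess rate. The 600,000 iterations, the storage format, and the assumption that each guess costs `iterations` times as much as one plain hash are this example's own simplifications; real GPU throughput for SHA-256 differs from the MD5 figure the article quotes, so the estimate is only an order of magnitude.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000        # work factor; an assumption chosen for this example
MD5_RATE = 1.93e12          # hashes/s for twelve RTX 4090s, the article's figure
SECONDS_PER_YEAR = 365.25 * 86400


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$digest_hex' for storage.
    A fresh random salt per user means identical passwords get different hashes,
    so one precomputed table cannot be reused across accounts."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def estimated_rate(iterations: int, single_hash_rate: float = MD5_RATE) -> float:
    """Crude estimate (assumption): each guess now costs `iterations` hash computations,
    so the attacker's guess rate drops by that factor."""
    return single_hash_rate / iterations


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: every combination hashed once at `rate` guesses per second."""
    return charset_size ** length / rate


if __name__ == "__main__":
    # Constructed credential for the demo; in practice the site never stores it.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored[:40] + "...")
    print("right password accepted:", verify_password("correct horse battery staple", stored))
    print("wrong password rejected:", not verify_password("correct horse battery stable", stored))

    # Eight characters from a 70-character set (26+26+10+8 symbols, an assumption).
    plain = seconds_to_exhaust(70, 8, MD5_RATE)
    slow = seconds_to_exhaust(70, 8, estimated_rate(ITERATIONS))
    print(f"MD5:    {plain / 60:.1f} minutes")
    print(f"PBKDF2: {slow / SECONDS_PER_YEAR:.1f} years (same hardware, estimated)")
```

The same eight-character password that falls in about five minutes under MD5 costs the same attacker years under this scheme, which is the whole argument for a slow hash. Memory-hard functions such as scrypt (also in hashlib) or Argon2 go further by making GPU parallelism itself expensive; the salt and constant-time comparison shown here apply to those just the same.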
Source: IT Daily
As an experienced journalist and author, Mary has been reporting on the latest news and trends for over 5 years. With a passion for uncovering the stories behind the headlines, Mary has earned a reputation as a trusted voice in the world of journalism. Her writing style is insightful, engaging and thought-provoking, as she takes a deep dive into the most pressing issues of our time.