As tedious as the incessant requests for longer, harder-to-remember passwords are, experts say there’s a good reason for the nuisance.
It has become easier and easier for hackers to guess your password as computer processing speeds have become faster.
With sprawling cloud-based computing power now available for everyone to hire – and massive supercomputers, like the system that drove ChatGPT – cybersecurity firm Hive Systems says a truly professional hacker could gain access to your secrets. almost instantly.
The company has produced a new chart showing how secure or vulnerable your password is, based on its number of characters and the variety of characters you’ve used.
They say you’ll need a completely random password, at least 12 characters long, with a mix of numbers, special symbols, upper and lower case letters, if you want to keep even an amateur hacker out of your account , thanks to the power of today’s mainstream desktop technology.
Hive Systems, a cybersecurity company, recommends passwords longer than 12 characters, consisting of a random mix of numbers, symbols, and upper and lower case letters
Hive offers services that help customers strengthen their online security and this year they updated their chart to better illustrate the vulnerability of passwords, categorized by number of characters and the variety of numbers, letters and symbols used. .
Among the key takeaways from Hive: passwords consisting of just a string of numbers are by far the easiest to crack, with even 11-digit passcodes now guessable in an instant. If your password is six characters or less, they say, it might as well not exist.
Fresh for 2023, the group has also removed a variety of special characters from its password analysis and testing, acknowledging that most websites and services only accept these eight symbols alongside the usual alphanumeric options: ^*%$!&@#
By way of comparison, the group took the example of US National Institute of Standards and Technology guidelines.
NIST recommends, at a minimum, a random, complex eight-character password using numbers, upper and lower case letters, and special symbols.
Today, according to Hive, such a password, which previously took four hours to crack via brute force methods, can now be correctly guessed in one.
But hackers can act even faster if they can take advantage of consumer cloud computing. In these cases, that random and complex 8-character password could be guessed in just a few minutes.
If the hacker had access to top-notch enterprise-level cloud computing, Hive says he could guess this type of password almost instantly.
But what has really changed profoundly, according to the Hive team, are the processing speeds of the best consumer graphics cards or graphics processing units (GPUs).
When the team created their first password chart in 2020, they based their time estimates on a 2018 GPU (the RTX 2080 graphics card) and security “best practices” for 2018, (MD5 hash).
‘It always seems to be the assumption of many “How strong is my password?” sites pass,” reports Hive in their methodology page for this year’s analysis.
“The best GPU of 2022, whether you’re gaming or doing hobby crypto mining, was the RTX 4090.”
As Hive’s comparison of password cracking speeds for the RTX 2080, RTX 3090, and RTX 4090 shows, the range of truly strong passwords is shrinking every year.
When Hive created its first password table in 2020, the group based its time estimates on a 2018 GPU, the RTX 2080 graphics card, pitted it against security “best practices” for 2018.
In recent years, the security group discovered that newer RTX 3090 graphics cards can crack around 70 billion hashes per second (H/s). Hashes are a scrambled, encrypted version of user passwords, which are stored by your standard password-protected services and sites.
In 2022, the best GPU for either gamers or hobbyist crypto miners was the RTX 4090. When Hive tested the RTX 4090, only very long and complex passwords were safe.
When making its chart in 2022, Hive based its data on, first, the time required by a hacker using only budget processing equipment and a desktop computer with a high-end graphics card. Next, they also analyzed the numbers of cases where the hacker had a professional organized crime budget and could afford to enlist cloud computing resources for their hack.
In the latter case, they looked at pricing and processing speeds for the two big providers like Amazon AWS and Microsoft Azure as well as the growing market for freelance options, where a person’s computer can be rented for the price of $1,000. ‘hour.
However, perhaps the most interesting aspect of their 2023 study was their work estimating the hacking power of ChatGPT.
The machine learning algorithm underlying ChatGPT was trained on a Microsoft Azure supercomputer, Hive notes, which has a network of around 10,000 NVIDIA A100 GPUs. The group estimated the speed of such a network compared to other common graphics cards.
Hive couldn’t test the 10,000 A100 GPUs that trained ChatGPT directly, but they were able to extrapolate based on compute speeds that scale with password cracking speeds
The significantly smaller green space on their ChatGPT password table shows how powerful hackers could be with ChatGPT training materials
The considerably smaller green space on their ChatGPT password chart shows how powerful hackers could be with ChatGPT training materials.
Although Hive couldn’t directly test a 10,000 A100, they were able to come up with some concrete extrapolations based on compute speeds that scale linearly and directly to password cracking speeds.
One caveat that Hive notes in its methodology report is that its tables assume that users are using an actual randomly generated password. This means that even if you use a complex variety of numbers, symbols and letters, your password will be more vulnerable if you invented it yourself.
“Non-randomly generated passwords are much easier and faster to crack,” says Hive, “because humans are quite predictable.”
Hive’s tables also assume that a user’s password has not previously been leaked in one of the many infamous data breaches reported in recent years. They say it’s worth checking if your preferred password is already available.
