In the cybersecurity landscape, choosing and creating strong passwords remains a fundamental pillar. A world completely passwordless is still a long way off: passkeys themselves have disadvantages that cannot be ignored. Today, therefore, the setting of strong passwordsless subject to attacks brute force. Cracking passwords it has in fact become even simpler in 2024, above all thanks to the massive computational resources that unauthorized users and cyber criminals can access to steal other people’s credentials.
The weak passwords they are the ones that lack complexity and length. This makes them easy to guess or discover through automated attacks (brute force). These attack attempts consist of repeatedly trying all possible character combinations until the correct password is found.
What are the characteristics of a weak password
The shortest passwords are by far the easiest to crack: the limited number of combinations that an attacker must try, makes him an easy prey for those who carry out attacks brute force. Additionally, passwords made up of only lowercase letters or numbers are easier to guess than those that include a combination of uppercase letters, lowercase letters, numbers, and special characters.
Likewise, passwords based on commonly used words, names, dates of birth or other easily accessible information, are significantly easier to hack. Sequences (patterns) predictable ones, such as “123456” or “password” are the first ones that are tested by attackers.
Given that the choice of a strong password and the simultaneous activation of two-factor authentication represent the better defense to protect ourselves from attacks, let’s see how soon – in 2024 – an attacker can trace back to any password the user has set.
Crack passwords by going back to the plaintext version, starting from the hash
Hopefully, the servers of the online services you use every day store user passwords securely. That is, they use one function of hashing which transforms the password into an encrypted version, completely different from the original password. L’hash it works one way: it is not an invertible function. In other words, as long as the algorithm hashing used is intrinsically safe, an attacker cannot trace the clear password starting from its hash.
In another article we saw what a password hash is and why it is important.
Try for example, in Windows 10 or in Windows 11to press the key combination Windows+X so to choose Windows PowerShell or Terminal. In the window PowerShell Paste the following code and press the Enter key:
$password = Read-Host -Prompt "Inserisci la password" -AsSecureString; $hash = [System.BitConverter]::ToString((New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes(([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)))))) -replace '-', ''; Write-Host "L'hash SHA-256 della password è: $hash"
After entering any password, you will get the corresponding hash generated using – in this case – theSHA-256 algorithm. For example, writing password1234you will see that the hash returned will be the following:
B9C950640E1B3740E98ACB93E669C65766F6670DD1609BA91FF41052BA48C6F3
For crack passwords, attackers usually generate a list of all possible combinations of characters used by users and, for each of them, generate the corresponding hash. Looking for any password matches hashedrecovered for example following a IT accident (ie from the servers of the operator of a certain online service) and the list of hashes generated, it is possible to trace the clear password set by the victim user.
The role of graphics cards in cracking passwords
Generating the possible combinations of a password (taking into consideration parameters such as length and type of characters used) is feasible with any device but becomes much faster if you use a powerful graphics card.
Hashcat It is a very powerful and widely used password cracking tool. It supports a wide range of hashing algorithms and can be used to perform brute force attacks (brute force) or other types of attacks to try to obtain the original passwords from a given hash.
Here, combining one GPU batterytoday also easily accessible via the main cloud platforms (it is not necessary to invest significant amounts of money to set up powerful configurations locally…), the work of password cracking it has become much more streamlined than in the past. From here, the obvious observation arises that once “strong” passwords based on their characteristics, today they are no longer sufficiently safe.
The table published by Hive Systems (reproduced above) is worth a thousand words. If the NIST recommendations were still taken for granted (National Institute of Standards and Technology) dated 2017, which advocated the use of passwords no less than 8 characters long, today we would always find ourselves in the highest part of the table (purple and red colors). The password cracking in any case it would be instantaneous or in any case the times would be short using, at most, a configuration based on a battery of 12 NVIDIA RTX 4090 GPUs.
Are your passwords green?
In this case ecology and environmental sustainability have nothing to do with it. The experts at Hive Systems urge users to make sure their password are greeni.e. located in the lower right part of the table reproduced above.
An important aspect is that the technicians of Hive Systems they assume that the hash of the password to be broken is the result of a effective hashing algorithm it’s safe. We know that MD5, for example, has not provided any guarantees in terms of security for a long time and in 2017 Google also declared SHA-1 unsafe.
THE times necessary to crack passwords starting from a hash, expressed in the table, refer to the use of bcrypta hashing algorithm designed to be resilient to brute force attempts and so-called “dictionary attacks“. Therefore, if cracking a password is estimated to be fast or rather fast with bcrypt, the attack times with “weak” algorithms can be much shorter.
For to be safecross-reference the number of characters that distinguish the password (first column on the left) with its characteristics (combinations of letters, numbers and special characters) then draw your conclusions.
Opening image credit: iStock.com – matejmo
