Anonymity How do Hackers crack Passwords in an Hour?

Fixxx

Moderator
Joined
Aug 21, 2024
Messages
178
Reaction score
573
Points
93
1724997258726.png


6 out of 10 passwords can be cracked in less than 1 hour using a graphics card or cloud service!

The price of such a hack is a few dollars and some free time. Why this is and what to do about it - in our study. World Password Day passed away in May and in the wake of interest in the subject of passwords there was analyzed the strength of not "spherical passwords in a vacuum", but real passwords from darknet databases. It turned out that 59% of the passwords studied could be cracked in less than one hour and all you need is a modern video card and a little knowledge.


How passwords are usually hacked?

Let's start with an important note: by the phrase "crack a password" I mean cracking it's hash - a unique sequence of characters. The fact is that user passwords are almost always stored on company servers in one of three ways.
  • In the open. This is the simplest and most understandable way: if the user has a password, for example "qwerty12345", then it's stored on the company server: qwerty12345. In the event of a data leak, an attacker will not need to do anything more complicated than simply entering a username and password to gain authorization. This is, of course, if there's no two-factor authentication, although even with it, scammers can sometimes intercept one-time passwords.
  • Closed. This method uses hashing algorithms: MD5, SHA-1 and others. These algorithms generate a unique hash value for each passphrase - a fixed-length string of characters which is stored on the server. Each time the user enters a password, the entered sequence of characters is converted into a hash which is compared with the one stored on the server: if they match, then the password was entered correctly.
  • Closed with salt. In this method, a salt is added to each password before hashing - a random sequence of data, static or dynamically generated. The sequence "password+salt" is already hashed which changes the resulting hash, which means that existing rainbow tables will no longer help hackers. This method of storing passwords makes it more difficult to hack.

What's the cost of cracking passwords?

Modern GPUs do the best job of analyzing password strength. For example, for an RTX 4090 graphics card, the hashcat password recovery tool has a brute force speed of 164 gigahashes per second when cracking "salted hashes" created using the MD5 algorithm. Let's assume that the password being hacked consists of 8 characters, for each of which one of 36 different characters can be used (latin letters of the same case and numbers). The number of possible unique combinations in this case is 2.8 trillion (this can be calculated by raising 36 to the eighth power). Using a brute force method, a modern processor with a computing power of 6.7 billion hashes per second will crack such a password in 7 minutes. But the RTX 4090 mentioned above will cope with the task in just 17 seconds. Such a video card costs just under $2,000, but even if an attacker doesn't have the opportunity to buy one, he can almost easily rent computing power for just a few dollars per hour. What if it occurs to him to rent a dozen RTX 4090 at once? There is enough power to handle giant database leaks without any problems.


59% of passwords can be cracked in less than an hour!

There was tested the strength of passwords using both brute force and smart cracking algorithms. And if brute force searches through all possible combinations of characters in order until it finds a match, then smart algorithms are trained on a database of passwords and are able to calculate the frequency of various combinations of characters, starting with the most popular options and ending with rare ones. The results are disappointing: 45% of the 193 million real passwords can be cracked by smart algorithms in less than one minute, 59% in one hour and 67% in less than a month... And only 23% of passwords can be considered persistent - hacking them will take more than one year.

1724998000790.png


The selecting all passwords from the database doesn't take much more time than selecting one password. At each iteration, having calculated the hash for the next combination of characters, the attacker checks if the same one exists in the database. If so, then the corresponding password is marked as "hacked" after which the algorithm continues to guess other passwords.


Why are smart hacking algorithms so effective?

People rarely use random passwords and generate them in their heads much worse than machines: we use real phrases, personal names and sequences, which are exactly what smart hacking algorithms are used to solve. Moreover, even if you ask several people to choose any number from 1 to 100, most people will name...the same numbers! Researchers from the YouTube channel Veritasiumsurveyed more than 200 thousand people and found that 7, 37, 42, 69, 73 and 77 are in the top...

password-can-be-hacked-in-one-hour-01.jpg
*Veritasium survey results.

And even if you try to come up with a password using random characters, you will unknowingly most often choose the letters in the middle of the keyboard. The majority of passwords we studied (57%) contain a dictionary word which significantly reduces their strength. Half (51%) of these passwords will take less than a minute to crack, 67% can be guessed in less than an hour and only 12% of them are strong and will take more than a year to guess. Fortunately, only a few passwords consisted solely of a dictionary word - almost all of them can be cracked in a minute. Smart algorithms can easily parse most passwords containing dictionary sequences. Moreover, they even take character substitutions into account, so writing "pa$$word" instead of "password" or "@dmin" instead of "admin" will not make the password stronger. Using popular words and number sequences is also a bad idea. In 4% of passwords, the following were found in various forms:
  • 12345
  • 123456
  • love
  • 12345678
  • 123456789
  • admin
  • team
  • qwer
  • 54321
  • password

Recommendations:

This case study allows to draw some conclusions about password strength:
  1. Many user's passwords are not strong enough; 59% of the passwords studied could be cracked in one hour.
  2. Using words, names and standard sequences in a password reduces the time it takes to guess it.
  3. The most insecure passwords consist entirely of either numbers or dictionary words.
Here are some simple guidelines to help make your accounts more secure:
  • Generate strong passwords.
  • Never save passwords in browsers.
  • Enable two-factor authentication (2FA) wherever possible.
  • Use mnemonic phrases rather than meaningful phrases, names and vocabulary sequences.
  • Don't use the same password on different sites, because not all companies store user data securely.
  • Store all your passwords in a password manager and be sure to create a hack-resistant master password for it.
 
Top Bottom