As tedious as the incessant requests are for longer and harder-to-remember passwords, experts say there’s good reason for the nuisance.
It’s gotten easier and easier for hackers to guess your password as computer processing speeds have gotten faster.
With sprawling cloud-based computer power now available for rent to anyone — and massive supercomputers out there, like the system that trained ChatGPT — cyber security firm Hive Systems says that a truly professional hacker could access your secrets almost instantly.
The company has produced a new table showing just how safe or vulnerable your password is, based on its character count and the diversity of characters you’ve used.
They say you’ll need a fully random password, that’s at least 12-characters long, with a mixture of numbers, special symbols, upper- and lowercase letters, if you want to keep even just an amateur hacker out of your account, thanks to the power of today’s consumer desktop tech.
Hive Systems, a cyber security company, recommends passwords over 12 characters long, comprised of a random mixture of numbers, symbols, and upper and lowercase letters
Hive has now updated its table to better illustrate the vulnerability of passwords, ranked by character-count and the diversity of numbers, letters and symbols used.
Among the company’s major takeaways: passwords consisting of only a string of numbers are, by far, the easiest to hack, with even 11-number-long passcodes now guessable in an instant. If your password is made up of six characters or less, they say, it might as well not even exist.
Fresh for 2023, the group also cut down a variety of special characters from its password analysis and testing, acknowledging that most websites and services only accept these eight symbols alongside the usual alphanumeric options: ^*%$!&@#
For comparison’s sake, the group took on example from the US National Institute of Standards and Technology’s guidelines.
NIST recommends, at least, a random, complex eight-character password employing numbers, both uppercase and lowercase letters, as well as special symbols.
Today, according to Hive, just such a password, which used to take four hours to crack via brute force methods, can now be correctly guessed in only one.
But hackers can move even faster if they can leverage consumer cloud computing. In those cases, that random, complex 8-character password could be guessed in just a few minutes.
If the hacker had access to prime, enterprise-level cloud computing, Hive says they could guess that kind of password almost instantly.
But what has really changed profoundly, Hive’s team says, is the processing speeds of the best, consumer-grade graphics cards, or graphics processing units (GPUs).
When the team made their first password table in 2020, they based their time estimates on a 2018 GPU (the RTX 2080 graphics card) and the security ‘best practices’ for 2018, (MD5 hashing).
‘That appears to still be the assumption many “How strong is my password?” sites are going by,’ Hive reports in their methodology page for this year’s analysis.
‘The 2022 top GPU, whether you were gaming or amateur crypto-mining, was the RTX 4090.’
As Hive’s comparison of password-cracking speeds for the RTX 2080, RTX 3090, and RTX 4090 shows, the range of truly strong passwords is shrinking each year.
When Hive made their first password table in 2020, the group based their time estimates on a 2018 GPU, the RTX 2080 graphics card, pitted it against the security ‘best practices’ for 2018
In recent years, the security group found that newer RTX 3090 graphics cards could crack about 70 billion Hashes per second (H/s). Hashes are a scrambled, encrypted version of users’ passwords, which are stored by your standard password-protected services and sites
In 2022, the top GPU, whether for gamers or amateur crypto-miners, was the RTX 4090. When Hive put the RTX 4090 to the test, only very long, complex passwords were safe
When making their table in 2022, Hive based its data on, first, the time required by a hacker using only consumer-budget processing equipment and a desktop computer a top-of-the-line graphics card. Then, they also ran the numbers for cases where the hacker was on a professional organized-crime-budget and could afford to enlist cloud compute resources in their cracking.
In that latter case, the examined the prices and processing speeds for both big name providers like Amazon AWS and Microsoft Azure as well as the growing market for independent options, where a person’s computer can be rented at cost per hour.
Perhaps the most interesting aspect of their 2023 study, however, was their work estimating the hacking power of ChatGPT.
The machine-learning algorithm underlying ChatGPT was trained on a Microsoft Azure supercomputer, Hive notes, which boasts a network of about 10,000 NVIDIA A100 GPUs. The group estimated how fast such a network would be relative to other common graphics cards.
Hive could not test the 10,000 A100 GPUs that trained ChatGPT directly, but they were able to extrapolate based on calculation speeds that scale with password-cracking speeds
The dramatically smaller green space on their ChatGPT password table shows just how powerful hackers could be with ChatGPT’s training hardware
The dramatically smaller green space on their ChatGPT password table shows just how powerful hackers could be with ChatGPT’s training hardware.
Although Hive could not test a 10,000 A100 directly, they were able to craft concrete extrapolations based on calculation speeds that scale in a linear and direct fashion to password-cracking speeds.
One caveat that Hive notes in their methodology report is that their tables assume users are employing a truly randomly generated password. That means that, even if you’re using a complex variety of numbers, symbols and letters, you’re password will be more vulnerable if you made it up yourself.
‘Non-randomly generated passwords are much easier and faster to crack,’ Hive says, ‘because humans are fairly predictable.’
Hive’s tables also assume a user’s password was not already leaked in one of the many, infamous, data breaches reported in recent years. They say it’s worth checking up on whether your favorite, go-to password is already out there.
The post How weak is YOUR password? Graph shows how fast hackers could break it first appeared on www.dailymail.co.uk