When creating a password, many online services now require users to provide complex combinations of alphanumeric and special characters. This isn't just to annoy those who shirk password management; as computers become more powerful, it becomes easier to crack a password using brute-force methods. To help the public see things more clearly, a cybersecurity consulting firm has unveiled a new version of a very useful table that allows you to estimate the vulnerability of your passwords at a glance.
What is a brute force attack?
This term refers to a fairly rudimentary strategy that consists of asking a computer to explore all possibilities, one by one, systematically, until it finds the solution. The big advantage of this approach is that it offers a theoretical success rate of 100%. The question isn't whether the machine will eventually come across the right combination of characters, but rather when.
But that doesn't mean this approach is always viable in practice—far from it. Indeed, the resources required to carry out this type of attack increase exponentially with the size and diversity of the string. With a sufficiently complex password, the time required quickly explodes to reach orders of magnitude far greater than the lifecycle of a password.
This is one of the reasons why modern hackers tend to favor other approaches. One example is dictionary attacks, which seek to speed up the process by favoring more likely solutions, based on lists of frequently occurring terms (wordlists)... or on lists of real passwords recovered during previous hacks. The other approach, arguably the most dangerous, relies on social engineering. You're probably familiar with the famous phishing scam, which exploits a user's vulnerability to trick them into handing over their precious login details on a silver platter.
But that doesn't mean brute force is completely obsolete. The whole question is, therefore, determining at what level of complexity a password becomes sufficiently secure.
Length and complexity, the winning combination
This is where Hive Systems comes in, a consulting firm that maintains a table specifically for this purpose. Its goal: to determine how long it would take a well-equipped hacker to crack your precious key using the latest generation of consumer hardware (12 copies of the most powerful GPU available at the moment). This document has just been updated based on the performance of the new Nvidia RTX 5090. And it contains some very interesting information.
First notable change compared to the 2024 version: now, all passwords have 4 characters, whatever they are, fall instantly, that is, in less than a second in this context. This also applies to all passwords consisting solely of numbers: if it has 8 or fewer, it will fall in the blink of an eye against a well-equipped hacker.
But fortunately, almost no one uses such short passwords these days. According to a study by DemandSage, more than half of Internet users protect access to their accounts with 8 to 11 characters.
This range is very interesting, because we arrive at an area where the choice of characters makes a gigantic difference. With 8 digits, for example, the password can be cracked almost instantly. But add uppercase and lowercase letters, and symbols, and the estimated calculation time increases to 164 years. The difference is even more striking at 11 characters: 1 week of work if the password contains only numbers, and… 56 million years with the combination mentioned above.
Moral of the story: don't ignore the recommendations of those who suggest using long and complex passwords. Also, avoid relying on common terms, names of famous people, or dates, which are much more vulnerable to the dictionary attacks mentioned above. At the end of the day, nothing beats a good old-fashioned string of words; it's certainly more cumbersome in everyday life, but that extra layer of security is priceless in an age where so much of our lives are spent online.
For more details, Hive Systems' full analysis is available here.
0 Comments