How long does it take to crack a password in 2024?
Password cracking tools improve all the time. With AI entering the game, the time to brute force passwords has been reduced significantly already and continues to be reduced.
Password guidelines and rules have not changed all that much for users in the past ten or so years, however. Pick unique and strong, which means long and complex, passwords, and you are good to go.
While rules are relatively simple, especially when used in combination with a password manager, many Internet and computer users still do not follow them. They use passwords repeatedly or pick weak passwords that allow threat actors to crack them in a matter of seconds.
Brute force and dictionaries: two common attacks against passwords. Dictionary attacks use lists of passwords, often those found in leaks, as it is fast method to crack a percentage of passwords quickly. Brute forcing refers to trying any combination of a character set, say all numbers, upper- and lower-case letters on a password.
Password cracking chart 2024
Researchers at Hive Systems have updated the organization's password cracking chart to reflect advancements in computing power and security.
It shows how long a system with twelve RTX 4090 graphics cards would need to crack a password. It reveals the information for the cases "numbers only", lowercase letters, upper and lowercase letters, "numbers, upper and lowercase letters, and "numbers, upper and lowercase letters, symbols".
An 8 character password consisting only of numbers is cracked by the setup in 37 seconds. Change that to lowercase letters, and the time increases to 22 hours. With everything included, it is taking the machine 7 years in worst case to crack the password.
To find out how secure, or insecure, a password is, count its characters. Once you have the character count, check its line. Now analyze the composition of the character. Does it have only numbers or lowercase letters? Or a combination? Check the column and read the value. This is the time it would take Hive System's machine to crack the password.
Note: more powerful setups reduce the time it takes to brute force passwords significantly. Even if the time looks fine on this chart, it may not be fine if more powerful machines target the password.
Password recommendations 2024
- Always include numbers, upper and lowercase letters, and symbols, provided that the app or service supports this.
- Pick 16 or more characters, again provided that the service or apps support the number.
- Always use unique passwords.
Since it is impossible for most users to remember lots of unique 16 character passwords, it is recommended to use a password manager. You could give Bitwarden a try, it is open source and there is a free version available. The pro version has extra features and costs only $10 per year.
Improve security further
Certain attacks may reveal passwords without need to brute force or crack them. This is the case for phishing, which attempts to lure users on fake sites or get them to use fake apps to steal their credentials.
Two-factor authentication adds a second authentication step. While it sounds complicated on paper, it is not really.
What you need is an authenticator app and a few minutes to set up the security feature for important accounts. When you sign in next time, you still provide username and password in the first step, and then a code generated by the app in the second step.
If a threat actor steals the username and passwords, either through brute force attacks or other means, access is still prevented thanks to the second layer of security.
What about you? Do you use a password manager and two-factor authentication? How fast would your passwords be cracked?
I am struggling with passwords on my computer. First, I changed my password to “BeefStew” but the computer told me it wasn’t Stroganoff. So, Changed my password to fortnight but apparently that’s two week.
It was LATER suggested I use CAPITALS so I’ve changed it to LONDONMADRIDROME.
Yay, I’ve conqured the password woes.
Looking at the chart, with 9 or more characters of Numbers, Upper & Lower case Letters & Symbols, the password can’t be cracked for 479 years. We’ll all be long gone by then, so 9+ characters of the 3 types should be fine. Appreciate the article and chart.
In terms of probabilities only. With luck on our side we win at a lottery, at the casino, with luck on his side a hacker could crack a substantial password on the first attempt :)
What are you trying to protect from a brute force attack?
Many website will lock you out of your account after too many failed attempts.
I think (maybe) some also make you wait a while after entering an incorrect password.
Some require entering a 2FA code that is sent by text to my phone and must be entered before logging in.
So again, what are you trying to protect from a brute force attack?
It makes little sense to try and brute force accounts online. Passwords or password databases available locally, on the other hand are the main target for this type of attack.
That ‘Hive’ chart reeks of plagiarism
2023 on a different site.
https://specopssoft.com/blog/hashing-algorithm-cracking-bcrypt-passwords/
Almost identical, apart from using twelve cards instead of one card and few obvious flaws in the older chart.
And you can extrapolate most of it from a 2022 benchmark on github of HASHCAT running on a rtx4090.
https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb422222fd
184k hash/sec for regular bcrypt. 187/192k hash/sec for bcrypt in md5 and sha1 mode.
Apply some variance for over/under clocking, different driver/cuda version etc.
From there you just look at size of keyspace and divide with rate to get time for searching keyspace. Apply the usual caveat that there is a 50% chance of finding it before searching the whole keyspace, so on average you only need half that time per password.
2020 another site was having a little fpga board project beating that massively on TCO and running cost parameters compared to buyng and running best available GPU (and the computers to fit them in), using pre-2010 fpga boards from cryptominers who have moved on to better boards.
But it is all a bit academic. Lots of passwords are not stored in bcrypt. And like Harro pointed out in a earlier comment, 12 rtx 4090 is not the real enemy, even IF (and thats a big if) you are dealing with a leaked password database. Then you are looking at people using rented cloud compute (cheap) or organizations with professional equipment (at minimum fgpa farms, but all the way up to “custom silicon”). GPU is old hat doe this, just like bitcoin miners all moved to custom silicon.
Bcrypt is (was) mostly a thing on linux/unix and friends for storing user login passwords. There is a whole history lesson buried there.
Your comments about passwords does not take into account the reality that most important sites, like banks, only let you get a password wrong three times before you are forced to wait for the opportunity to try again. Even with AI this will still take years for even an 8 character password.
“1,2,3,4,5…..thats amazing I have the same combination on my luggage!”
I think there is some paranoia in making a password more than 20 characters. For one thing if it’s a password for logging in to a website, a password guessing program isn’t going to be able to guess at some insane maximum rate because they will be rate limited by the server. Even 20 characters is overkill for that. Master passwords should be long because the database could be brute-forced if someone got a hold of it and it holds all of your other passwords.
Martin you have often written about KeePass, and praised it. Now you only mention Bitwarden.
Anyway I use Keepass, great software. Not only to make strong passwords, but also the history component, adding attachments and notes.
Still using KeePass as my main password manager. Great program.
Thank you Martin.
All my passwords are alphanumeric and exceed 20 characters, so actually more than in the Hive chart which only shows 18 maximum. I’m also a Keepass fan and have been using it for quite a number of years already. Although it’s FOSS I do contribute a few euros every now and then as a sign of my appreciation to the developer.
Keepass is so easy to use and once you’ve created the master password it’s just a case of copy/paste to access all the sites where I have accounts. In fact, I don’t have a clue what all my passwords to sites are since only the master is necessary to remember.
12x 4090 seem kinda low…especially since a fast Google search reveals one can easily rent 14 of them for around $6 per hour and there’s a high availability of ex-mining datacenters full of RTX 20xx, 30xx and 40xx cards. Make it 32, 64 or even 128 because if someone really wants your password, they’ll happily pay even $1000 per day.
I use 32 characters, upper/lower/numbers/symbols (to the extent of what is accepted by a website) unique passwords.
Two-factor authentication only when required by the website.
No authenticator app for the time being.
Bitwarden is my password manager for the Web.
I use as well an encrypted local password manager app with which I create and save my logins. Bitwarden came after and I don’t use it to create passwords, hence local password manager serves as well as a backup.
@bruh
Your passwords in a physical notepad are no doubt in plain text.
Store them in KeePass, and your same data is thoroughly encrypted. Even if you do not use any other features of KeePass, you can keep to your same routine, but with less worry about anyone ever reading your list of passwords. I’m not saying you ever worry, but just because you are not paranoid doesn’t mean you are not being followed.
I should add that my own most valuable (financial) passwords are not in KeePass at all, they are on a slip of paper in a file drawer, same as you might use. A password manager is real handy for dozens of less critical web sites, each with its own URL, unique login ID and password. Once set up, signing in is a breeze everywhere I want to go. All I need is my single “master password” to the KeePass database.
My rat does not race, he takes the shortcut.
Never had issues storing passwords in notepads (both digital and physical).
I do not understand why someone people like to get caught up in the rat race, whether it’s security, or operating systems, or the latest digital or real life trend. Is your life so empty that you can spare the capacity to constantly think about this stuff?
To the “password manager” crowd: why do you use one? Were you specifically hacked/breached because you used lazy passwords? Did somebody stumble upon your list of website passwords which was stored in plain text, and you vowed “never again”? I bet for most of you, the answer is “no”. The next question is: Does using one make you feel better, superior perhaps to the normal folk? (If not consciously, maybe subconsciously…)
Maybe I am crazy, but I will use something until either:
1) I don’t want to use it any more for some reason
2) It’s unable to do the job it’s supposed to
If something works and hasn’t been severely obseleted by a direct upgrade, I’ll just use it, for years, for a decade+ in some cases.
Part of having a stable system definitely requires mental stability from the end user…
Not here to diss, just want to hear genuine thoughts.
I forgot to mention that the only time my passwords got hacked was when I was stupid and downloaded and ran something from a questionable website, I knew the risks and still did it. It was all on me.
Agree. People’s lives are THAT empty. As I read news about wars right now, I’m thinking these people who always complain about movies/series/games being this and that, wearing tinfoil hats and beagging about security.
They really need a war on their own soil where they have to fight for their lives every day. After that they will be cured and will no longer care about movies, games or what browser they use.
They have more complex passwords than you, they have more accounts than you, they have a plan when they lose their password manager (encrypted database).
They only need to memorize one really long password (for their DB).
They are not you. It really is easy.
@bruh, to answer your questions as far as I’m concerned,
> “why do you use one?”
Because the ratio “what it brings”/”hassle of using it” is greater than 1
Nevertheless I do believe that the ratio increases within an unsecured personal environment : PC or smartphone, if PC at home or at business, if at home, alone or within a crowded family, frequent friends/visitors lurking on the screen & keyboard to use the PC?…
> “Were you specifically hacked/breached because you used lazy passwords? Did somebody stumble upon your list of website passwords which was stored in plain text, and you vowed “never again”? I bet for most of you, the answer is “no”.”
I’ve never used lazy passwords nor same password(s) for different sites, apps, whatever requires a credential.
I don’t think the guide should be one’s personal experience but rather probabilities : not encountering an issue doesn’t mean one’s “lazy” approach is the best, it only means the odds were in his favor.
> “Does using one make you feel better, superior perhaps to the normal folk? (If not consciously, maybe subconsciously…)”
Subconsciously, no idea, but I don’t think so given I cannot imagine in what building a privacy and security environment has anything to do with pride. If friends come along I may happen to be proud of a tweak I figured out, of a design, skin I created … but in what could I be proud of in using a password manager? If I were snob maybe could i say “OK it’s only a password manager but if you guys knew how much I’ve paid for it you’d be applauding my high fashion attitude extended to the most simple matters”. In my case, I’m in no way snob. Functionality and ease of use is another credo, mine anyway :)
I use a password manager. Peace of mind.
Never got hacked but got some data about me from 2 or 3 data breaches. All together, dark web knows:
* my old physical address
* my old phone number
* my old facebook id
* my old email
I took steps to change older data when possible.
Additionally, I once got an email saying they had a video of me playing with myself, since they knew my password, which was ks5dhfj3ks1hf (example). Thanks to having custom passwords, I knew exactly where it had been leaked.
So, using a password manager is part of a layered protection to reduce the probability of getting on the bad side of these leaks.
@bruh > “Never had issues storing passwords in notepads (both digital and physical).”
Obviously they should be stored encrypted too because plain text is absolutely madness. Unless you are store them under some kind of disk encryption like Bitlocker, Truecrypt of Linux’s one.
I’m a long time fan and admirer of KeePass, a local password manager. I don’t trust anything in the “cloud” to store my passwords. Some people complain that KeePass has a clunky old interface, but I think that’s an advantage. No colorful flashy meretricious childish gingerbread to distract from the serious purpose. Gets the job done, and done well.
As to length of passwords, it’s easy to come up with words that are both lengthy and memorable. One technique if you are typing it yourself is to use a name or phrase that has lots of letters to begin with, such as San Francisco Wharf, then mix up the capital letters a bit and toss in some numbers and punctuation, to create saN!20franciSco^59whaRf. Or use KeePass to generate one for you, lengthy and random.
I’d also add in a suggestion not to fall for the dumb “Challenge Questions” like “What’s your favorite color”, which can be guessed pretty fast (red, yellow, blue?). The correct answer to “What’s your favorite color” is M74rsp!qd. Or FrankliN#63#roosevelT.
Now watch somebody crack that in 10 seconds!
I agree 100% about the answer that must be given to the “your favorite color” question. However, I disagree about Keepass because you are letting someone else to have your keys and passwords. With few words, the only person that you should tell a secret is yourself and only yourself, because all people have friends and couples. And even your friends may become traitors (your enemies will never betray you, just because the simply fact that they are just your enemies). You know.