Specops Software, an Outpost24 company, has released new research on bcrypt-hashed passwords and how easy (or not) they are to crack. The research follows previously released data on how long it takes attackers to brute-force MD5-hashed user passwords with the help of newer hardware.
bcrypt is an increasingly popular way to protect stored passwords because it is a deliberately slow hashing function rather than a fast general-purpose one. It also mixes a random salt into every hash, so two users with the same password get different hashes and an attacker cannot reuse a precomputed table of hashes; each stolen hash has to be attacked individually, one guess at a time.
The research found that a bcrypt hash takes time to make but also takes time to break. A threat actor might give up, lack the computational power, or simply give security teams the time needed to notice suspicious activity. Even with faster hardware, bcrypt remains time-consuming to attack by brute force thanks to its configurable cost factor: each increment of the cost doubles the number of rounds, so the defender can keep raising the per-guess price as hardware improves.
However, bcrypt hashing cannot prevent password compromise altogether. Short, non-complex passwords can still be cracked relatively quickly, highlighting the huge risk of allowing users to create weak (yet very common) passwords. Once a password is longer than eight characters and mixes character types, the time to crack it grows to the point where exhaustive search becomes impractical for attackers.
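The following is an added example, not code or data from Specops or Outpost24. It models the two bcrypt properties the research relies on, a random salt per hash and a cost factor that doubles the work with every increment, using hashlib.pbkdf2_hmac from the Python standard library as a stand-in for bcrypt (which is not in the standard library). The password, wordlist and the 95-character alphabet are constructed for the demo; the timings it prints are for the machine it runs on and for this stand-in, not bcrypt benchmarks.

```python
# Added example (not Specops/Outpost24 code): salted, cost-scaled password
# hashing modelled with PBKDF2 as a stand-in for bcrypt, plus an offline
# dictionary attack against one stolen record and a crack-time estimate.
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

DIGEST_LEN = 32  # bytes of hash output for the stand-in KDF


def hash_password(password: str, cost: int,
                  salt: Optional[bytes] = None) -> Tuple[bytes, int, bytes]:
    """Hash with 2**cost rounds, mirroring how bcrypt's cost parameter works.
    A fresh 16-byte random salt is drawn when none is supplied, so two hashes
    of the same password differ and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, 2 ** cost, DIGEST_LEN)
    return salt, cost, digest


def verify(password: str, salt: bytes, cost: int, digest: bytes) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _, _, candidate = hash_password(password, cost, salt)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(wordlist: List[str], salt: bytes, cost: int,
                      digest: bytes) -> Tuple[Optional[str], int, float]:
    """Offline attack on one stolen (salt, cost, digest) record. Every guess
    must be re-hashed at the full cost with the victim's salt, which is what
    makes short wordlists cheap and exhaustive search expensive.
    Returns (recovered password or None, guesses made, seconds elapsed)."""
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, start=1):
        if verify(guess, salt, cost, digest):
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def seconds_per_guess(cost: int, samples: int = 5) -> float:
    """Measure the cost of a single guess at this cost factor on this host."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hash_password("timing-probe", cost, salt)
    return (time.perf_counter() - start) / samples


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              per_guess: float,
                              guesses_in_parallel: int = 1) -> float:
    """Worst-case time to try every password of exactly `length` characters
    from an alphabet of `alphabet_size`, at `per_guess` seconds each, with
    `guesses_in_parallel` hashing lanes (cores, GPUs) running at once."""
    return (alphabet_size ** length) * per_guess / guesses_in_parallel


if __name__ == "__main__":
    # Constructed demo data: a weak password and a tiny wordlist containing it.
    weak = "password123"
    wordlist = ["123456", "qwerty", "letmein", "password",
                "password123", "summer2024"]

    # Same password hashed twice: different salts, therefore different digests.
    s1, c, d1 = hash_password(weak, cost=8)
    s2, _, d2 = hash_password(weak, cost=8)
    print("salts equal:", s1 == s2, "| digests equal:", d1 == d2)

    found, tried, secs = dictionary_attack(wordlist, s1, c, d1)
    print(f"dictionary attack: recovered={found!r} "
          f"after {tried} guesses in {secs:.4f}s")

    # Raising the cost from 8 to 12 makes each guess 16x more expensive, and
    # the estimate scales with it; 95 is the printable-ASCII alphabet size.
    for cost in (8, 12):
        t = seconds_per_guess(cost)
        years = exhaustive_search_seconds(95, 8, t) / (86400 * 365)
        print(f"cost {cost}: {t * 1e3:.3f} ms/guess; "
              f"95^8 keyspace worst case {years:.1f} years on one lane")
```

The point the research makes falls out of the numbers: a password that appears in a wordlist is found after a handful of guesses regardless of cost, whereas exhaustively searching 95^8 candidates at a realistic cost takes years per lane, and every extra character multiplies that by 95. The `guesses_in_parallel` parameter is where attacker hardware enters the estimate; raising the cost factor is the defender's matching lever.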
This research coincides with an update to the Breached Password Protection service. This month, over 21 million compromised passwords were added to the list. Recently, Specops announced a new continuous scanning capability for its Breached Password Protection tool.