New Specops Software research shows how long it takes modern attackers to brute force user passwords. Plain-text password storage is now rare, so attackers have to adopt password cracking methods to make use of the majority of (hashed) password leaks. However, with the help of newer password-cracking hardware and software, the time needed to crack passwords is now considerably shorter.
Darren James, Senior Product Manager at Specops Software, states “the recent headline-making news of the possibilities of AI have some security researchers and IT teams wondering what this technology means for password security. We’ve long known that passwords are vulnerable to brute force cracking attempts. Recent advancements in automation and hardware have made these attacks all the more accessible for today’s cybercriminals.”
Below is a breakdown of the time it takes to crack passwords:
A strong password that takes a substantial length of time to crack must contain numbers, symbols, and both lower- and upper-case letters, and be 10 characters long. This will buy you 3 years. If your password is 11 characters long and follows the same creation method, it will take 279 years: unfortunate, but an issue for the many generations that come after you.
By contrast, if your password is only 8 characters long and only contains numbers, it will be broken ‘instantly’.
Also, if you are using a password that has already been compromised, you may as well pack your bags and close the account, because hackers will again break into it immediately. This is why security best practices always advise against password reuse, no matter how long the password is.
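The relationship between length, character classes and crack time described above can be reproduced with a short estimator; this is an added example, not code or data from the Specops research. Assumptions: a 94-symbol printable ASCII alphabet, a guess rate calibrated from the article's "10 characters, 3 years" figure, and full search-space exhaustion; the function names and sample passwords are constructed.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The character classes the article names: numbers, letters in both cases, symbols.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)  # 10 + 26 + 26 + 32 = 94

# ASSUMPTION: guess rate calibrated so that exhausting every 10-character
# password over all 94 symbols takes the article's 3 years (about 5.7e11/s).
GUESSES_PER_SECOND = 94 ** 10 / (3 * SECONDS_PER_YEAR)


def alphabet_size(password):
    """Size of the smallest union of character classes that covers the password."""
    if not password:
        raise ValueError("empty password")
    used = set()
    for ch in password:
        matches = [cls for cls in CLASSES if ch in cls]
        if not matches:
            raise ValueError(f"character {ch!r} is outside the modelled classes")
        used.add(matches[0])  # classes are disjoint, so there is exactly one match
    return sum(len(cls) for cls in used)


def estimate_seconds(password, compromised=frozenset()):
    """Worst-case time to exhaust the search space implied by the password."""
    if password in compromised:
        return 0.0  # already on a leaked list: found by lookup, length is irrelevant
    return alphabet_size(password) ** len(password) / GUESSES_PER_SECOND


def describe(password, compromised=frozenset()):
    """Human-readable estimate for use in a password-policy report."""
    seconds = estimate_seconds(password, compromised)
    if seconds < 1:
        return "instantly"
    return f"{seconds / SECONDS_PER_YEAR:,.1f} years"


if __name__ == "__main__":
    leaked = {"Summer2023!Summer2023!"}  # constructed stand-in for a breach list
    for pw in ("48291057", "Tr4il#mix!", "Tr4il#mix!Q", "Summer2023!Summer2023!"):
        print(f"{pw!r:28} {describe(pw, leaked)}")
```

Under this calibration the 11-character case comes out at 282 years, close to the article's 279, and the 22-character leaked password is reported as cracked instantly despite its length.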
The full research can be found here.