
How Long It Would Take A Hacker To Brute Force Your Password In 2023, Ranked

Modern day security measures are a good way to keep things in check, but if someone really wants to get into your accounts, this is how long it'd take them based on your password.

Cyber security company Hive Systems sells services that help tighten online security and, to highlight its concerns, releases a password table each year. The table is a technical look at how long it would take an attacker to brute force one of your passwords, depending on the password's length and composition.

This year's table includes timely additions, such as ChatGPT, describes the limitations the company ran into, and lists its methodology. The methodology is what gives the numbers their meaning: the estimate models an attacker who has already obtained password hashes (from a breach such as the LastPass one) and is hashing guesses on their own hardware, not someone typing guesses into a login form. Lockouts, CAPTCHAs and rate limits on a website therefore do not slow this attack; only the password's length and character set and the cost of the hashing algorithm do. Several commenters below note that the figures assume fast MD5 hashing; a deliberately slow, salted algorithm such as bcrypt, PBKDF2 or Argon2 raises the cost of every guess by orders of magnitude and stretches every number in the table accordingly.


[Table: time it takes a hacker to brute force your password in 2023 (Hive Systems)]


  • Passwords that use only numbers are the easiest to crack: by the table's estimate, an account protected by one can be compromised within a week.

  • Passwords of six or fewer characters offer essentially no resistance to an attacker.





H/T: Hive Systems.


Comments

  1. Daisy Karen 10 months ago

    What about it timing out after three failed attempts? There's a lot more that goes into cyber security than a program trying to guess a password..

  2. Tqnkata 10 months ago

    This is absolutely wrong. Please re-run your tests, but with a modern-day password hashing algorithm like Argon2, and give us the results.

  3. Jeff Prado 10 months ago

    The chart should be username and password... there are no websites without the two.

  4. Klaus Wassermann 11 months ago

    The values given in the table are averages

  5. Blake Harvey 11 months ago

    None of that matters when it sends me a text and email of my new login from "blah blah" device and asks for the code they sent me.

  6. My 5-billion-year password just isn't cutting it anymore

  7. Fernando F. Gallego 11 months ago

    For those saying that websites don't allow you to do brute force, let me remind you that it is quite easy to download leaked account data that contains usernames and hashed passwords. It's possible then to generate thousands of combinations per second on a local computer until the hashed combination matches the leaked password hash, so the password is guessed and has to be input on the website only once. Hopefully the hash is salted so it doesn't match with a standard hashing function.

  8. Oatie:) 11 months ago

    Easy secure passwords in a nutshell. Fuck password managers, that's worse than keeping a physical notebook.
    Pick a few numbers - Pick a few symbols - Pick a decent length phrase.
    Example:
    1981
    *-(
    If I have to make a new password one more time I'm going to lose it.
    Password:
    19*Iihtmanpomt-81igtli(

    Pick places where it makes sense to you for numbers/symbols, spread them out. Use only the first letter of each word in the phrase.

    Don't do full phrases. "Jack and Jill ran up the hill": password brute force with word lists is way more common and easy to use nowadays. I'd been using word lists and phrases more than a decade ago and was fairly successful in breaking log-ins.
    Ex-blackhat.

  9. Brian Bergin 11 months ago

    These kinds of articles do a major disservice to all the readers. The advice being offered is decades out of date. There's a very simple way to ensure that your passwords are as safe and secure as they can be. First up, get a password manager like Keeper and use a passphrase to secure the password manager along with two-factor authentication. If you aren't interested in using a password manager, such as Keeper, then start to use passphrases rather than thinking about passwords of mixed numbers, letters and symbols. Jack and Jill ran up the hill... is a much more difficult password to crack than a shorter, random one. My passwords are always as long and as complex as any website allows. And while you're at it, turn on 2FA for every website, service, and account that you have that has it available. Banking, investments, social media, email, and even Amazon.

  10. Tony Conz 11 months ago

    My issue is that I can't remember a long or complex password, so there is a trade off. Write all of my passwords down making it extraordinarily easy to get into my account if found, or use the same simple password. At least they would have to take some swings before they could get in that way. For this reason I feel that shorter, regularly used, less complex passwords are better.

    1. Tom Groves 11 months ago

      One thing I learned as a chess player is that chess notation works very well as a password. For example, f3e4g4??Qh4# is the Fool's Mate and contains Uppercase, Lowercase, numbers and symbols but can be remembered easily by associative learning. Picking multiple difficult to hack but easy to remember passwords is just based off remembering several chess openings or sequences.

    2. Brian Bergin 11 months ago

      I promise you that "shorter, regularly used, less complex passwords" are definitely not better. If you have a problem remembering passwords I recommend you do two things. First, get a password manager and use a passphrase to secure the password manager along with two-factor authentication. Two, if you aren't interested in using a password manager, such as Keeper, then start to use passphrases rather than thinking about passwords of mixed numbers, letters and symbols. Jack and Jill ran up the hill... is a much more difficult password to crack than shorter passwords like you describe.

    3. Machete & Doggie LLP 11 months ago

      Tony, your password has been compromised if you're doing this. I can guarantee you will find it on the internet. If you were password literate you would know short, regularly used, less complex is insanity. Seriously. What you need to do is get a password manager. It's an app on your computer and phone. It integrates with your browser. You enter a COMPLEX password in your password manager, keep a copy or three somewhere safe like at an attorney's, memorise it and you use it to open your manager on your phone and computer. The manager remembers your usernames and very complex passwords it itself generates for you.

  11. Benjamin Scully 11 months ago

    Correct me if I am wrong, reading the comments seems to tell me that I should have a unique password for each site and if possible, a unique username.

    1. Tony Conz 11 months ago

      Then you have to write them all down to remember it all, eliminating any security you may have had. 😂

      1. Machete & Doggie LLP 11 months ago

        It's 2023 and there is software for that. Also your list at home is a million times safer than your method of a short password you use everywhere. One of those sites will be compromised without you knowing and your bank will be open.

        1. Danny Wheeler 11 months ago

          Password keeper software advice is a tad goatsy, but while i have you please tell me your mother's maiden name, childhood street address, name of your first pet and your SSN(security reasons of course).

  12. Guía Oficial 11 months ago

    This article is valid only for apps like zip that don't block you after a number of wrong attempts... the title should be: set safer zip passwords

  13. 26tn years haha. That's mine and I don't even know what TN means

    1. Andreas Tillman 11 months ago

      26 trillion years

  14. Aaron Bredon 11 months ago

    This is just another "train people to use passwords that are easy for computers to guess but hard for humans to remember" column.
    See http://xkcd/936
    Using 4 common words randomly chosen from a list of 2048 produces a password that is hard for computers to guess, and as far as memorizing the password - by the time you have typed it into the password change form, you have already memorized it.

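The scheme comment 14 describes (words drawn at random from a fixed list, as in xkcd 936), as an added example that is not part of the article and was not posted by any commenter. The 16-word list is constructed for the demo, and the 10 GH/s guess rate used in the printout is an assumed figure for a GPU attacking a fast hash, not a number taken from the table.

```python
"""Random passphrase strength, as comment 14 describes (and xkcd 936).

Added example, not from the article or any comment. The word list below is
constructed for the demo; real lists are far larger (Diceware/EFF: 7776
words; the xkcd figure assumes 2048).
"""
import math
import secrets

# Constructed 16-word list: 4 bits per word. Strength comes from the size of
# the list and the *random* draw, not from the words being obscure: the
# attacker is assumed to know the list.
WORDLIST = ["apple", "brick", "cloud", "delta", "ember", "flute", "grape",
            "harbor", "ivory", "jungle", "kettle", "lemon", "maple", "nickel",
            "orbit", "pepper"]


def entropy_bits(list_size, words):
    """Bits of guess-resistance for `words` uniform draws from `list_size`.
    Applies only to words the program drew at random; a phrase you already
    know (a nursery rhyme, a song line) is not a uniform draw."""
    return words * math.log2(list_size)


def password_entropy_bits(charset_size, length):
    """The same measure for a uniformly random password over a character set."""
    return length * math.log2(charset_size)


def words_needed(list_size, target_bits):
    """Smallest number of words that reaches a target strength."""
    return math.ceil(target_bits / math.log2(list_size))


def generate(wordlist, words=4, sep=" "):
    """Draw with the OS CSPRNG via `secrets`, never `random`, whose generator
    is seeded predictably and was not designed for secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole space at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    ASSUMED_RATE = 1e10   # assumed: 10 GH/s, a GPU against a fast unsalted hash
    print("example:", generate(WORDLIST, 6))
    rows = [("4 words from 2048", entropy_bits(2048, 4)),
            ("6 words from 7776", entropy_bits(7776, 6)),
            ("8 random printable chars", password_entropy_bits(95, 8)),
            ("12 random printable chars", password_entropy_bits(95, 12))]
    for label, bits in rows:
        print(f"{label:26s} {bits:5.1f} bits, "
              f"{years_to_exhaust(bits, ASSUMED_RATE):.2e} years at 10 GH/s")
    print("words from 7776 needed for 80 bits:", words_needed(7776, 80))
```

Four words from a 2048-word list come to 44 bits, below a truly random 8-character printable password (about 52.6 bits) but far easier to remember, and each extra word adds another 11 bits; six words from the 7776-word EFF list pass 77 bits. The calculation says nothing about a phrase a person picked by hand, which is why the word draw has to come from the CSPRNG and not from memory.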
  15. Malcolm Fletcher 11 months ago

    Nah, I would disagree, mostly because nearly every system on the planet is coded such that it prevents brute force attacks! Bruteforce effectively means using every possible combination of digits with a username. Firstly, they need to know the username.. admittedly with all the data leaks.. many are out there! But then comes the brute force. Most systems will lock you out after 3 or 4 attempts. This is rubbish..

  16. Dicky 11 months ago

    All of the experts in these comments are talking about hash and codez and whatnot. But to me, a simple person, it's still better to have a longer password with alt characters than a simple 8-letter pw, isn't it?

    And since reading the comments just makes me feel stupid, can someone please just tell me a good password to use?

    1. Niels Boehm 11 months ago

      Mine is "correct horse battery staple" and I've used it for years and never had problems /s 😜

      (Sharing passwords publicly is a bad idea and I hope you asking for one was a joke as well 😅)

  17. Wutzmyname 11 months ago

    1 million years and only one fuqup to get in instantly.

  18. Cold Savage ALT1 11 months ago

    While my Gmail password is much more insecure than my phone's password (16N/Upper and lowercase letters)

    1. Cold Savage ALT1 11 months ago

      I'm still extremely confident 😂

  19. TotalBC Inc 11 months ago

    Ximplify, I agree with your 2FA and number of retries, but I think you are missing the forest for the trees. Also, I don't think the article is well written, but this leans more to documents, I would think, that the password protects also. Example: we purchased a company and there were some encrypted spreadsheets etc. We were able to hash 90% but a couple of the old employees were more hyper security sensitive and did a stronger pswd/encryption. Plus, believe it or not, a lot of people still don't use 2FA

    Anyone that has any documents, or anything of the such protecting passwords, this is a good article for them because the chart is pretty spot on. But as I said, it's not explained well at all.

  20. Ximplify It 11 months ago

    My ATM Pin has only 6 characters and it can only be numbers. Can it be easily hacked?

    Obviously NO!!!

    Why? Because if you make 3 wrong attempts, the card is disabled!

    Assessing security by the complexity of password is simply too childish. A proper system would NEVER allow consecutive wrong attempts!!!

    Another point to note is that when password is too complex and long, what happened is that people have no choice but to write it down somewhere, or use a password with long length and has a certain pattern.

    The other common 'expert' advice to create a long and secure password is to use the initial characters of your favourite phrase, so Star Wars fans' passwords would all likely be Mt4bwu...

    In short, it is pure bunkum to measure security by password length, a more appropriate way is to disable it after a number of tries, add in incremental delays (such as what Apple and Samsung did by adding time penalty for wrong password), as well as having 2FA.

    Blindly adopting password length and complexity requirements would make it less secure, and as a hacker, this actually helped me to remove lists of passwords that I do not need to try (e.g. all passwords less than 8 chars and those that do not have mixtures of numbers, letters and symbols).

    1. Erik Kantone 11 months ago

      You miss the way hackers work. They steal entire databases of user credentials. And then they start brute forcing the entire database and collect numerous accounts.

      So, if you have an account somewhere using an 8-char password, and their site is hacked and the user DB is stolen, nothing will stop the hackers from getting your username and password.

      1. Machete & Doggie LLP 11 months ago

        Yes

  21. SacramentoJr Zuniga 11 months ago

    So out of this website all I hear is use more than a couple brute force computer things💀

  22. SilverStar Heggisist 11 months ago

    I used to have a 60+ character password for my home wifi. It was random letters, numbers, symbols and cap letters that I key mashed into the system. I then made it a word document on a flashdrive, because that was the only way to put the password in other devices.

    I later shortened it to 23 characters because my PSP wouldn't let you put enough characters in to input a password like that.

    1. Teresa Lloyd 11 months ago

      Damn paranoid much.. just for wifi...?

      1. Joanthan Miller 11 months ago

        That's not paranoia, it's encryption. 🙂💯

        1. Danny Wheeler 11 months ago

          A solid password yes, but encrypted it is not. By definition encryption converts data from plaintext to ciphertext; an encryption key or password would be what unlocks an encrypted data set. A strong Wi-Fi password in itself doesn't translate to encryption.

  23. caleb hanson 11 months ago

    This article is bold clickbait, and totally irresponsible.
    1. This "study" is based on MD5, a hashing algorithm that is known to be easily compromised with brute forcing. Most modern sites use AES 256 at a minimum, much slower to crack, sometimes by a lot, depending on how the hash is generated.
    2. For people talking about websites blocking retries: this is not referring to that kind of attack. This is assuming that a hacker has your password hash and understands the hashing algorithm and is (offline) trying to brute force match the hash. This is how the LastPass leaked data would be cracked, for example. A website's protections don't factor into the equation.
    3. A much more important factor now is whether your password is common, and appears on a "rainbow table" - a file that leverages the most commonly used passwords to find the hash for your password. Hackers start there, testing the most common passwords. Brute-forcing is not an efficient way to crack passwords hashed with modern encryption.
    Have I Been Pwned has an online password checker that compares a password to known lists used for rainbow tables, if you want to check it out.

    1. caleb hanson 11 months ago

      *SHA 256, not AES. Coffee hasn't hit yet…

  24. F1rst World NomaD 11 months ago

    My basic password would take 15,000 years to crack...
    Guess I don't need to change it 🤣

  25. Dante 11 months ago

    Just wondering: security keys have started popping up on my news feed, and some programs allow me to opt out of a password and only use my key. Would that be more secure, since I can't be logged in without my physical device?

    1. TotalBC Inc 11 months ago

      Yes but make sure you have a backup way to access. Look at DUO

  26. J Hisey 11 months ago

    Can you all not read? The title clearly says "in 2023". That means using today's technology.

    1. Matthew Knight 11 months ago

      While there are security flaws in the two-factor security implementations, a device like the YubiKey still helps as a second layer of security. The reality is there is no such thing as security. Someone is always going to figure a way.

  27. Seth NoWai 11 months ago

    To be fair, it depends on what the password is for and what measures are taken to make it harder. Like a lot of websites won't allow you to guess infinite times, then may add a captcha after a few attempts; also they might have some sort of "soft ban" on the account if there are too many attempts, which can also be IP/location based, so the owner might not even notice. For your password-protected files, depending on what it is, you also can do things to increase the delay between attempts; it might mean that you need to wait a few seconds before it opens or tells you about a wrong password, but so does the person doing brute force for every attempt.

    Still, 2FA can be an easy solution for online stuff, a minor inconvenience, but it does prevent guessing. Of course there are ways around that too, but anything that makes it harder for a hacker will help reduce the pool of people who will try, unless you are someone they will target specifically.

    Though in my experience working for a company that also offers mail boxes for subscribers, brute force password attacks on online services are rare; it is way more common for attackers to resort to phishing and malware. And that can get around even 2FA, as Linus from LTT recently found out.

    That being said, 6 or 8 character passwords still should be thing of the past. 12 characters should be minimum.

    1. Erik Kantone 11 months ago

      You are missing the point. Hackers are not brute forcing your account through a website. They steal the company's database. Then they brute force the entire database. No soft ban or 3-tries security will help you there.

  28. Aaron Love 11 months ago

    The best way to stop hackers, is by threatening to eat their ass like a pot of collard greens if they're caught doing so.

    Problem solved.

    1. Phillip Bouie 11 months ago

      "Eat their ass like a pot of collard greens..." Seriously, you might wanna use different analogy next time, some people like that freaky deaky shiznit. To them that sounds like part of the reward not a punishment. J/S!!

      1. Danny Wheeler 11 months ago

        To be fair, who doesn't like collard greens, eat that like groceries

  29. Steven Bew 11 months ago

    Yes let's not forget that most password protected websites only give you a limited amount of attempts. This chart is only accurate if that is not taken into account.

    1. Andrew Meyer 11 months ago

      Password cracking isn't done by actually trying various passwords directly on a site. When a site has its passwords stolen it is generally the encrypted file of passwords. In simplest terms a hacker "cracks" a password by encrypting strings of characters until they get a match against the stolen encrypted password table.
      Quite often users will use their email address as the username and reuse the same password in multiple locations.
      Now the hacker can try logging into target sites using that username and cracked password.
      The hacking isn't generally targeted at an individual rather they just become a means to an end to gain access to sites, or become a target because they had a weak password.

      1. TotalBC Inc 11 months ago

        Exactly

  30. Christopher Punton 11 months ago

    So 123456 not good any more, damn 😕

  31. Chris Page 11 months ago

    Still far too many online services have a maximum password length, 12 characters seems surprisingly common

  32. A A 11 months ago

    This also depends on how many people would even want to hack someone's account. If there's more than 1000 kids trying to hack Elon Musk's twitter account then probably more or less a year even with the maximum password? I mean, this is why we should have 2FA in the first place.

  33. HotRod 11 months ago

    77m years, let's check again in a couple years.

    1. Joanthan Miller 11 months ago

      Exactly. 🤣

  34. Quantum computers are a game changer. Don't trust the estimated time; when we were in high school a ten-character password took years to crack.

  35. Liam Kuh 11 months ago

    And 12m years later, the hackers finally cracked my Gmail and its nothing but spam mails waiting to be opened and became victim to click baits :] LOL.

  36. Scott Miller 11 months ago

    These estimates aren't accurate. I mean, surely computers will get better at this within the next 5 billion years.

  37. Koma Kg 11 months ago

    I have i hash if you all are pro to crack it.

  38. I like that 2bn years is only yellow, but 48bn years, now that's a good password.

  39. D7M 11 months ago

    My password is 40+ lowercase & uppercase characters, numbers and symbols. Also my personal application authentication system hashes your password more than 12 times AND it has a secret algorithm before it does all of that. I can't say it because the app is not released yet. Even if it was released I can't say it because it is supposed to be secret; this is my personal, not popular, application or website. When we are talking about big companies I'm pretty damn sure they use a stronger way than me by many many times. Unless you have a crap password like mypassword123 that everyone can guess easily, the best way to not get your password or information stolen is by using a 20+ character password including lowercase & uppercase characters, numbers and symbols. Don't ever save it in your password manager, because if you installed a virus it can grab it easily. Log out from the most important things after you're done with them. Don't download sketchy stuff that you're feeling suspicious about. And finally, just relax.

    1. lukas Bolle 11 months ago

      Darn it I've the same password on my luggage

  40. Michelle H Merrick 11 months ago

    What I don't understand is that even with this brute strength computing power, how does a hacker get past what is generally 3 strikes and you're out?

    1. Steven Bew 11 months ago

      Exactly. This is old news and simply fishing for article views.

    2. Abe Nett 11 months ago

      Generally, they steal a database of hashed passwords from a company, then they have a database of passwords using the same hash and test for matches.

  41. 2Scoops Media 11 months ago

    This is why people don't like Velveeta.

  42. Unknown 11 months ago

    This is why we need to get rid of passwords entirely.

  43. Peter Marsden 11 months ago

    This is why you need a password manager: set a 20-character password, different for each account, and then let the password manager remember it

    1. besser nicht 11 months ago

      Oh yeah, then you have to hack only one piece of software to get all passwords. A password manager is a system to learn all passwords in an instant. Because programs have bugs, programming languages have bugs. It is really nice when you hack one program and get all passwords with login names in an instant. You can use a txt file and decrypt it; it is the same with fewer bugs. A txt file is safer then. XD

  44. Sam Haycraft 11 months ago

    It's all based on MD5 what a fucking joke, delete this whole thing lmao

    1. caleb hanson 11 months ago

      This 👆

  45. Brenda Hubsher 11 months ago

    Why can't there be a biometric login. It's not like someone is going to steal my finger prints. I know we are supposed to change passwords frequently, have a different password for each program, but that's just too much to remember, even if they are written down.

    1. besser nicht 11 months ago

      Because when your biometric login gets hacked you cannot use your finger again. Your biometric password is only a combination of ones and zeros. Biometrics is a dumb, unchangeable password and does not work when you are hurt

  46. João Branco 11 months ago

    Well. Just use a two-step login, the second step being a PIN-locked authenticator app running on your mobile. That should do the job...

    1. besser nicht 11 months ago

      Best on an old phone without any internet connection. Perfect. Then this mobile phone can not really be hijacked

  47. Brandon P 11 months ago

    So how long would a 40-digit pw with numbers, symbols (*&%), upper and lowercase letters take if 18 digits is 26 trillion years? Maybe my pw security is too high...

    1. besser nicht 11 months ago

      Do you save it somewhere? Like password manager

  48. Jay Mac 11 months ago

    I had my Hotmail and all my account hacked in seconds even with all the bells and whistles. If a hacker wants to get into your stuff it isn't hard at all. With enough schooling anyone can do it very easily. Anyone who thinks otherwise is a fool to the truth

    1. Brandon P 11 months ago

      Don't download shady viruses bro?

      1. Knightwolf 11 months ago

        The thing though, these days it's usually malware, but the attacks are more complicated; usually you want to steal the authentication token.

        With 2FA and password it is the same thing: when you get a virus of some sort the token is copied, which means their login is an exact copy of your computer.

        I recommend checking Linus Tech Tips' recently hacked video on YouTube, he explains more on that type.

        Malware can also be carried in a JPEG these days as well, when plugging a phone in at an airport https://www.malwarebytes.com/blog/news/2019/11/explained-juice-jacking

  49. Rich Rigney 11 months ago

    I offered Anyone on Facebook $10,000 if they could hack my password and it never happened. I will offer anyone here $10k if they can hack my Facebook, Yahoo, Google or Reddit PW. No, they aren't the same. Yes, you will surely fail. Of course the only way you get the $10K is if you succeed, don't attempt anything harmful should you miraculously succeed and you have to let me know and prove you succeeded. Happy hacking.

    1. Michelle H Merrick 11 months ago

      What are your id's on those systems?

  50. Sliv Sells 11 months ago

    Its old information

  51. Hate to break it to you all but your password is most likely being brute forced on their local pc, not against the original authentication server. This means that no amount of captchas or delays will help.

    How? Well if you've ever seen news articles of mass data leaks, then that's how.

    All the person needs is your hashed password, an inkling of the hashing algorithm used, and then they can simply run millions of requests a second through multiple gpus until one of those requests repeats the hashed password.

    Once you get a hash that matches the stolen hash then you know the password.

    Sucks but it is what it is.

    1. Shawn Baird 11 months ago

      Why brute force when users are all too keen to give away their passwords in phishing attacks.

    2. That's not how that works. I mean, the process is right, but you don't understand the theory of large hashing algorithms. The idea behind algorithms like SHA-256 is that they take into account the birthday problem, by design, and make sure that the roots of the hashes are not close to each other, nor sqrt(n). This ensures that algorithmic attacks like Pollard-ρ take as close as possible to their theoretical max runtime to break the log problem.

      Obviously this doesn't matter on old, bad hash algorithms, but newer, bigger ones like SHA-256/512 are only theorized to be brute forcible if/when quantum computing becomes a thing. If you had a way to break SHA-256, then you'd be a billionaire; it's a mathematically sound hash under current conventions. Even running millions of operations per second, a naive brute force attack on a strong hash would take until the heat death of the universe to solve the log -- about 7.3 novemdecillion years, to be precise.

    3. Joe 11 months ago

      Not if it's a decent hashing algorithm with something like PBKDF2. Then the delay is baked in to the algorithm itself.

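The attack comments 7 and 51 describe, together with the cost point made in reply 51.3 about PBKDF2, as one added example that is not part of the article and was not posted by any commenter. The breach rows, usernames, passwords, wordlist and rules are constructed for the demo, and the hashes are produced inside the script so it runs offline. It runs a dictionary-plus-rules pass and then an all-digits pass against the dump, then measures how much the hash algorithm alone changes the per-guess rate, which is the figure the table's years are extrapolated from.

```python
"""Offline cracking of a leaked hash dump, and why the algorithm sets the cost.

Added example: not Hive Systems' code and not posted by any commenter. The
breach rows, wordlist and mangling rules are constructed for this demo.
"""
import hashlib
import itertools
import string
import time

FAST = {"md5", "sha256"}   # about a microsecond per guess in this script
PBKDF2_ROUNDS = 100_000    # deliberately slow: tens of milliseconds per guess


def hash_guess(alg, salt, candidate):
    """Hash one candidate exactly the way the breached site did."""
    if alg == "md5":        # unsalted MD5, the case the table assumes
        return hashlib.md5(candidate.encode()).hexdigest()
    if alg == "sha256":     # salted: still fast, but precomputed tables are useless
        return hashlib.sha256((salt + candidate).encode()).hexdigest()
    if alg == "pbkdf2":     # salted and slow: the delay is baked into the hash
        return hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                   salt.encode(), PBKDF2_ROUNDS).hex()
    raise ValueError(alg)


def _row(user, alg, salt, password):
    """Constructed breach row (user, alg, salt, digest). Digests are computed
    here so the demo is self-consistent; a real dump arrives as hex strings."""
    return (user, alg, salt, hash_guess(alg, salt, password))


BREACH = [
    _row("alice", "md5", "", "letmein"),
    _row("bob", "md5", "", "90210"),
    _row("carol", "sha256", "x9Qp", "Sunshine1"),
    _row("dave", "pbkdf2", "7kLm", "dragon!"),
]

# Tiny constructed wordlist; real ones hold tens of millions of entries.
WORDLIST = ["password", "letmein", "dragon", "qwerty", "sunshine", "monkey"]


def mangle(word):
    """A handful of hashcat-style rules; real rule files have thousands."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word.capitalize() + "1"
    yield word + "!"
    yield word.translate(str.maketrans("aeos", "4305"))   # leetspeak


def crack(rows, candidates, cracked=None):
    """Hash each candidate against every still-uncracked row and record hits.
    The website is never contacted, so lockouts and CAPTCHAs do not apply."""
    cracked = dict(cracked or {})
    todo = [r for r in rows if r[0] not in cracked]
    for cand in candidates:
        for user, alg, salt, digest in todo:
            if hash_guess(alg, salt, cand) == digest:
                cracked[user] = cand
        todo = [r for r in todo if r[0] not in cracked]
        if not todo:
            break
    return cracked


def dictionary_attack(rows):
    return crack(rows, (c for w in WORDLIST for c in mangle(w)))


def digits_attack(rows, max_len, cracked=None):
    """Exhaust every all-digit string up to max_len, fast hashes only: 111,110
    PBKDF2 guesses would take over an hour, MD5 a fraction of a second."""
    fast_rows = [r for r in rows if r[1] in FAST]
    cands = ("".join(t) for n in range(1, max_len + 1)
             for t in itertools.product(string.digits, repeat=n))
    return crack(fast_rows, cands, cracked)


def guesses_per_second(alg, seconds=0.2):
    """Measure this machine's single-core guess rate for one algorithm."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_guess(alg, "s4lt", "candidate%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


def exhaustive_seconds(charset_size, length, rate):
    """Worst case for an exhaustive search: charset_size ** length guesses."""
    return charset_size ** length / rate


if __name__ == "__main__":
    found = digits_attack(BREACH, 5, dictionary_attack(BREACH))
    print("cracked:", found)
    for alg in ("md5", "pbkdf2"):
        rate = guesses_per_second(alg)
        years = exhaustive_seconds(95, 8, rate) / (365.25 * 86400)
        print(f"{alg}: {rate:,.0f} guesses/s on one core; "
              f"8 printable ASCII characters exhausted in {years:,.1f} years")
```

Run it as a script to see the cracked accounts and the two measured rates. The PBKDF2 row is still cracked, because its password was in the wordlist; what the slow hash buys is that each guess costs tens of milliseconds instead of a microsecond, so the exhaustive-search years printed for it are several orders of magnitude larger than for MD5. Salting defeats precomputed (rainbow) tables but, as the carol row shows, does nothing against a dictionary guess hashed per user.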
  52. James Harmon 11 months ago

    If your password is stored online, it can be stolen. This is why I write mine on paper, and am the only one with access to it.

    1. radiumsoup 11 months ago

      News flash: if you use a password on any internet site, then your password or password hash is already stored online. It's more important that you never reuse a password between any two services.

      1. Jay Mac 11 months ago

        Some ppl are so dumb it hurts. And I mean James.. I write it down so it doesn't get stored online... like wow, talk about stupidity

  53. James Harmon 11 months ago

    This is why there needs to be an hour wait between three consecutive failed logins.

  54. Sridhar Ayengar 11 months ago

    This is why you should use a passphrase.

    1. Brandon Nunn 11 months ago

      Agreed!

      Now, tell that to the ungodly number of sys-admins who still insist on capping password length at 16 characters...

      1. Jonny Somrak 11 months ago

        16 is definitely too short. But sometimes the limitations come with the technology used. The default PHP hashing algorithm relies on Bcrypt which has a limit of 72 chars and it silently ignores the rest.

        This demonstrates this limitation:
        https://onlinephp.io/c/351cf

        So I can't use more than 72 chars on almost all websites.

      2. Rich Rigney 11 months ago

        I agree passwords shouldn't have a cap on their length. The longer and more complicated the password the better and more secure it is. Requirements should always keep the time frame it takes to brute force in the 50+ years time frame. Personally mine remain in the Trillions of years or more.

  55. david lee 11 months ago

    If each password try has a 3-second delay between tries, how long would it be?

  56. Sam 11 months ago

    I use Authenticator on my mobile so if my password is stolen, the hacker has to steal my mobile too 😂

    1. Rich Rigney 11 months ago

      Actually that is no longer the case, and hasn't been for some time. A simple SIM replica (the hacker duplicates your phone's SIM card and installs it into theirs) gives them access to all of your incoming messages, including 3rd-party authentication messages. If they have already hacked your password they are in.

      1. Ateo Sempre 11 months ago

        Hackers duplicate SIM cards by pretending to be you and then apply for an eSIM for your existing SIM card. But I already applied for an eSIM and now I use an eSIM on my phone so it's more difficult for hackers to duplicate my SIM card (eSIM card).

  57. Cody Burris 11 months ago

    Hmm, lies. I can crack an 8-16 character password in a matter of minutes to hours; symbols, upper case, lower case, it does not matter. They truly don't know how cracking passwords works. Brute forcing, yes, but dictionary and rule attacks make it so much easier.

    1. Anthony Brown 11 months ago

      You can't even form a sentence, there's no chance you're cracking anything bud.

    2. Jeff Carter 11 months ago

      It's not "lies" if they literally said "brute force" and not "crack." Not saying you're wrong about the ability of other techniques to significantly reduce the time to crack, but there are enough actual lies in the world, I don't like people mislabeling truths as lies.

  58. Henry 11 months ago

    Brute forcing assumes an automated attack, which presupposes there is no captcha to contend with, which almost every serious site uses, and no automated brute-force detection system. Amazing how a simple captcha can mitigate this kind of attack.

    1. Unknown 11 months ago

      If you look at their methodology and footnotes:

      "Cracking passwords this way assumes that the attacker has acquired a hash digest of one or more passwords, such as those found in password data breaches on HaveIBeenPwned or more recently LastPass!

      The implied attack assumes that MFA is not used or has been bypassed. If you can get access to download the encrypted database, like what happened with LastPass, you don't need to deal with MFA when making attempts thereafter."

      It's clear they aren't talking about brute-forcing a login dialog, but about cracking a list of hashed passwords.

  59. Diamond Mind 11 months ago

    15k years to get mine :) Nice

    1. Marko Krajnc 11 months ago

      I already know your password is 13 characters long and contains letters, numbers and symbols!

  60. Robert 11 months ago

    What about 50 plus character passwords that use upper, lower, numbers, symbols and special characters?

    I once visited a forum site that let me use 256 characters as a password, it would need me to sign in a second time because of a too long password. I changed it to 254 characters and I didn't need to enter my password a second time.

    I now use 255 characters for my banking app and 32 characters for each reset question. Also secured with biometrics. Everything else gets 50 characters or whatever the max the site supports.

    All in my KeePass database that I've used for the last 11 or so years now.

    1. Isaac Ibbotson 11 months ago

      I've been messing with KeePass the past couple of days. It definitely isn't for people who don't really care that much about digital security.

      It definitely answered a lot of questions I had about passwords. Love the ability to max out the allowable password characters on any given site

  61. Tony Lovell 11 months ago

    These articles never explain where a hacker is going to find a server that does not apply throttling to the rate at which they can iteratively try passwords. Do they have a means of side-stepping this limitation? If not, explain how they are going to brute force a password at 4 guesses per minute.

    1. Xurtio Xaos 11 months ago

      First, hackers get in via malware like Qakbot, Gootloader, IcedID, an exploit, or pure-play social engineering. Then they use Mimikatz or a similar tool to grab all the active hashes for the whole organization and download them. Then they work through the password list, looking for all the crackable ones via brute force.
      But also, not all servers have throttle limits. The primary ones may, but many organizations leave some random FTP, SQL, or other random server without such protection.

    2. Robert Clark 11 months ago

      There are a lot of very large hash tables out there, so these figures are probably way overstated. The actual time will be much less as you only need to search a hash table where the computation is already done.

    3. EG Frost 11 months ago

      Normally you don't try to brute force the login. But when you get into the database you can dump all password hashes and then brute force those hashes locally on your own system.

      It is even more usual in Active Directory: if you are able to capture hashes, or even if you get Domain Admin, you can dump all users' hashes and crack them on your system.

