Some passwords can be cracked in an instant – but who is actually to blame?

Out of 193 million leaked passwords, researchers cracked around half within an hour. But the blame should not fall on one side alone.

In a recent report, security researchers from Kaspersky show how they have cracked passwords in seconds using modern graphics cards. For this to work, however, a number of conditions must be met. The blame for this does not lie solely with owners of online accounts and their "weak" passwords.

In their experiments, the researchers reportedly used the computing power of Nvidia's current high-end GPU, the GeForce RTX 4090, to crack passwords offline with brute-force and dictionary attacks.

The brute-force approach involves bluntly trying every conceivable combination of characters until a password is guessed. The more computing power available, the faster the search. In dictionary attacks, cyber criminals draw on large lists of leaked log-in data and try those entries as candidates.

The researchers used 192 million leaked passwords circulating on the darknet as a basis. In their experiments, they hashed the passwords with the MD5 algorithm, including a salt value, before cracking them. MD5 has long been considered insecure, but this was a theoretical experiment. They state that the computing power available to them can try 164 billion hashes per second.

In this scenario, they say they were able to crack 28% of passwords with upper and lower case letters in less than a minute. If numbers are added, the figure shrinks to three percent. And for 55 percent, the process would take longer than a year due to the complexity of the password. With optimized algorithms such as negram_seq, which calculate the probability of the next character, they were able to further increase the success rate.

In conclusion, the security researchers blame the owners of accounts and cite weak passwords as the reason - but it's not that simple. It is clear that nobody should use passwords such as "qwertz1234" or "password". It should also be a matter of course to use a different password for each account and to activate two-factor authentication (2FA) wherever possible. Alternatively, you can also use passkeys for more security.

However, the real failure lies elsewhere: attackers should never be able to gain access to the servers of online service providers and the access data stored on them in the first place. Amazon, Facebook & Co. therefore have a duty to secure their systems properly so that offline cracking cannot occur at all. Evidently this is often not the case, and lists with millions of entries of log-in data copied during cyberattacks are circulating online.

If a breach does occur, the passwords must be adequately protected on the servers. Here, too, the providers have a duty. Hash procedures are used to protect access data: because a password hash is a mathematical one-way function, attackers generally cannot do anything useful with it.

The MD5 method, which has long been considered insecure, should of course not be used for this purpose. Purpose-built password hashing functions such as bcrypt should be used instead. But it gets even worse: there are repeated cases where passwords are stored on servers in plain text. This is grossly negligent and a slap in the face for customers and users of an online platform. In numerous instances, account holders have therefore done nothing wrong and are lulled into a sense of security that the respective providers are often unable to guarantee.
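The following is an added example, not code from the heise article or from Kaspersky's report. It illustrates the two points the article makes: the cracking-time estimates at the stated rate of 164 billion hashes per second, and the difference between storing an unsalted fast hash such as MD5 and storing a deliberately slow, salted password hash. Because bcrypt is a third-party package, the slow hash here is `hashlib.scrypt` from the Python standard library, used as a stand-in for bcrypt; the breach list, the cost parameters and the storage format are constructed for the example and are not any provider's actual scheme.

```python
"""Password storage the way the article recommends, beside the weak setup it
criticises. Added example; not from the article or Kaspersky's report."""
import hashlib
import hmac
import secrets

# The article's stated rate: 164 billion hashes per second on an RTX 4090.
ARTICLE_HASH_RATE = 164_000_000_000

# Constructed stand-in for the "lists of leaked log-in data" the article
# mentions; a real deployment would query a full breach corpus instead.
BREACHED_PASSWORDS = {"password", "qwertz1234", "123456"}

# scrypt cost parameters (assumed values chosen so the example runs quickly;
# production settings should be tuned higher, as with bcrypt's cost factor).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def exhaustive_search_seconds(charset_size: int, length: int,
                              rate: float = ARTICLE_HASH_RATE) -> float:
    """Worst-case seconds to try every password of `length` characters drawn
    from a charset of `charset_size` symbols at `rate` hashes per second.
    This is what makes the article's 'under a minute' vs 'over a year'
    figures plausible: the keyspace grows exponentially with length."""
    return charset_size ** length / rate


def md5_unsalted(password: str) -> str:
    """The weak scheme the article warns against: one fast hash, no per-user
    salt, so identical passwords yield identical stored values and a single
    precomputed table cracks every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Store a password as a salted, memory-hard scrypt digest.

    Rejects passwords found in the breach list first, since no hash protects
    a password that is already on an attacker's wordlist."""
    if password in BREACHED_PASSWORDS:
        raise ValueError("password appears in a known breach list")
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    # Self-describing record (constructed format): parameters travel with the
    # hash so they can be raised later without breaking old entries.
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    year = 365 * 24 * 3600
    print("8 lowercase letters:", exhaustive_search_seconds(26, 8), "s")
    print("12 printable ASCII chars (years):",
          exhaustive_search_seconds(95, 12) / year)
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Password1", record))
```

Two things to notice when running it: the same password hashed twice produces two different records because each gets its own salt, whereas `md5_unsalted` always yields the same digest; and the keyspace arithmetic shows why the article's figures diverge so sharply between short single-class passwords and long mixed-character ones at the same hash rate.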

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.