News AI Can Crack Most Common Passwords In Less Than A Minute

zecoeco

Sep 24, 2022
Well, if I'm being honest, most of my passwords include upper-case letters, lower-case letters, numbers and symbols, 12 characters in total.
Plus, I often change it every 3 years.
Good luck AI ;)
 

Megangel1

Jan 9, 2020
Another good reason to use 2FA.

But:
the table doesn't mean much without knowing what the metric is. Time alone is just not good enough: is it maximum time, average time, worst case? What compute power has been dedicated to the task? One 8086 processor versus Oak Ridge's Frontier? ... Or have I missed something?
Also:
are the attempts against real-world apps or against an obtained password in its encrypted form (with the encryption method known)?
And:
It's also normally faster to crack 'any one' password within a group of accounts/encrypted passwords than it is to crack a given password. (aardvark could possibly be faster to find than lemons ... marginally)

Many systems lock out accounts if a number of wrong attempts are made.

This AI appears to be worse than the table quoted in these articles:

This is how long it takes hackers to crack your passwords - Technobaboy
How long will it take to hack your password - Pure Cloud Solutions

and even from Tom's own article, forget AI and just get eight RTX4090s to do it faster

One RTX 4090 Is Faster at Password Cracking Than Three 6900XTs, Eight 1080s | Tom's Hardware (tomshardware.com)
 

USAFRet

Titan
Moderator
You can only "instantly" break a password when allowed an infinite number of attempts without time restrictions or lock-outs. If I was in charge of security, I wouldn't allow more than one attempt per 10 seconds and would lock an IP out for 5 min after three consecutive failed attempts.
The sad thing is...there are far too many clueless people in charge of those policies. And clueless people above them, approving it.
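The policy in the post above, written out as an added example that is not from the thread or from any product: a per-IP throttle using the stated numbers (held as assumed constants), plus a simulation of how many guesses per day that budget leaves an online guesser who fails every time.

```python
import time
from collections import defaultdict

MIN_INTERVAL_S = 10.0      # at most one attempt per 10 seconds per IP (assumed)
MAX_CONSEC_FAILS = 3       # lock after three consecutive failures (assumed)
LOCKOUT_S = 5 * 60         # lock-out lasts 5 minutes (assumed)


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable for simulation
        self._last_attempt = {}             # ip -> time of last attempt
        self._fails = defaultdict(int)      # ip -> consecutive failures
        self._locked_until = {}             # ip -> time the lock expires

    def check(self, ip):
        """None if an attempt may proceed, else the reason it is refused."""
        now = self._clock()
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return "locked_out"
            del self._locked_until[ip]      # lock expired, start fresh
        last = self._last_attempt.get(ip)
        if last is not None and now - last < MIN_INTERVAL_S:
            return "too_fast"
        return None

    def record(self, ip, success):
        """Record the outcome of an attempt that check() allowed."""
        now = self._clock()
        self._last_attempt[ip] = now
        if success:
            self._fails[ip] = 0
            return
        self._fails[ip] += 1
        if self._fails[ip] >= MAX_CONSEC_FAILS:
            self._locked_until[ip] = now + LOCKOUT_S
            self._fails[ip] = 0


def attempts_per_day_when_all_fail(ip="198.51.100.7"):   # constructed address
    """Simulate one day of once-per-second guesses that all fail."""
    now = [0.0]                             # fake clock, seconds
    throttle = LoginThrottle(clock=lambda: now[0])
    allowed = 0
    for t in range(24 * 60 * 60):
        now[0] = float(t)
        if throttle.check(ip) is None:
            throttle.record(ip, success=False)
            allowed += 1
    return allowed                          # 810 under this policy
```

The simulation assumes every attempt fails and comes from one address; a per-account counter alongside the per-IP one is the usual complement.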
 

Kenneth Hans

Sep 3, 2014
You can only "instantly" break a password when allowed an infinite number of attempts without time restrictions or lock-outs. If I was in charge of security, I wouldn't allow more than one attempt per 10 seconds and would lock an IP out for 5 min after three consecutive failed attempts.

Not if you start with a hash you've stolen or captured. Then you've got unlimited attempts to break it.
 

PlaneInTheSky

Oct 3, 2022
2FA is completely useless. It is far too vulnerable to phishing. 2FA vulnerabilities have been pointed out so many times.

Phishing is the main way unauthorized access happens, for individuals and in the corporate world. 2FA being so vulnerable to phishing should make it a non-starter.

2FA is never implemented because of security reasons (it is useless at that), but it is implemented because it allows the likes of Google, Microsoft and Apple to link your smartphone/email to you. 2FA is enforced on users to gather private data on them.
 

USAFRet

Titan
Moderator
2FA is completely useless. It is far too vulnerable to phishing. 2FA vulnerabilities have been pointed out so many times.

Phishing is the main way unauthorized access happens, for individuals and in the corporate world. 2FA being so vulnerable to phishing should make it a non-starter.

2FA is never implemented because of security reasons (it is useless at that), but it is implemented because it allows the likes of Google, Microsoft and Apple to link your smartphone/email to you. 2FA is enforced on users to gather private data on them.
So what do you suggest instead?
 

PlaneInTheSky

Oct 3, 2022
So just a regular password?

Passwords aren't the issue; you can't brute force passwords unless you have physical access to the device.

The weakest link is humans. Humans are vulnerable to phishing and humans are often bad actors.

2FA is a gateway to a phishing attack. It's a security risk that exploits human vulnerabilities.

The leak a few days ago of important military and NATO data regarding Ukraine did not happen because of a data breach in which some password was hacked on some server; it happened because of a bad actor. That vulnerable data should have been behind an air-gapped network, and the number of people who had access to it should have been restricted.

The weakest link in all of these attacks is humans, not passwords.
 

USAFRet

Titan
Moderator
The leak a few days ago of important military and NATO data regarding Ukraine did not happen because of a data breach in which some password was hacked on some server; it happened because of a bad actor. That vulnerable data should have been behind an air-gapped network, and the number of people who had access to it should have been restricted.
And it almost certainly was air-gapped, and with limited personnel access.

Leaks like that happen due to, as you say, a bad actor.
Aside from even stricter checks on the humans, that cannot be prevented.

And here, we're not talking about sensitive military or state secrets.
That is a whole different level than the conversation between you and your bank.
 

PlaneInTheSky

Oct 3, 2022
The risk in 2FA for the at-home user is the phishing kits criminals use. Users will check their mail for 2FA, and will be redirected to a phishing site.
 
Deleted member 14196
Use a GUID for your password and 2FA.

Good luck brute-force attacking that.

Better yet, combine it with a passphrase that only you would know.

And, unfortunately, the stupid will always suffer from being stupid.

My Safari browser on the phone generates GUID-like passwords. Love it.
 

Tac 25

Jul 25, 2021
Given a clueless user that would follow such a link, nothing will save them.
2FA or no 2FA.

Sadly, there are so many gullible people.

I've watched it on the news here in my country: a guy using a phishing strategy was already able to buy land with money from all the bank accounts he was able to hack.
And sadly as well, the punishment is only a short prison term. I wish it would be something harsher, like a life sentence; these vile people steal money that others worked so hard for.

Edit: my aunt is one victim. I don't know the exact details of how it happened. But thankfully, she was able to cancel her credit card before the hacker could get some cash from it.
 

InvalidError

Titan
Moderator
2FA is completely useless. It is far too vulnerable to phishing. 2FA vulnerabilities have been pointed out so many times.
Without 2FA, if someone somehow manages to get your password, they get into your account and you may never find out that your account has been compromised. With 2FA, you get the benefit of receiving access authorization spam by SMS, email, app or whatever else before the attacker gains access. While there is a risk you may accidentally authorize it, at least you got notified as it happened.
 

TechieTwo

Oct 12, 2022
For important security assets it's been recommended that you use a 15-20 character password with lower-case letters, upper-case letters, numbers and special characters. Using a user name that is not a word also helps, if it's long enough and uses upper- and lower-case letters and numbers. As the test results show, these passwords can take lifetimes to crack. It's also useful, when possible, to be invisible to hackers.

Yes, I recognize that "bad actors" are a key security issue, but for those situations where bad actors are not a possibility, better passwords do help.
 

kjfatl

Apr 15, 2020
A decade or so ago an article was published by IEEE. A team of experts familiar with electrical power systems was hired to hack into US power generation systems. The security experts were sure their systems would not be compromised. Controls were in place. Systems were air-gapped, etc.
The hackers were able to gain control of every system they attempted to get into except one. Multiple methods were used. Cameras in laptops were used to see the keys being pressed, and keylogging software was installed 'maliciously'. Calls were made by "the IT Department" to employees. In some cases, the security experts walked into the offices to 'service equipment' and installed cameras so they could see the keys being pressed and the associated screens.
The one system they never got into was older and required setting the password by inserting a 3.5 inch floppy disk into the controlled system.
 

anonymousdude

Distinguished
The risk in 2FA for the at-home user is the phishing kits criminals use. Users will check their mail for 2FA, and will be redirected to a phishing site.

But that's not an issue exclusive to 2FA. People not being aware of phishing is going to continue. The question becomes: does 2FA do more harm than good? By all accounts it does more good. At the very least you'll be notified of a possibly compromised account and can take measures to mitigate it.
 