Generally, yes.
I would add that the concept of a hash is an important concept that was glossed over. Password hashing is defined as putting a password through a hashing algorithm to turn plaintext into an unintelligible series of numbers and letters. For example "MyPassword123" could have a hash value of "sy2x1396m2" The power of the hash is that it is meant to be a one way process: Easy to get the hash from the password, but (hopefully) extremely difficult to get the password from the hash. If you create a password for a website, then the website stores your hash and not your password. Not even the admins running the website can get your password from the hash. If someone gets your hash, then it (in theory) is worthless to them because they can't just type in the hash. When you type in your password, the website runs the hash process on what you typed and checks to see that the resulting hash matches the hash they have on file for your username. If the website is hacked and somebody gets a list of usernames and hashes this is ideally useless information because, as mentioned, they can't just type in the hash as a password. Now we get the the meat of the article: Someone can use a program such as HashCat to "reverse engineer" any hash that they stole and thus know your password. They can then go online and on the first attempt gain access to your account.
Math. He measured 1x 4090 and multiplied by 8. Password cracking can spread the load across GPUs weather they are in the same system or across the world from each other. E.g. if your key space has 8 billions possibilies, 1 B are sent to each GPU. It does not require communication between GPUs during the cracking operation. Thats one reason why botnets with access to millions of computers are so dangerous.
Just going to a 9th character means it would take 76 days to get the hash for all 9 character passwords using their 48 minutes for 8 character passwords. If you want to go to 10 characters that brings the time up to 20 years. Last year NIST went through and changed their recommendations for passwords. They were saying that length is more important than use of special characters. Don't force password changes after a certain time interval as that leads to password atrophy. If you are required to change your password every 90 days you will do something like Winter2020 then Spring2021, etc... Then they said 2FA, password managers, and pasting in of passwords is the best idea.
The article is talking about user passwords, so maybe up to 12 characters cracked with either a dictionary or brute force methods. Secure encrypted connections are 256 bit encrypted, so this method will crack the encryption in slightly less than 2.29*10^32 years.
Quantum computing will not crack my password of 123@567$ since my account will lock after serveral attempts. However, zip files with passwords, or any other non-locking process, are fair game.
Agree. However the article goes to great lengths to hide the fact that it is talking about offline cracking. Click bait anyone?
The article fails to make it clear it is cracking offline passwords. Like password protected zip files. Your online password is safe as long as the server locks you account after a few failed attempts.
It literally says 'offline assets'. Online assets (a) lock themselves after a number if failed attempts. Try it yourself. (b) online asset crack attempts are over the internet, 1000's of times slower than cracking a password on a file on your local machine.
Facebook
Twitter
Instagram