News Nvidia's flagship gaming GPU can crack complex passwords in under an hour

I don't know a lot about brute force password hacking. But don't most online websites lock you out after a couple failed attempts? How a system check all passwords?

This is only valid for things like encryption on local files, right?
 
I don't know a lot about brute force password hacking. But don't most online websites lock you out after a couple failed attempts? How a system check all passwords?

This is only valid for things like encryption on local files, right?
Yes, if they were trying to hit the actual system with each guess, that would stop it.

This is an offline attempt to create every password, hash it, and see if the hash matches the hash you got from a breach. So all the 'hacking' is done offline and if they find it, they know they have the password (as of the time the hash was leaked).
 
Cybersecurity firm Hive Systems has released its 2024 iteration of the Hive Systems Password Table, which details how long it takes different graphics cards to crack a password.

Nvidia's flagship gaming GPU can crack complex passwords in under an hour : Read more
I also want to strongly urge you to use less climactic Language in your title. A stronger password than 8 characters should be expected It should also make it more clear that this is done offline. Cracking a password online is much more difficult because of the wait times after too many false submissions.
 
I hate that I clicked on this article because that title is click bait. Nobody clicked on this thinking you were talking about cracking the hashed files, in a database that would need to be hacked/stolen first, and be so out of date it's ridiculous.

Please stop posting clickbait Toms. It's making all of us second guess coming here.
 
I don't know a lot about brute force password hacking. But don't most online websites lock you out after a couple failed attempts? How a system check all passwords?

This is only valid for things like encryption on local files, right?
The way this works is that they first have to obtain user database with hashed passwords.

Then they can run bruteforce attack against those hashes to reverse them into text.

The thing is, MD5 (and without a random salt value appended to boot) was never secure enough for password hashing. Think of a big CEO / company owner hiring their nephew who "knows computers" to make a website -- it's that sort of incompetence.

Whoever is not using PBKDF2 or some alternative to transform plaintext passwords for offline storage should be held criminally liable for negligence at the minimum.

All that makes this article totally pointless clickbait.
 
  • Like
Reactions: dalauder
The way this works is that they first have to obtain user database with hashed passwords.

Then they can run bruteforce attack against those hashes to reverse them into text.

The thing is, MD5 (and without a random salt value appended to boot) was never secure enough for password hashing. Think of a big CEO / company owner hiring their nephew who "knows computers" to make a website -- it's that sort of incompetence.

Whoever is not using PBKDF2 or some alternative to transform plaintext passwords for offline storage should be held criminally liable for negligence at the minimum.

All that makes this article totally pointless clickbait.
The 2nd table and following text is based on bcrypt results, so that part is more or less legit. The title and first half is indeed essentially clickbait though.
 
  • Like
Reactions: dalauder
The way this works is that they first have to obtain user database with hashed passwords.

Then they can run bruteforce attack against those hashes to reverse them into text.

The thing is, MD5 (and without a random salt value appended to boot) was never secure enough for password hashing. Think of a big CEO / company owner hiring their nephew who "knows computers" to make a website -- it's that sort of incompetence.

Whoever is not using PBKDF2 or some alternative to transform plaintext passwords for offline storage should be held criminally liable for negligence at the minimum.

All that makes this article totally pointless clickbait.
Thanks. I see that bcrypt table now. Seems like a pretty safe timeframe. Nobody will be spending 2+ weeks just to hack my account, not knowing if it has anything of value in it. Maybe they'll do it for corporate accounts?
 
Thanks. I see that bcrypt table now. Seems like a pretty safe timeframe. Nobody will be spending 2+ weeks just to hack my account, not knowing if it has anything of value in it. Maybe they'll do it for corporate accounts?
Truth is, this kind of password bruteforcing is really not very useful nowadays with the prominence of:

1. MFA / 2FA authentication
2. Hashes not being as easy to obtain as before to begin with

For example, you could have extracted NTLM hashes of all users that ever logged on a Windows PC, but with virtualization based security and the fact that weak hashes aren't really kept around anymore this is a totally pointless exercise.
 
The 2nd table and following text is based on bcrypt results, so that part is more or less legit. The title and first half is indeed essentially clickbait though.
The articles here are mostly written like this:

Title
A man looses 10 pounds in 30 seconds!

Body
A man from Louisville, Kentucky has managed to shave 10 pounds off his weight in less than 30 seconds. He was minding his own business when a runaway alligator, most likely someone's pet, wandered into his backyard. A fight ensued and an alligator bit his leg off clean. The man managed to stop the bleeding and survive but ended weighing 10 pounds less. He also managed to subdue the alligator and turn it into a travel bag. "At least I got my revenge" he said "now I can take my prosthetic leg with me wherever I go in this fancy bag which I made out of alligator's skin".

It's like they trained an AI model to turn non-news into clickbait.
 
The articles here are mostly written like this:

Title
A man looses 10 pounds in 30 seconds!

Body
A man from Louisville, Kentucky has managed to shave 10 pounds off his weight in less than 30 seconds. He was minding his own business when a runaway alligator, most likely someone's pet, wandered into his backyard. A fight ensued and an alligator bit his leg off clean. The man managed to stop the bleeding and survive but ended weighing 10 pounds less. He also managed to subdue the alligator and turn it into a travel bag. "At least I got my revenge" he said "now I can take my prosthetic leg with me wherever I go in this fancy bag which I made out of alligator's skin".

It's like they trained an AI model to turn non-news into clickbait.
It is getting sad how many of these articles are clickbait. The only redeemable part of that is that everywhere else is clickbait too. 🙁
 
It is getting sad how many of these articles are clickbait. The only redeemable part of that is that everywhere else is clickbait too. 🙁
Ars Technica still isn't clickbait, but their commentariat is a liberal echo chamber where any dissenting opinion is downvoted into oblivion no matter whether it is correct or not.
 
Last edited: