Passwords with 8 characters are easy to crack
This is how secure 8-character passwords are in 2024
It is often recommended that a good password should be at least 8 characters long. However, new research shows that it is time for more.
Passwords with a length of at least 8 characters have been considered secure for years, as long as they are also highly complex. However, a new report by cybersecurity company Hive Systems shows that 8-character passwords can now be cracked in a reasonable amount of time, depending on the hashing algorithm used and the GPU power available.
For example, anyone in possession of an Nvidia RTX 4090 graphics card can reconstruct a randomly generated 8-character password with upper and lower case letters as well as numbers and special characters from the corresponding MD5 hash in just 59 minutes. If bcrypt (with 32 iterations) is used as the hashing algorithm instead, the same process takes a much longer 99 years.
The problem with this is that users generally do not know which algorithm is used by the services they use. Although MD5 has long been considered insecure, the method is still used by many online services. What's more, not every user uses the maximum possible password complexity, unless this is enforced by guidelines.
It can also be faster with bcrypt
Even if the more secure bcrypt algorithm is used, this is no guarantee that the password cannot be cracked within a few days. Hive Systems illustrates an extreme case in this respect: with 10,000 A100 GPUs from Nvidia, the bcrypt hash of a highly complex 8-character password can be brute-forced within 5 days.
For attackers with the budget for such computing resources and a high-value password as the target, 8 characters are no longer much of a hurdle. With only 12 A100 GPUs, the same process still takes 12 years. The researchers consider this to be reasonable, provided that users generate their passwords randomly and change them from time to time.
People are predictable
However, Hive Systems points out that "people are quite predictable" and often do not create randomly generated passwords. Reconstruction is therefore often much easier and quicker to carry out in reality. The times determined by the security experts are to be understood as a best-case scenario.
In addition, there are other factors that massively reduce the computing time - for example, if a password contains dictionary entries or has already appeared in a known data leak. In such cases, passwords can be cracked immediately, no matter how long or complex they are.
The BSI still recommends on its website that "a good password" should be at least 8 characters long, but "the longer, the better". Hive Systems' research shows that, in view of increasingly powerful GPUs, it may well be worth opting for longer passwords. Many services already recommend 12 or more characters.
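To make the scaling behind these figures concrete, here is an added worked example (not from the article or from Hive Systems) that derives the hash rates implied by the article's two 8-character figures (59 minutes for MD5, 99 years for bcrypt) and projects them onto longer passwords, a smaller character set and more GPUs. It assumes an exhaustive worst-case search over the 94 printable ASCII characters and linear speed-up across GPUs; the derived rates are consequences of the article's numbers, not measured benchmarks.

```python
from math import log2

FULL_CHARSET = 26 + 26 + 10 + 32   # upper, lower, digits, symbols: 94 printable ASCII chars
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(length, charset_size=FULL_CHARSET):
    """Number of candidates an exhaustive search must try in the worst case."""
    return charset_size ** length

def entropy_bits(length, charset_size=FULL_CHARSET):
    """Entropy of a randomly generated password of this shape, in bits."""
    return length * log2(charset_size)

def implied_rate(length, seconds, charset_size=FULL_CHARSET):
    """Hash rate (hashes/s) that exhausts the keyspace in `seconds`. Derived from a
    published crack time rather than measured, so it is an assumption of this example."""
    return keyspace(length, charset_size) / seconds

def search_seconds(length, rate, charset_size=FULL_CHARSET):
    """Worst-case time to exhaust the keyspace at `rate` hashes per second."""
    return keyspace(length, charset_size) / rate

def scale_gpus(seconds, from_gpus, to_gpus):
    """Brute force parallelises linearly: time shrinks in proportion to added GPUs."""
    return seconds * from_gpus / to_gpus

# Rates implied by the article's 8-character figures (assumed full 94-char keyspace).
MD5_RATE = implied_rate(8, 59 * 60)
BCRYPT_RATE = implied_rate(8, 99 * SECONDS_PER_YEAR)

def crack_table(lengths=(8, 10, 12, 15)):
    """Worst-case years per password length at the same implied rates."""
    return {
        n: {"bits": round(entropy_bits(n), 1),
            "md5_years": search_seconds(n, MD5_RATE) / SECONDS_PER_YEAR,
            "bcrypt_years": search_seconds(n, BCRYPT_RATE) / SECONDS_PER_YEAR}
        for n in lengths
    }

if __name__ == "__main__":
    for n, row in crack_table().items():
        print(f"{n:2d} chars ({row['bits']} bits): MD5 {row['md5_years']:.3g} y, "
              f"bcrypt {row['bcrypt_years']:.3g} y")
    # Same rate, but lowercase letters only (26): complexity matters as much as length.
    print(f"8 lowercase-only chars at the MD5 rate: {search_seconds(8, MD5_RATE, 26):.2f} s")
    # Cross-check of the article's A100 figures: 12 GPUs take 12 years, so 10,000 take days.
    days = scale_gpus(12 * SECONDS_PER_YEAR, 12, 10_000) / 86400
    print(f"12 years on 12 A100s scales to {days:.1f} days on 10,000 A100s")
```

Each extra character multiplies the search by 94, so going from 8 to 12 characters multiplies the MD5 time by about 78 million; dropping to lowercase only at 8 characters collapses it to a fraction of a second.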
Recommendation
The RHRZ at RPTU even suggests a minimum length of 15 characters: "The simplest option is to use a password that is at least 15 characters long. In this case, Windows stores an LM hash value that cannot be used to authenticate the user."
Further information on LM hash value at https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4