Site icon GIXtools

Analysis of user password strength

The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of guessing an eight-character password consisting of same-case English letters and digits, or 36 combinable characters, within just 17 seconds.

Our study of resistance to brute-force attacks found that a large percentage of passwords (59%) can be cracked in under one hour.

How passwords are typically stored

To be able to authenticate users, websites need a way to store login-password pairs and use these to verify data entered by the user. In most cases, passwords are stored as hashes, rather than plaintext, so that attackers cannot use them in the event of a leak. To prevent the password from being guessed with the help of rainbow tables, a salt is added before hashing.

Although hashes are inherently irreversible, an attacker with access to a leaked database can try to guess the passwords. They would have an unlimited number of attempts, as the database itself has no protection against brute-forcing whatsoever. Ready-made password-guessing tools, such as hashcat, can be found online.

Methodology

Our study looked at 193 million passwords found freely accessible on various dark web sites. Kaspersky does not collect or store user passwords. More details are available here and here.

We estimated the time it takes to guess a password from a hash using brute force and various advanced algorithms, such as dictionary attacks and/or enumeration of common character combinations. By dictionary we understand here a list of character combinations frequently used in passwords. They include, but are not limited to real English words.

Brute force attacks

The brute-force method is still one of the simplest and most straightforward: the computer tries every possible password option until one works. This is not a one-size-fits-all approach: enumeration ignores dictionary passwords, and it is noticeably worse at guessing longer passwords than shorter ones.

We analyzed the brute-forcing speed as applied to the database under review. For clarity, we have divided the passwords in the sample into patterns according to the types of characters they contain.

The time it takes to crack a password using the brute-force method depends on the length and the number of character types. The results in the table are calculated for the RTX 4090 GPU and the MD5 hashing algorithm with a salt. The speed of enumeration in this configuration is 164 billion hashes per second. The percentages in the table are rounded.

Password pattern
Share of passwords of this type in the dataset, %
Share of brute-forceable passwords (by pattern, %)
Maximum password length in characters by crack time

< 60 s
60 s to 60 min
60 min to 24 h
24 h to 30 d
30 d to 365 d
> 365 d
24 h to 30 d
30 d to 365 d
> 365 d

aA0!
28
0,2
0,4
5
0
9
85

9
10

a0
26
28
13
15
11
10
24
11
12
13

aA0
24
3
16
11
0
15
55

10
11

a0!
7
2
9
0
14
15
59
9
10
11

0
6
94
4
2
0
0
0


a
6
45
13
10
9
6
17
12
13
14

aA
2
15
22
11
14
0
38
10

11

a!
1
6
9
11
0
11
62

10
11

aA!
0,7
3
2
12
10
0
73
9

10

0!
0,5
10
27
0
18
13
32
10
11
12

!
0,006
50
9
10
5
6
19
11
12
13

The most popular type of passwords (28%) includes lowercase and uppercase letters, special characters and digits. Most of these passwords in the sample under review are difficult to brute-force. About 5% can be guessed within a day, but 85% of this type of passwords take more than a year to work out. The crack time depends on the length: a password of nine characters can be guessed within a year, but one that contains 10 characters, more than a year.

Passwords that are least resistant to brute-force attacks are the ones that consist of only letters, only digits or only special characters. The sample contained 14% of these. Most of them can be cracked within less than a day. Strong letter-only passwords start at 11 characters. There were no strong digit-only passwords in the sample.

Smart brute-force attacks

As mentioned above, brute force is a suboptimal password-guessing algorithm. Passwords often consist of certain character combinations: words, names, dates, sequences (“12345” or “qwerty”). If you make your brute-force algorithm consider this, you can speed up the process:

Also, for each password, we calculated a best value: the best crack time among all the algorithms used. This is a hypothetical ideal case. To implement it, you will need to “guess” an appropriate algorithm or simultaneously run each of the aforementioned algorithms on a GPU of its own.

Below are the results of gauging password strength by running the algorithms on an RTX 4090 GPU for MD5 with a salt.

Crack time
Percentage of brute-forceable passwords

ngram_seq
3gram_seq
unogram
ngram_opt_corr
3gram_opt_corr
zxcvbn_corr
bruteforce_corr
Best

< 60 s
41%
29%
12%
23%
10%
27%
10%
45%

60 s to 60 min
14%
16%
12%
15%
12%
15%
10%
14%

60 min to 24 h
9%
11%
12%
11%
12%
9%
6%
8%

24 h to 30 d
7%
9%
11%
10%
11%
9%
9%
6%

30 d to 365 d
4%
5%
7%
6%
8%
6%
10%
4%

> 365 d
25%
30%
47%
35%
47%
35%
54%
23%

The bottom line is, when using the most efficient algorithm, 45% of passwords in the sample under review can be guessed within one minute, 59% within one hour, and 73% within a month. Only 23% of passwords take more than one year to crack.

Importantly, guessing all the passwords in the database will take almost as much time as guessing one of them. During the attack, the hacker checks the database for the hash obtained in the current iteration. If the hash is in the database, the password is marked as cracked, and the algorithm moves on to working on the others.

The use of dictionary words reduces password strength

To find which password patterns are most resistant to hacking, we calculated the best value for an expanded set of criteria. For this purpose, we created a dictionary of frequently used combinations of four or more characters, and added these to the password pattern list.

Password pattern
Share of passwords, %
Share of passwords that can be cracked with a dictionary attack (by pattern, %)
Maximum password length in characters by crack time

< 60 s
60 s to 60 min
60 min to 24 h
24 h to 30 d
30 d to 365 d
> 365 d
24 h to 30 d
30 d to 365 d
> 365 d

dict_a0
17
63
15
8
5
3
7
10
11
12

aA0!
14
5
6
5
5
3
76
6
7
8

dict_aA0
14
51
17
10
7
4
11
9
10
11

dict_aA0!
14
34
18
12
10
6
20
7
8
8

a0
10
59
22
6
6
1.8
6
10
11
12

aA0
10
19
13
13
6
7
42
9
10
11

0
6
92
5
1.5
1.3
0
0
15

dict_a0!
5
44
16
10
8
5
17
9
9
10

dict_a
4
69
12
6
4
2
6
11
12
13

a0!
2
31
19
13
9
5
23
9
9
10

a
1.2
76
7
6
3
3
6
11
12
13

dict_aA
1.2
56
15
8
6
3
11
9
10
10

dict_a!
0.8
38
16
10
8
5
23
8
9
10

aA
0.7
26
10
28
7
2
27
9
10
10

dict_aA!
0.5
31
17
11
10
6
26
8
9
9

0!
0.4
53
15
8
7
5
13
9
10
11

dict_only
0.2
99.99
0.01
0.0002
0.0002
0
0
18

dict_0
0.2
89
6
2
2
0
0
15

aA!
0.2
11
8
10
16
3
52
8
9
9

a!
0.1
35
16
10
9
5
25
8
9
10

dict_0!
0.06
52
13
7
6
4
17
9
10
11

!
0.006
50
10
6
8
4
20
8
9
10

The majority (57%) of the passwords reviewed contained a dictionary word, which significantly reduced their strength. Half of these can be cracked in less than a minute, and 67% within one hour. Only 12% of dictionary passwords are strong enough and take more than a year to guess. Even when using all recommended character types (uppercase and lowercase letters, digits and special characters), only 20% of these passwords proved resistant to brute-forcing.

It is possible to distinguish several groups among the most popular dictionary sequences found in passwords.

Non-dictionary passwords comprised 43% of the sample. Some were weak, such as those consisting of same-case letters and digits (10%) or digits only (6%). However, adding all recommended character types (the aA0! pattern) makes 76% of these passwords strong enough.

Takeaways

Modern GPUs are capable of cracking user passwords at a tremendous speed. The simplest brute-force algorithm can crack any password up to eight characters long within less than a day. Smart hacking algorithms can quickly guess even long passwords. These use dictionaries, consider character substitution (“e” to “3”, “1” to “!” or “a” to “@”) and popular combinations (“qwerty”, “12345”, “asdfg”).

This study lets us draw the following conclusions about password strength:

To protect your accounts from hacking:

Source:: Securelist

Exit mobile version