A table shared Wednesday, May 10 on the Twitter account of France Num (a government initiative for the digital transformation of SMEs) offers an estimate of the time required “for a hacker to find your password in 2023”. It is the French translation of an English-language table that has been widely shared on social networks for almost a month. According to the data presented, for a sequence of twelve characters, 1 second is enough to recover it if it consists only of digits, but 226 years if it mixes digits, letters (upper and lower case) and special symbols.
Internet users have noticed that a similar table, which circulated a year earlier, gave significantly longer durations: “For 10 characters with the most different characters, we went from 5 months to 2 weeks”, one user of the social network points out. Such estimates do raise their share of questions. What explains such an acceleration? Where will this stop? And when we talk about the time a hacker needs to find a password, who are we talking about? A hobbyist on a home PC, or determined and heavily equipped professionals?
The common source for the 2022 and 2023 tables is an American cybersecurity company, Hive Systems. A first table, based on the same model, was released in 2020 with, in each case, a detailed presentation of the methodology, available on the company’s website.
Password hash
First of all, we are talking here about a “brute force” attack: nobody is trying to extort the password, or trying, haphazardly, combinations of old pets’ names and the owner’s department of birth. Hive Systems starts from a scenario that is sadly commonplace: a company has poorly secured one of its databases, which contains usernames together with the “hash” of each user’s password.
The hash? The vast majority of computer systems do not keep their users’ passwords “in the clear” in their records. When you create your password, its string of characters is put through a series of mathematical operations (a “hash function”) that produce a new sequence of characters, much longer and unique to that input. It is this hashed, transformed version of your password that is stored on the servers. The defining property of this long hash is that the mathematical function producing it is chosen so that it is impossible to work back to the original sequence. On the other hand, a given password put through the same hash function always produces an identical result.
Checking a password means comparing two hashes (the one computed from the word you typed and the one stored on the servers). Cracking a password therefore does not mean submitting millions of passwords to a server (which would certainly trigger an alert), but running each candidate password through the known hash function until one is found whose hash matches the “witness” hash obtained from the data leak.
Hive Systems assumes that matching millions of computed hashes against those in a leaked database “requires only a trivial amount of extra calculations and time”. On the other hand, listing every possible variant of a character string of a given length, and above all computing the hash of each one, requires a great deal of computing power, and therefore time.
Low budget hacking
After this technical part, let’s explore the results presented by the cybersecurity company this year and last year.
In 2022, Hive Systems explored several hypotheses. The first was that of “a hacker with a modest budget [using] a desktop computer equipped with a high-end graphics card”, either an RTX 2080 or an RTX 3090, which is more expensive but more capable. The difference between the two: a time saving of almost 30% for the same password hashing work (using the most common hash function, MD5).
The second hypothesis was that of an equally modestly funded hacker who rents computing resources on online platforms (“cloud computing”) such as Microsoft Azure or Amazon AWS. Hive Systems noted that, for the equivalent of around thirty euros per hour, Amazon AWS offered the computing power of eight Nvidia A100 Tensor Core GPUs. Enough to hash passwords fourteen times faster than a PC with an RTX 2080 (523 billion hashes per second, compared to 37 billion). The “reference” table for 2022 corresponds to the calculation speed of a “standard” rental of eight such GPUs, on the well-known MD5 hash function. Hive Systems specifies, however, that doubling the investment would divide the time needed to explore all possible combinations by the same factor, and likewise for tripling or quadrupling it. It is, in short, only a question of a (small) budget.
At a constant budget, cracking 20 times faster than in 2022
In 2023, the company’s engineers updated their assumptions, because the same hacker with a modest budget now has access to resources that are both more powerful and cheaper. Sites that let individuals rent out the computing power of their home computers when they are not using them have become widespread, enough to compete with cloud computing from Amazon or Microsoft.
Hive Systems notes that, on one of these sites, renting twelve RTX 4090 graphics cards costs less than 6 euros per hour. Since one RTX 4090 computes 164 billion hashes per second (H/s), this is 3.7 times faster than in 2022 for 5.5 times less money. For the same budget, a hacker therefore cracks passwords 20 times faster than a year ago.
The 2023 edition of Hive Systems’ table estimating “password cracking speed” is based on this economical setup (rental of 12 RTX 4090s at $6 per hour), using the standard MD5 hash function. As noted above, had the estimate been made at a constant budget, the picture would have been even bleaker.
Note a (slight) change of method compared to 2022: for the most complex passwords, Hive Systems previously assumed that every symbol reachable from an English keyboard could be used. “This year, we stuck to the set commonly accepted on most websites and generated by most password generators,” namely the eight symbols ^ * % $ ! & @ #.
In 2022, Hive Systems’ engineers had already noted that while the standard MD5 hash function is computed relatively quickly, other functions are far slower to compute (they published separate tables for those functions). A change of standards in this area could therefore complicate the hackers’ task, and push back to a few centuries the time a “low budget” hacker needs to break a digital lock.
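To make the arithmetic behind the two tables and the slow-hash remark concrete, here is an added Python example (not Hive Systems’ or France Num’s code). It rebuilds the worst-case exhaustion time from the hash rates quoted above and the 2023 character sets, then measures on the local CPU how much one PBKDF2-HMAC-SHA256 derivation costs relative to one MD5, as a rough proxy for what switching away from MD5 does to those times; the exact years differ slightly from the published 226 because the per-card rates are rounded, and the 600,000-iteration figure is an assumption taken from current guidance, not from the article.

```python
import hashlib
import os
import time

# MD5 hash rates quoted in the article, in hashes per second.
RATE_2022_AWS_8xA100 = 523e9        # eight A100s rented on AWS
RATE_2022_RTX2080 = 37e9            # one desktop RTX 2080
RATE_2023_12xRTX4090 = 12 * 164e9   # twelve rented RTX 4090s

# Character-set sizes of the 2023 table (symbols restricted to ^*%$!&@#).
DIGITS, LOWER, UPPER, SYMBOLS_2023 = 10, 26, 26, 8
FULL_2023 = DIGITS + LOWER + UPPER + SYMBOLS_2023
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct strings of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length: int, charset_size: int, rate: float) -> float:
    """Worst case: every candidate is hashed once at `rate` hashes/second."""
    return keyspace(length, charset_size) / rate


def describe(seconds: float) -> str:
    """Round a duration into the table's own style of label."""
    if seconds < 1:
        return "instantly"
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.0f} {unit}"
    return f"{seconds:.0f} seconds"


def kdf_slowdown(iterations: int = 600_000, reps: int = 3) -> float:
    """Cost of one PBKDF2-HMAC-SHA256 (assumed iteration count) per one MD5,
    timed on this CPU. A GPU cracker is slowed by roughly the same factor,
    since PBKDF2 is just `iterations` chained HMACs per candidate."""
    pw, salt = b"constructed-sample-password", os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(reps * 1000):
        hashlib.md5(pw).digest()
    md5_each = (time.perf_counter() - t0) / (reps * 1000)
    t0 = time.perf_counter()
    for _ in range(reps):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return ((time.perf_counter() - t0) / reps) / md5_each


if __name__ == "__main__":
    for label, rate in (("2022, 8xA100", RATE_2022_AWS_8xA100),
                        ("2023, 12xRTX4090", RATE_2023_12xRTX4090)):
        print(label, "12 digits:", describe(seconds_to_exhaust(12, DIGITS, rate)),
              "| 12 mixed:", describe(seconds_to_exhaust(12, FULL_2023, rate)))
    f = kdf_slowdown()
    print(f"PBKDF2 ~{f:.0f}x slower: 12 digits in 2023 become",
          describe(seconds_to_exhaust(12, DIGITS, RATE_2023_12xRTX4090 / f)))
```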
For the thrill of speculation, the same engineers sought to estimate how quickly an imaginary hacker equipped with the computers used to train the ChatGPT AI could crack a password. That means 10,000 Nvidia A100 GPUs, capable of 647,178 billion MD5 hashes per second: 333 times faster than what our hacker achieves at 6 dollars per hour (and therefore 333 times faster than what the France Num table presents).