Very click-baity and not good journalism imho. Starting with a "A GeForce RTX 4090 could be cracking your password at this moment." tagline only to later note:

> With bcrypt, the hashing times soared. While the GeForce RTX 4090 only took 59 minutes to crack an MD5 hash, the same graphics card would need 99 years.

It's 2024 and if your password is still being hashed with MD5, the news is: your password could have been cracked 10 or more years ago already. Nobody sane uses that anymore and bcrypt still stands the test.
Using an 8-char password for those tests is very weak.

On my old Linux gaming rig with the AMD RX580 I can run through the entire WPA2 keyspace of 8-char lowercase or 8-char uppercase in 3 hours.

MD5 and SHA-1 take seconds using JtR or hashcat masks or brute force or a straight attack using the Rust super fast Cracken password generator.
If anything, this approach shows how good a system passwords are. The downfall will be cheap quantum computers; it seems like we have some time until those are available.

An A100 is about $2/hr, so cracking even a "basic" password hashed with bcrypt is going to cost a cool $24M in GPU alone. Most people concerned about this kind of attack are using a whole lot more chars. Apps should not be using MD5; use PBKDF2 or bcrypt.
I posted this below some comment but it may be worth reading for others:

Start using very high entropy passwords which contain just about all printable ASCII characters, excluding whitespace.

If a computer can't guess it, it won't crack the hash, either.

Use a password manager and make those suckers 20-40 characters.

Use a master key that is just a super long phrase interleaved with special characters. Easy to remember. Like titles of books you like, plus authors, plus something only you know. Stuff like that. Example: `Franz&Kafka$Meta-/morphosis@@3385`. Even better, use such helpers to make a high entropy string of random letters.

I use a version of KeePass, with the actual file synced via Syncthing to all devices plus a cloud. To me, it has never been an issue to copy-paste or auto-type a 40-character password -- in fact, I usually don't even notice.
Not quite as unrealistic as it seems - I have colleagues I can't convince that SHA-256 is NOT good for passwords.

They just don't understand that it's safe for larger binaries, but absolutely not for short ASCII strings like passwords.
Also they find it convenient since most modern programming languages and databases directly support those hash functions, but not something like bcrypt or Argon2.

So I do think there are many passwords out there you can crack easily and quickly nowadays.

I'll try convincing them again...
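The point running through the first comment (MD5 vs. bcrypt), the cost estimate a few comments up, and the last two comments (SHA-256 is fine for files, wrong for passwords) is the same one: a password hash has to be slow per guess and salted per user. The block below is an added example, not code from the thread or from the article it discusses. It uses only the Python standard library, so the "slow" side is PBKDF2-HMAC-SHA256 rather than bcrypt or Argon2 (same idea, different primitive); the 600,000-iteration default is OWASP's published PBKDF2-SHA256 recommendation and is an assumed tuning, the sample password and input strings are constructed, and the timings it reports are single-core CPU figures from the machine it runs on, not GPU rates.

```python
import hashlib
import hmac
import os
import time

# Added example: contrasts one unsalted SHA-256 per password (the anti-pattern
# described in the thread) with a salted, deliberately slow KDF. PBKDF2 stands
# in for bcrypt/Argon2 because it ships in the standard library.

# Assumed work factor: OWASP's PBKDF2-HMAC-SHA256 figure. Tune for your budget.
PBKDF2_ITERATIONS = 600_000


def fast_hash(password: str) -> str:
    """The anti-pattern: a single unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a self-describing record: algo$iterations$salt_hex$digest_hex.

    The per-user random salt defeats precomputed tables; the iteration count
    makes every guess cost an attacker the same work it costs the server.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_guess(hash_func, rounds: int = 3) -> float:
    """Median wall-clock cost of one evaluation of hash_func on this machine."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        hash_func("correct horse battery staple")  # constructed sample input
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` over the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a sustained guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def cost_table(length: int = 8, alphabet_size: int = 95) -> dict:
    """Compare fast hash vs. KDF for the thread's 8-char printable-ASCII case.

    The rates are single-core Python figures, so the absolute years are not
    GPU numbers; the ratio between the two rows is what matters.
    """
    space = keyspace(length, alphabet_size)
    result = {}
    for name, func in (("sha256", fast_hash), ("pbkdf2", hash_password)):
        per_guess = seconds_per_guess(func)
        result[name] = {
            "seconds_per_guess": per_guess,
            "years_for_full_keyspace": years_to_exhaust(space, 1.0 / per_guess),
        }
    return result


if __name__ == "__main__":
    rec = hash_password("hunter2")  # constructed sample password
    print(rec)
    print("verify correct:", verify_password("hunter2", rec))
    print("verify wrong:  ", verify_password("hunter3", rec))
    for name, row in cost_table().items():
        print(f"{name:7s} {row['seconds_per_guess']:.2e} s/guess "
              f"-> {row['years_for_full_keyspace']:.3g} years for 95^8")
```

Run it once and the gap between the two rows is several orders of magnitude even on a laptop CPU; a GPU widens the fast-hash side enormously but barely moves the KDF side, which is exactly the 59-minutes-versus-99-years contrast the article quoted. The record format stores the iteration count next to the digest so the work factor can be raised later and old records re-hashed on the user's next successful login.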
The label "password" is terrible. It implies that a single word is sufficient.

Something like "secret" or "key" would probably have been more appropriate in hindsight.