Hackers Crack 16-Character Passwords in Less than 60 Minutes

| by
article imagearticle image

Though many people think they are secure if they have a long, obscure password for sites, a team of hackers recently revealed the ease with which they can crack even the longest passwords.

The team cracked more than 14,800 random passwords from a list of 16,449 for a tech website.

Each hacker had a success rate ranging from 62% to 90%, but the one hacker who had a success rate of 90% hacked passwords in less than an hour.

They also could hack 16-character passwords, including the confusing and random password "qeadzcwrsfxv1331."

They have published how they cracked the passwords and the methods they used in hacking.

Instead of trying to guess the passwords by entering them into the site, they used a list of hashed passwords which they obtained online.

A hash is essentially a password translated into a unique formula. When a user logs in, the site compares the user's entered password with the hashed password stored in their data base. When these two match, access is granted.

This makes it so the site does not have to store plain-text passwords, and makes it more difficult for a hacker to hack a password.

But just because it is more difficult does not mean it is impossible, as the team of hackers for Ars Technica proved. 

One hacker, Jeremi Gosney, was able to crack the first 10,233 hashes in 16 minutes. He used a "brute-force crack" for the passwords that were one to six characters long.

A brute-force crack is when a computer tries every possible combo of six letters and characters. In just two minutes and 32 seconds, Gosney completed the first round of cracks, which was 1,316 plain-text passwords.

To make guessing passwords even easier, Gosney created a 25-computer cluster that is able to make 350 billion guesses a second.

"Normally, I start by brute-forcing all characters from length one to length six because even on a single GPU, this attack completes nearly instantly with fast hashes," he said in an email.

"And because I can brute-force this really quickly, I have all of my wordlists filtered to only include words that are at least six characters long. This helps to save disk space and also speeds up wordlist-based attacks."

Sources: Daily Mail, Ars Technica