How long does it take to crack a password in 2024?

Password cracking tools improve all the time. With AI entering the game, the time to brute force passwords has been reduced significantly already and continues to be reduced.

Password guidelines and rules have not changed all that much for users in the past ten or so years, however. Pick unique and strong, which means long and complex, passwords, and you are good to go.

While rules are relatively simple, especially when used in combination with a password manager, many Internet and computer users still do not follow them. They use passwords repeatedly or pick weak passwords that allow threat actors to crack them in a matter of seconds.

Brute force and dictionaries: two common attacks against passwords. Dictionary attacks use lists of passwords, often those found in leaks, as it is fast method to crack a percentage of passwords quickly. Brute forcing refers to trying any combination of a character set, say all numbers, upper- and lower-case letters on a password.

Password cracking chart 2024

Researchers at Hive Systems have updated the organization's  password cracking chart to reflect advancements in computing power and security.

It shows how long a system with twelve RTX 4090 graphics cards would need to crack a password. It reveals the information for the cases "numbers only", lowercase letters, upper and lowercase letters, "numbers, upper and lowercase letters, and "numbers, upper and lowercase letters, symbols".

An 8 character password consisting only of numbers is cracked by the setup in 37 seconds. Change that to lowercase letters, and the time increases to 22 hours. With everything included, it is taking the machine 7 years in worst case to crack the password.

To find out how secure, or insecure, a password is, count its characters. Once you have the character count, check its line. Now analyze the composition of the character. Does it have only numbers or lowercase letters? Or a combination? Check the column and read the value. This is the time it would take Hive System's machine to crack the password.

Note: more powerful setups reduce the time it takes to brute force passwords significantly. Even if the time looks fine on this chart, it may not be fine if more powerful machines target the password.

Password recommendations 2024

1. Always include numbers, upper and lowercase letters, and symbols, provided that the app or service supports this.
2. Pick 16 or more characters, again provided that the service or apps support the number.
3. Always use unique passwords.

Since it is impossible for most users to remember lots of unique 16 character passwords, it is recommended to use a password manager. You could give Bitwarden a try, it is open source and there is a free version available. The pro version has extra features and costs only $10 per year.

Improve security further

Certain attacks may reveal passwords without need to brute force or crack them. This is the case for phishing, which attempts to lure users on fake sites or get them to use fake apps to steal their credentials.

Two-factor authentication adds a second authentication step. While it sounds complicated on paper, it is not really.

What you need is an authenticator app and a few minutes to set up the security feature for important accounts. When you sign in next time, you still provide username and password in the first step, and then a code generated by the app in the second step.

If a threat actor steals the username and passwords, either through brute force attacks or other means, access is still prevented thanks to the second layer of security.

What about you? Do you use a password manager and two-factor authentication? How fast would your passwords be cracked?

Source