Hive Systems research finds hackers can still crack passwords quickly

April 23, 2024
While stronger algorithms have made it more challenging to crack passwords, it’s highly unlikely to stay that way.

RICHMOND, Va. – In its annual audit of hackers’ ability to crack passwords through brute force, Hive Systems found that any password under seven characters can be cracked within a matter of hours. Due to the widespread use of stronger password hashing algorithms to protect data, the time it takes hackers to crack passwords has increased. However, the updated research from the Richmond, Va., cybersecurity company is little cause for celebration.

“Looking at the data and the increase in time it takes hackers to crack passwords, it could be easy to assume that the cybersecurity industry has made great strides in protecting our data,” said Alex Nette, CEO and co-founder of Hive Systems. “Unfortunately, every time we make it harder for hackers, they find new ways around even the strongest protections. The increased times shown in our 2024 Password Table are promising, but we’re likely to see these times come down again in the near future as computing power increases.”

Last year, Hive’s research found that some 11-character passwords could be cracked instantaneously using brute force. This year’s findings revealed the effectiveness of newer industry-standard password hashing algorithms – like bcrypt – for encrypting passwords in databases. Now, that same 11-character password takes longer to crack: 10 hours. However, while stronger algorithms have made it more challenging to crack passwords, it’s highly unlikely to stay that way.

“The nice thing about bcrypt is that as computers get faster you just increase the work factor to crack passwords,” said Corey Neskey, VP of Quantitative Risk at Hive Systems. “However, at a certain point, the algorithm becomes frustratingly unusable for web applications and websites, and so compromises have to be made - creating opportunities for hackers.”

Each year, more and more personal data is collected and stored in locations that can be breached by hackers. The most effective solutions for data protection are the use of multifactor authentication and a password manager with random, complex passphrases.

Multifactor authentication – a generally free cybersecurity tool that requires a multi-step process to log into online accounts – ensures that any login is approved by the owner of the account. With the advent of publicly accessible artificial intelligence tools, a second step which requires the personal action of a user to confirm their identity is the best way to keep account information safe.

The use of a password manager for creating and storing passwords also significantly increases the safety and security of passwords. However, these passwords will continue to become less and less secure.

The 2024 Hive Systems Password Table – shown and written about in the news, published by universities, and shared by thousands of companies across the globe – is available for download here.

Find out more about the technical methodology behind our research at www.hivesystems.com/password