Cracking or discovering a simple password is not difficult, but it can be time-consuming. It just got a bit quicker. We discuss and demonstrate multiple ways to do that in Learning Tree Course 468 System and Network Security Introduction.
One mechanism we do not demonstrate is the use of graphics cards (GPUs) to do the processing. That is becoming an increasingly popular method for password cracking as graphics cards are becoming more powerful. A case in point is the new Nvidia GeForce RTX 3090. Designed for gaming, the card lists for around USD1500, but comes with a market-topping 10,496 cores and 24GB of GDDR6X memory! The huge number of cores and memory can make tasks such as password discovery very quick. The Passcovery tool already supports the new card.
I haven't seen any password cracking benchmarks for the new card at this writing, but it is expected to support well over a billion guesses per second. That could spell doom for simple passwords not on the haveibeenpwned.com list. The list contains many simple passwords and can, of course, be searched quickly, but the new card will make searching for variants easy.
I have written about the dangers of weak passwords before. The issue is more serious now. What is considered "simple" has been significantly expanded. Sure, a serious attacker could have used a collection of graphics to attack passwords in the past. It could even have been a network of compromised computers. But a fast new card makes it even easier.
What should I do?
Change all your simple passwords, of course. It can be difficult to manage more complex passwords, especially when they need to be longer and use a richer character set than in the past. Let's face it: a random mixture of 12 or 14 upper and lower case characters along with digits and punctuation is difficult to remember. Dozens of such passwords is impossible for all but the memory champions. If you have been procrastinating about getting a password manager, it is time to get to it.
The reality is processing power will continue to increase. The gaming market - and not the password cracking market - is driving the increase. Artificial Intelligence is another driver as AI techniques evolve. These are competitive markets with significant amounts of money.
I hope that as the cards continue to get faster and cheaper, alternative authentication methods will become more viable. Few organizations have moved completely to tokens or biometric devices. Tokens as part of a password are common internally in many enterprises but are rare on the Internet. Unfortunately, it is websites where passwords tend to be vulnerable to disclosure.
It is more difficult to deploy authentication using biometrics or USB tokens over the Internet. As text passwords become less safe, researchers are likely to find a safe method to use a stronger method. Text messages or email as a second factor is a significant improvement, but the password is still a weak link.