A ‘brute-force attack’ is a hacking method that uses trial and error to crack passwords,
login credentials, and encryption keys. Recent studies show that this form of cyberattack
now takes longer than in the past, but, as we’ll see, this should not be a reason to relax
security standards.

Depending on the length of the password and its composition — the mix of numbers,
letters, and special characters — a password can be cracked instantly or take millions of
years to decipher. For example, passwords that are only composed of four, five, or six
numbers can be cracked instantly with today’s computers, while an 18-character
password consisting of numbers, upper- and lower-case letters and symbols, would take
19 quintillion years to break.

In 2023, research found that some 11-character passwords could be cracked
immediately using brute force. This year’s findings revealed the effectiveness of newer
industry-standard password hashing algorithms – the same 11-character password now
takes ten hours to crack.

Websites and companies are increasingly making wise decisions by adopting more
robust password-hashing algorithms, which has led to longer password cracking times.
However, as computer power continues to increase, these times may decrease again as
they have in previous years.
Continued threats

While it may take longer for hackers to crack passwords, the importance of cracking has
diminished for them. Typically, attackers prefer the path of least resistance, which is
often achieved by stealing passwords through phishing (whereby targets are contacted
by email, telephone or text message by someone posing as a legitimate institution to lure
individuals into providing sensitive data) or leveraging passwords stolen from other
attacks. Keylogging malware and credential harvesting through social engineering tactics
are responsible for a significant number of stolen username and password incidents.
As such, the recent findings should be considered a worst-case scenario for a hacker. It
assumes that a hacker was unable to obtain someone’s password through other means
and must resort to ‘brute-forcing’ a password. Other techniques could significantly
reduce the time required to acquire a password, potentially making it instant.
So, the message is clear, password threats remain in spite of recent advances. So stay
vigilant and stay secure.

Tech Gloves: Let us manage IT for you.