CybserSecurity News

Tag: password-cracking

  • New GPUs Make Hacking Passwords Easier. Is Yours Still Safe?

    Researchers at Specops have updated their study on cracking passwords hashed with bcrypt. Two years earlier they published similar findings, but the hardware landscape has shifted dramatically since: the AI boom and surging compute demand have made high-end GPUs more affordable and accessible than ever.

    This shift transcends gaming. Modern GPUs are repurposed to train large language models, and idle cycles are routinely rented out on platforms such as vast.ai. The same hardware can be redeployed for other tasks — including attacks against hashed passwords.

    In the new experiment the team used a cluster of eight RTX 5090 cards — a configuration the researchers describe as the “practical minimum” for today’s adversaries. Renting comparable cloud capacity costs on the order of $5 per hour, rendering such attacks attainable even for small groups; larger rigs with 16 GPUs also appear on the market.

    Password cracking

    Unlike earlier measurements that relied on an antiquated bcrypt cost factor of 5, the Specops team tested with more realistic cost parameters of 10 and above. They generated 750,000 hashes derived from the real-world RockYou password corpus. Higher cost factors extend not only the cracking time but also the time required to produce the test corpus: building a dataset at cost 14 required nearly five hours on a powerful workstation.

    The results are telling: an RTX 5090 is roughly 65% faster than its predecessor when handling bcrypt, yet increased hashing costs partially offset that advantage. Short, trivial passwords such as “123456” or “admin” remain trivial to crack, but long, complex passphrases — particularly those exceeding 12 characters — are effectively immune to brute force.

    Timing data show a stark nonlinearity: very short passwords drawn from limited character sets fall almost instantly — four- or five-digit strings succumb immediately; six-character numeric or alphabetic passwords yield within minutes or hours. But an eight-character secret employing mixed case, digits, and symbols can push brute-force timelines to millennia. Once you reach 12 characters with the full complement of character classes, exhaustive search becomes infeasible within any practical horizon.

    It is important to note that real attacks seldom rely on pure brute force. Adversaries more often use dictionaries, mangling rules, or targeted wordlists assembled from corporate footprints. Yet brute force provides a baseline metric of an attacker’s compute capability and underscores the protective value of length and entropy.

    Specops stresses that hashing strength alone is not a panacea: if a password has already been exposed in a leak, bcrypt offers no salvation — the protection is nullified once the secret is compromised.

    Consequently, the researchers recommend holistic password policies: a minimum length of at least 18 characters, mandatory use of multiple character classes, and support for long passphrases. Organizations should also maintain bespoke blocklists that forbid terms tied to the company — product names, brands and other obvious words — which can be generated using tools like CeWL against the organization’s public assets.

    The study’s verdict is simple: cracking has become more attainable as hardware grows more potent, but robust defenses still work — provided users adopt long, unique, high-entropy passwords. In a world where GPUs can be rented for $5 an hour, entropy and length remain the cornerstones of password security.

  • Hashcat 7.0.0: The King of Password Crackers Returns with Massive Upgrades

    The Hashcat development team has unveiled a major update to its renowned password-cracking tool—version 7.0.0. This marks the first major release in over two years, encompassing hundreds of bug fixes, dozens of new features, and a comprehensive refactoring of core components. In scope and ambition, it far surpasses all interim updates of the 6.2.x branch.

    Over the course of its development, more than 900,000 lines of code were modified, with contributions from 105 developers—74 of them newcomers to the project. All previously undocumented features from the 6.2.x series have been consolidated and thoroughly documented.

    Among the most significant innovations is the Assimilation Bridge system, which enables the integration of external resources into the cracking process, including CPUs, FPGAs, and embedded interpreters. A new Python Bridge Plugin allows developers to rapidly write custom hash-matching logic without recompilation, offering multithreading support and a built-in rule engine. GPU virtualization has also been introduced, permitting a single physical GPU to be divided into multiple logical devices, thus simplifying asynchronous workloads. Moreover, Hashcat can now automatically detect hash types without the explicit -m parameter.

    Support for algorithms has been dramatically expanded: 58 new application-specific formats have been added, including Argon2, MetaMask, Microsoft Online Account, SNMPv3, GPG, OpenSSH, and LUKS2. In addition, 17 new constructs relevant to web services and protocols, 11 new cryptographic primitives, and 20 utilities for extracting hashes from diverse sources—ranging from BitLocker and APFS to VirtualBox VMs and cryptocurrency wallets—are now included.

    Performance optimization was another focal point. The autotuning mechanism has been completely redesigned, improving device utilization. Memory management has been rewritten to remove the 4GB limitation, ensuring full compatibility with modern GPU resources. Popular attack modes such as NTLM, NetNTLMv2, and RAR3 received targeted optimizations. In some cases, performance gains are substantial—for example, scrypt saw up to a 320% speed increase, while NetNTLMv2 on Intel CPUs achieved more than a threefold improvement.

    Hashcat 7.0.0 also introduces support for new backends. AMD GPUs now leverage HIP, prioritized over OpenCL, while macOS gains native support through Metal, bringing compatibility with Apple Silicon chips and significant performance improvements.

    For developers, diagnostic and debugging tools have been enhanced, test coverage expanded, and the rule engine optimized. Additional character sets have been introduced, new output formats—including JSON—are supported, dictionary handling has been refined, and numerous bugs have been resolved.

    This release stands as a testament to the collaborative efforts of the community, dozens of contributors, and dedicated testers. The team acknowledges that the process took longer than anticipated, but they emphasize that the result was worth the wait. Hashcat 7.0.0 is now available for download via the official website and GitHub, with full release notes spanning nearly 10,000 words.