Cracking passwords using Brute Force takes more time, but don’t rejoice!

Although it takes longer to crack passwords than before using Brute Force, cybersecurity experts warn that this is not necessarily good news.

The security level of a password depends directly on its length and composition, including numbers, letters and special characters. The shorter and simpler the password, the easier it is to crack in a short time. In contrast, long and complex passwords, combining many different elements, can take millions of years to decode.

Last year, a study by Hive Systems caused many people to worry when it showed that 11-character passwords can be cracked in just the blink of an eye. However, the good news is that the latest research published this year has demonstrated the superior effectiveness of new industry-standard password hashing algorithms, typically bcrypt, in protecting passwords stored in database. Thanks to the application of the bcrypt algorithm, the same 11-character password now takes up to 10 hours to crack, significantly increasing safety compared to before.

In the past, many companies used MD5 encryption to protect user passwords. However, this method is outdated and no longer guaranteed to be safe. As a result, companies are now turning to bcrypt, a much stronger and more secure encryption algorithm. As explained by Hive CEO and co-founder Alex Nette, the adoption of bcrypt is an important step forward in protecting user data.

Luckily, websites and companies are gradually adopting stronger password encryption algorithms, making it more difficult to crack passwords. However, this expert also warns that with the continuous development of computer technology, the time needed to crack a password will once again be shortened, similar to what happened in the past. .

Encryption trade-offs

While hashing passwords with a strong encryption algorithm is a good security measure, it also comes with certain disadvantages. Nette, a security expert, shares: “Encryption makes everything slower. Bcrypt is a secure password hashing algorithm, but if too many hashing loops are used, it can affect website login speed or cause the website to load more slowly.”

“According to experts, applying optimal encryption can make a website difficult to use for users accessing the internet. Therefore, there often has to be a balance between security and user experience. However, , ‘it is this compromise that can create opportunities for hackers to attack’.”

According to Jason Soroko, Senior Vice President of Product at Sectigo, a global digital certificate provider, Bcrypt offers superior security compared to MD5 thanks to a hash function that is 56 bytes long compared to just 16 bytes of MD5. Thanks to this, Bcrypt can resist brute force attacks much more effectively.

Although many newer encryption algorithms have emerged, MD5 still holds its place, especially in managing large-scale password databases. The reason lies in its compact size and processing efficiency, he shared with Techlade.

However, using MD5 also poses security risks due to discovered vulnerabilities. Therefore, it is extremely important to consider carefully before applying MD5 to applications that require high security.

According to MJ Kaufmann, author, instructor at O’Reilly Media and operator of a learning platform for tech professionals in Boston, the use of stronger encryption algorithms has contributed to the increased difficulty of cracking. password. However, he also pointed out that this benefit is only available to organizations that have updated the source code to apply these advanced algorithms.

Because it is time consuming and can require significant system updates for compatibility, the transition to the new algorithm is slow. Many organizations will likely continue to use legacy algorithms for the foreseeable future.

Worst case scenario for hackers

According to Kaufmann, in recent times, there have been significant advances in data protection. “Organizations are finally waking up to the importance of data protection, in part because of regulations like GDPR, which empower consumers through harsh penalties for companies that violate violation,” she explained.

Therefore, many organizations are enhancing comprehensive data protection measures to prepare for possible future regulations.

Although it may take hackers longer to crack passwords, it is no longer as important to them as it once was. According to cybersecurity expert Kaufmann, “Cracking passwords is no longer a top priority for hackers. They often look for easier ways to attack, such as tricking users into revealing passwords or benefits.” using passwords stolen from other attacks.”

Although cracked passwords remain a significant threat, hackers are increasingly favoring more sophisticated attack methods such as phishing due to the rise of strong password encryption standards. According to Adam Neel, threat intelligence engineer at Critical Start, a national cybersecurity services company, phishing attacks are becoming more attractive due to their ability to trick users into revealing sensitive information. , Including passwords.

According to experts sharing with Techlade, hackers often prioritize attacks using the easiest path instead of spending months or even years to crack regular passwords. Thanks to the support of AI, social engineering techniques have become more accessible to hackers. Thanks to this, they can easily create sophisticated fake emails and messages to deceive users, luring them into revealing sensitive information or installing malware.

According to Stephen Gates, cybersecurity expert at Horizon3 AI, a company that develops automated penetration testing solutions based in San Francisco, hackers currently do not need to illegally penetrate the system, they just need to Use valid accounts to perform attacks.

According to him, stealing login information through phishing, leaking data from third parties (including login information), and reusing passwords is a problem. The most serious security issues that organizations are facing, creating opportunities for hackers to penetrate their networks.

Besides, the habit of using weak passwords or reusing the same password for multiple accounts of administrative users is creating vulnerabilities that hackers have been taking advantage of.

Additionally, he highlighted that some administrative or IT accounts do not strictly comply with password resets and minimum password length regulations. This lack of strict login information management may stem from a lack of understanding of how hackers often take advantage of simple login information to penetrate the system and carry out dangerous attacks. more dangerous.

The password still exists

Although completely eliminating passwords is considered the optimal solution to the problem of cracking, it has many potential risks and is difficult to apply in practice. According to Darren Guccione, CEO of Keeper Security – a company specializing in providing online password storage and management services in Chicago: “Passwords play an essential role in operations on all networks and devices. and account in our modern lives.”

Despite its great potential, passkeys cannot completely replace passwords in the near future. The reason is because currently, only a small portion of websites support passkeys, accounting for an insignificant proportion compared to billions of active websites.

This limited application stems from many factors:

• Platform support: Basic platforms such as web browsers and operating systems need to fully integrate passkey support.
• Website adjustments: Websites need to be updated to be passkey compatible, requiring technical changes.
• User configuration: Using a passkey may require the user to perform initial installation and configuration steps.

Therefore, in the first phase, passkeys will be deployed in parallel with passwords, instead of replacing them completely. Widespread adoption of passkeys will depend on the joint efforts of stakeholders, including platform developers, website owners, and users.

“While the general trend is towards a passwordless future or combining passwords with other authentication methods, this does not mean it applies to all cases,” the expert said. share. “Enterprises need to carefully evaluate factors such as security requirements, regulations and user needs to select and deploy appropriate and effective password replacement solutions.”