Three hackers have demonstrated how easy it is to crack cryptographically hashed passwords, with 90 per cent of a mind-boggling 16,449 passwords successfully deciphered.
The experiment, orchestrated by Ars Technica, tasked the hackers with turning MD5 hashes like “5f4dcc3b5aa765d61d8327deb882cf99” into the viable passwords hidden underneath.
The hackers employed the most basic hardware for the job, with one of them able to crack 62 per cent of the passwords within just one hour, all the while answering interview questions. The most successful hacker took 20 hours to crack 14,734 passwords, a whopping 90 per cent success rate, all with just a single AMD Radeon 7970 graphics card.
While many of the passwords were insanely simple, like “123456,” “password” and “letmein,” others were much more complex, like “qeadzcwrsfxv1331,” calling into question many previous assumptions about the difficulty of identifying longer, random strings of characters.
Brute-force password guessing was employed for passwords containing just six characters, with 10,233 passwords cracked in just 16 minutes, but anything above six characters would have required exponentially more time, potentially weeks or years for the longer variations. Word lists, which the hackers have spent years refining, were also employed in the more advanced stages, which took hours to complete, with fewer results in each successive round.
To show that this is not just the realm of experienced hackers, Nate Anderson, deputy editor of Ars Technica, put his inexperience with password cracking to the test, managing to crack roughly half of the 16,000 passwords in a single work day.
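The following is an added example, not code from the article or from the experiment. It shows why unsalted MD5 storage falls so quickly (one hash per candidate word checks every account at once), how a salted, slow key-derivation function changes that, and how the exhaustive-search space grows with each extra character. The account names, the 95-character printable set, the choice of PBKDF2 and its 600,000-iteration work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Passwords the article names as trivially weak.
COMMON = ["123456", "password", "letmein"]

def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage format used in the experiment."""
    return hashlib.md5(password.encode()).hexdigest()

def audit_md5(stored: dict, wordlist=COMMON) -> dict:
    """Flag accounts whose unsalted MD5 matches a known-weak password."""
    # One MD5 per candidate covers every account, since equal passwords give equal digests.
    lookup = {md5_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}

def pbkdf2_record(password: str, iterations: int = 600_000) -> tuple:
    """Salted, deliberately slow storage: (salt, iterations, derived key)."""
    salt = os.urandom(16)  # unique per account, so no shared lookup table applies
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def pbkdf2_verify(password: str, record: tuple) -> bool:
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)  # constant-time comparison

def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for 1..length characters."""
    return sum(charset_size ** n for n in range(1, length + 1))

# Constructed sample accounts (not data from the experiment).
SAMPLE = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # hash quoted in the article
    "bob": md5_hex("password"),
    "carol": md5_hex("letmein"),
    "dave": md5_hex("constructed-long-passphrase-7312"),
}

if __name__ == "__main__":
    print("weak MD5 accounts:", audit_md5(SAMPLE))
    a, b = pbkdf2_record("password"), pbkdf2_record("password")
    print("same password, different records:", a[2] != b[2])
    print("verifies:", pbkdf2_verify("password", a))
    print("7 vs 6 characters, growth factor:", keyspace(95, 7) // keyspace(95, 6))
```

With per-account salts, the lookup-table shortcut in `audit_md5` no longer works: each candidate must be re-derived for every account at the full iteration cost.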