Can bcrypt Passwords Be Cracked?

Specops Software, an Outpost24 company, has released new research on bcrypt passwords and how easy (or not) they are to crack. This research follows previously released data on how long it takes attackers to brute-force MD5-hashed user passwords with the help of newer hardware.

bcrypt is becoming an increasingly popular way to secure passwords, as it uses a strong hashing algorithm. Additionally, to increase security, bcrypt adds a random piece of data (a salt) to each password hash, ensuring each hash is unique and making dictionary and brute-force attacks far more expensive.

Bcrypt distinguishes itself from other hashing algorithms by incorporating a 'cost factor'. This factor determines the number of hashing iterations performed before the final hash is produced, and it is stored alongside the salt. By raising the cost factor, one can increase the number of iterations and hashing rounds, thereby increasing the time, effort, and computational resources required to compute the final hash value. This deliberate slowdown significantly impedes the cracking process.
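To make the cost factor concrete, here is an added example (not Specops' research code) that parses stored bcrypt strings, reads the cost out of the prefix, reports the resulting number of rounds, and flags hashes below a chosen minimum. The sample hash strings are constructed, and the `minimum_cost` of 12 is an assumed policy value, not a figure from the research.

```python
import re
from dataclasses import dataclass
# bcrypt strings: $<version>$<cost>$<22-char salt><31-char hash>, payload in bcrypt's own base64 alphabet.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


@dataclass(frozen=True)
class BcryptHash:
    version: str
    cost: int
    salt: str
    digest: str

    @property
    def iterations(self) -> int:
        # The cost is a log2 work factor: the expensive key setup runs 2**cost rounds.
        return 1 << self.cost


def parse_bcrypt(hash_str: str) -> BcryptHash:
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's valid range 4..31")
    return BcryptHash(version, int(cost), salt, digest)


def relative_cost(cost: int, baseline: int) -> float:
    return 2.0 ** (cost - baseline)  # each +1 on the cost doubles the work per guess


def audit(hashes, minimum_cost: int = 12):
    """Return (hash, reason) pairs for entries that are malformed or hashed below the required cost."""
    findings = []
    for h in hashes:
        try:
            parsed = parse_bcrypt(h)
        except ValueError as exc:
            findings.append((h, str(exc)))
            continue
        if parsed.cost < minimum_cost:
            findings.append((h, f"cost {parsed.cost} ({parsed.iterations} rounds) is below {minimum_cost}"))
    return findings


# Constructed sample values: correct layout and alphabet, not hashes of real passwords.
SAMPLE_HASHES = [
    "$2b$12$" + "Salt" * 5 + "Sa" + "Hash" * 7 + "Has",            # cost 12: meets the assumed policy
    "$2a$05$" + "C" * 21 + "." + "E" * 31,                         # cost 5: far too cheap
    "$2y$10$" + "abcdefghijklmnopqrstuv" + "0123456789" * 3 + "0",  # cost 10: below the assumed policy
    "0123456789abcdef" * 2,                                        # 32 hex digits, MD5-shaped, not bcrypt
]
```

Running `audit(SAMPLE_HASHES)` over a dump of a credential store is a quick way to spot legacy rows that were hashed with a low cost before a policy change.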

The research found that while a bcrypt hash takes time to compute, it also takes time to break. A threat actor might give up, lack the computational power, or the delay might give security teams the time needed to notice suspicious activity. Even with faster hardware, bcrypt is very time-consuming to crack by brute force thanks to its configurable number of password iterations.

However, bcrypt hashing ultimately cannot prevent password compromise altogether. Short, non-complex passwords can still be cracked relatively quickly, highlighting the significant risk of allowing users to create weak (yet very common) passwords. But once a mix of character types is used in passwords over eight characters in length, cracking quickly becomes a near-impossible task for attackers.

This research coincides with an update to the Breached Password Protection service. This month, over 21 million compromised passwords were added to the list. Recently, Specops announced a new continuous scanning capability for its Breached Password Protection tool.

The post Can bcrypt Passwords Be Cracked? first appeared on IT Security Guru.