Methodology

In their experiments, the researchers reportedly used the computing power of Nvidia’s current high-end GPU GeForce RTX 4090 to crack passwords offline using a brute force or dictionary attack. The brute force approach involves bluntly trying all conceivable combinations of characters until a password is guessed. The more computing power available, the faster the query. In dictionary attacks, cyber criminals draw on large lists of leaked log-in data and try them out. The researchers used 192 million leaked passwords circulating on the darknet as a basis. In their experiments, they treated the passwords with the hash algorithm MD5, including the salt value, before cracking them. MD5 has long been considered insecure, but this is a theoretical attempt. They state that the computing power available to them can try 164 billion hashes per second. In this scenario, they say they were able to crack 28% of passwords with upper and lower case letters in less than a minute. If numbers are added, the figure shrinks to three percent. And for 55 percent, the process would take longer than a year due to the complexity of the password. With optimized algorithms such as negram_seq, which calculate the probability of the next character, they were able to further increase the success rate.