When hackers released password data for more than 36 million Ashley Madison accounts last week, big-league cracking expert Jeremi Gosney didn't bother running them through one of his massive computer clusters built for the sole purpose of password cracking. The reason: the passwords were protected by bcrypt, a cryptographic hashing algorithm so strong Gosney estimated it would take years using a highly specialized computer cluster just to check the dump for the top 10,000 most commonly used passwords.
[Table with columns PASSWORD and NUMBER OF USERS; its rows were not preserved.]
Exercise in adversity
As Ars has chronicled over the years, passwords have never been weaker and crackers have never been stronger, even when passwords are hashed following industry standard practices and end users choose long, random-appearing passcodes or passphrases with dozens or even hundreds of characters. In short, crackers guess surprising numbers of passwords by exploiting the predictability in the way most end users choose passwords and by using GPU-based computers that in some cases can make billions of guesses per second until the right one is made.
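Why bcrypt changes the arithmetic in both paragraphs above: a fast, unsalted hash lets a cracker hash each candidate once and compare it against every account, while a salted, deliberately slow hash like bcrypt forces accounts × candidates separate computations. The following is an added example, not from the article or from Gosney's tooling; it uses stdlib PBKDF2 as a stand-in for bcrypt (both are salted key-stretching functions), and the 4,000 hashes/s bcrypt rate in the test is a constructed figure, since the article gives no rate.

```python
import hashlib
import os
import time

# Figures the article states: accounts in the dump and the wordlist Gosney considered.
ACCOUNTS = 36_000_000
CANDIDATES = 10_000


def measure_rate(hash_fn, seconds=0.2):
    """Hashes per second for hash_fn on this machine (constructed benchmark input)."""
    pw = b"correcthorse"
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        hash_fn(pw)
        n += 1
    return n / (time.perf_counter() - t0)


def fast_hash(pw):
    # Unsalted SHA-1: the kind of hash GPUs run at billions of guesses per second.
    return hashlib.sha1(pw).digest()


SALT = os.urandom(16)  # per-user salt, as bcrypt stores one with every hash


def slow_hash(pw):
    # PBKDF2 with a high iteration count stands in for bcrypt's tunable cost factor.
    return hashlib.pbkdf2_hmac("sha256", pw, SALT, 100_000)


def unsalted_check_seconds(candidates, rate):
    """Unsalted hash: each candidate is hashed once, then matched against all accounts."""
    return candidates / rate


def salted_check_seconds(accounts, candidates, rate):
    """Salted hash: nothing is shared between accounts, so every (account, candidate)
    pair costs one hash computation."""
    return accounts * candidates / rate


def years(seconds):
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print("fast hash/s:", int(measure_rate(fast_hash)))
    print("slow hash/s:", int(measure_rate(slow_hash)))
    print("years to test top 10k against every bcrypt hash at 4,000 H/s:",
          round(years(salted_check_seconds(ACCOUNTS, CANDIDATES, 4_000)), 2))
```

Run it to see the local throughput gap; the projection shows why a wordlist that a GPU exhausts against unsalted hashes in microseconds takes years against a salted, slow hash.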