by reify 743 days ago
Using an 8 char password for those tests is very weak

On my old Linux gaming rig with the AMD RX580 I can run through the entire WPA2 keyspace of 8 char lowercase or 8 char uppercase in 3 hours.

MD5 and SHA1 take seconds using JTR or hashcat masks or brute force or a straight attack using the Rust super fast Cracken password generator.

3 comments

Not to mention that they're using MD5, which people have been recommending against for over a decade.

The Bcrypt result was "99 years" even for an 8 character password (and with a work factor of 5, compared to the default of 10 in most libraries) - but that doesn't make for a very good clickbaity headline, so they don't really talk about it.

Good spot. My passwords are ~20+ characters, so the title had me worried for a sec.
This and dice words for the win. God I hate password requirements that need special chars. Just add a min length and be done with it.
To be fair, every time a privacy leak is reported we may be looking at old code or careless devs that may have used MD5 or things like length as a hash function.

But yeah, a big goal here was to be as clickbaity as possible.