[snowstormsun]

Very click baity and not good journalism imho. Starting with a "A GeForce RTX 4090 could be cracking your password at this moment." tag line only to later note:

> With bcrypt, the hashing times soared. While the GeForce RTX 4090 only took 59 minutes to crack an MD5 hash, the same graphics card would need 99 years.

It's 2024 and if your password is still being hashed with md5, the news are: Your password could have been cracked 10 or more years ago already. Nobody sane uses that anymore and bcrypt still stands the test.

[entuno]

And even worse, that's bcrypt with 32 iterations - a work factor of 5. Every Bcrypt implementation I've seen has a default work factor of 10 (1024 rounds), and people often use higher values that that.

So that 99 years is a massive underestimate for any actually secure password storage.

[4death4]

So 99 of them could crack a password in 1 year? That is easily obtainable and not secure at all.

[daveguy]

If your password is only 8 characters. I go with a minimum of 14. That means 99 years turns into heat death of the universe... Or a pipe wrench.

[SebFender]

It doesn't work that way - and if it did - it's absolutely acceptable in most, if not all systems. A year to "break something" is absolutely considered secure in risk management of larger systems.

[4death4]

How does it not work that way? Password cracking is infinitely parallelizable.

[SebFender]

Technically yes - but when it comes to attacks not really. If someone wants it, you have much easier and faster techniques.

[NegativeK]

If you're a provider of some sort and storing passwords with MD5, shame on you. Or rc4. I'm looking at you, NTLM.

If you're a user and you don't assume that some providers are using MD5... That's just excessively risky.

It's not hard to manage passwords that can't be cracked regardless of the hashing algorithm.

[thatguymike]

What should I be doing to make a password that can't be cracked regardless of the hashing algorithm?

[lionkor]

start using very high entropy passwords which contain just about all printable ascii characters, excluding whitespace.

If a computer cant guess it, it won't crack the hash, either.

Use a password manager and make those suckers 20-40 characters.

Use a master key that is just a super long phrase interleaved with special characters. Easy to remember. Like titles of books you like, plus authors, plus something only you know. Stuff like that.

I use a version of KeePass, with the actual file synced via syncthing to all devices plus a cloud.