If you’re still using passwords of eight characters or fewer, it’s time to change them. Hive Systems has just measured the time needed to recover a password from its MD5 hash, an outdated hashing algorithm that is unfortunately still used by too many websites.
Assuming such a password is random and uses lowercase and uppercase letters, numbers and special characters, it will take five hours to crack with a very good graphics card (Nvidia RTX 3090), and only 39 minutes with eight Nvidia A100 Tensor Core graphics cards (rental cost on Amazon: $20). In short, the level of security of such a password is… nil.
As we can see in this table, adequate protection only begins at 11 characters. But it is best to go beyond 16 characters.
An attacker will then need 92 billion years to carry out a brute-force attack, which leaves plenty of time. This is also not far from the ANSSI recommendation, which considers a password strong from 15 characters. If you use a password manager, in which case the length of the passwords does not matter because you do not have to remember them, the French cybersecurity agency advises setting passwords of more than 20 characters.
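Why length dominates, as an added example (not from the article or from Hive Systems): exhaustive search time grows as alphabet_size ** length, so the two figures quoted above are enough to extrapolate other lengths against the same MD5 benchmark. It assumes the 39-minute and 92-billion-year figures come from the same hardware and character set; all function names are illustrative.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures quoted in the article. Assumption: both come from the same
# benchmark (same hardware, same character set, MD5 hashes).
T8_SECONDS = 39 * 60                    # 8 random characters: 39 minutes
T16_SECONDS = 92e9 * SECONDS_PER_YEAR   # 16 random characters: 92 billion years


def implied_alphabet_size(len_a=8, t_a=T8_SECONDS, len_b=16, t_b=T16_SECONDS):
    """Search time scales as N**length, so t_b / t_a == N**(len_b - len_a)."""
    return (t_b / t_a) ** (1.0 / (len_b - len_a))


def crack_time_seconds(length, alphabet=None):
    """Extrapolate exhaustive-search time for a random password of `length`."""
    n = alphabet if alphabet is not None else implied_alphabet_size()
    return T8_SECONDS * n ** (length - 8)


def min_length_for(target_years, alphabet=None):
    """Smallest length whose extrapolated search time reaches target_years."""
    length = 1
    while crack_time_seconds(length, alphabet) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    print(f"implied alphabet size: {implied_alphabet_size():.1f}")
    for length in (8, 11, 15, 16, 20):
        print(f"{length:2d} characters: {humanize(crack_time_seconds(length))}")
    print("shortest length lasting 1,000 years:", min_length_for(1000))
```

Each extra character multiplies the search time by the alphabet size, which is why three more characters move the estimate from minutes to decades.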
Sources: Hive Systems, ANSSI