If not, the rate depends on whether the authentication software limits how often a password can be tried, either by time delays, CAPTCHAs, or forced lockouts after some number of failed attempts.
[10] Graphics processing units can speed up password cracking by a factor of 50 to 100 over general purpose computers for specific hashing algorithms.
As an example, in 2011, available commercial products claimed the ability to test up to 2,800,000,000 NTLM passwords a second on a standard desktop computer using a high-end graphics processor.
Hardware acceleration in a GPU has enabled resources to be used to increase the efficiency and speed of a brute force attack for most hashing algorithms.
In 2012, Stricture Consulting Group unveiled a 25-GPU cluster that achieved a brute force attack speed of 350 billion guesses of NTLM passwords per second, allowing them to check
[14] In 2017, leaked documents showed that ASICs were used for a military project that had a potential to code-break many parts of the Internet communications with weaker encryption.
Research detailed in an April 2015 paper by several professors at Carnegie Mellon University shows that people's choices of password structure often follow several known patterns.
[22] Some of the key findings were: In June 2011, NATO (North Atlantic Treaty Organization) suffered a security breach that led to the public release of first and last names, usernames, and passwords of more than 11,000 registered users of their e-bookshop.
The data were leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, and other hacking groups and individuals.
[23] On July 11, 2011, Booz Allen Hamilton, a large American consulting firm that does a substantial amount of work for the Pentagon, had its servers hacked by Anonymous and leaked the same day.
"The leak, dubbed 'Military Meltdown Monday', includes 90,000 logins of military personnel—including personnel from USCENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private-sector contractors.
For example, on the Unix operating system, hashed passwords were originally stored in a publicly accessible file /etc/passwd.
[31]: 5.1.1.2 Modern Unix Systems have replaced the traditional DES-based password hashing function crypt() with stronger methods such as crypt-SHA, bcrypt, and scrypt.
For instance, the Cisco IOS originally used a reversible Vigenère cipher to encrypt passwords, but now uses md5-crypt with a 24-bit salt when the "enable secret" command is used.
[34] Many hashes used for storing passwords, such as MD5 and the SHA family, are designed for fast computation with low memory requirements and efficient implementation in hardware.
Multiple instances of these algorithms can be run in parallel on graphics processing units (GPUs), speeding cracking.
Other algorithms, such as scrypt are memory-hard, meaning they require relatively large amounts of memory in addition to time-consuming computation and are thus more difficult to crack using GPUs and custom integrated circuits.
Solutions like a security token give a formal proof answer[clarification needed] by constantly shifting password.
There are many password cracking software tools, but the most popular[37] are Aircrack-ng, Cain & Abel, John the Ripper, Hashcat, Hydra, DaveGrohl, and ElcomSoft.
[38] The increased availability of computing power and beginner friendly automated password cracking software for a number of protection schemes has allowed the activity to be taken up by script kiddies.