The so-called researchers at Hive Systems are at it again! Using scare tactics to gain cheap publicity and revenue! Last year they published something similar and gained widespread publicity (and no doubt revenue). They used MD5, an obsolete hashing algorithm that has been completely broken since 2008, to hash the passwords. No wonder the passwords were quickly cracked by modern everyday hardware.

After taking a backlash, this year they upped the hashing algorithm to bcrypt, which is secure and has not yet been broken. But since they needed publicity using scare tactics, they implemented bcrypt in a very weak manner, using just 32 iterations/rounds, a work factor of just 5, which is laughable by today's standards, and no one in their right mind will implement it like that. The default work factor of bcrypt is 10, i.e. 1024 iterations/rounds. However, most sensible people will implement a work factor of at least 12 (4096 rounds) or higher.

Here are some quotes from their research: https://www.hivesystems.com/blog/are-your-passwords-in-the-green

There is a deliberate/accidental typo in the above paragraph. The work factor used is just 5; the number of rounds/iterations is 32. The correct number of iterations is mentioned under the graphics of the cracked passwords.

Here is another titbit under "limitation of their work".

Again dumbing down a hash algorithm to make it easier to crack the passwords, and then saying that this is not how this algorithm is actually used in real life!

So what does all this mean? While I certainly do not recommend using an 8 character password nowadays, if you do have a randomly generated 8 character password, using a combination of alphanumeric uppercase/lowercase letters and symbols, it will take a lot longer for such a password to be cracked than this research suggests, provided you use a good secure hashing algorithm with recommended settings.
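The work factor discussed above is stored inside every bcrypt hash string, so a defender can audit a credential store for weak settings without touching any password. The following is an added example, not part of the original post: the function names, the policy floor of 12 and the sample rows are assumptions made for illustration.

```python
import re

# Modular crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}$")
MIN_COST = 12       # assumed policy floor (the post suggests 12 or higher)
BASELINE_COST = 5   # work factor the post attributes to the study


def parse_cost(hash_str):
    """Return the bcrypt work factor encoded in a hash string, or None."""
    m = BCRYPT_RE.match(hash_str.strip())
    if not m:
        return None
    cost = int(m.group(1))
    return cost if 4 <= cost <= 31 else None  # bcrypt accepts costs 4..31


def rounds(cost):
    """Key-expansion iterations for a given work factor: 2**cost."""
    return 1 << cost


def audit(records, min_cost=MIN_COST):
    """Classify (user, hash) pairs; report rounds and slowdown vs. the baseline."""
    findings = []
    for user, stored in records:
        cost = parse_cost(stored)
        if cost is None:
            findings.append({"user": user, "status": "not-bcrypt"})
            continue
        findings.append({
            "user": user,
            "status": "ok" if cost >= min_cost else "rehash-on-login",
            "cost": cost,
            "rounds": rounds(cost),
            "slowdown_vs_baseline": rounds(cost) / rounds(BASELINE_COST),
        })
    return findings


# Constructed sample rows: salt and digest are filler, not real hashes.
FILLER = "A" * 22 + "B" * 31
SAMPLE = [
    ("alice", "$2b$05$" + FILLER),
    ("bob", "$2a$10$" + FILLER),
    ("carol", "$2y$12$" + FILLER),
    ("dave", "0" * 32),  # 32 hex chars, MD5-shaped, so not bcrypt
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Each step up in work factor doubles the cost of every guess, so a hash at cost 12 takes 128 times the work per guess of one at cost 5.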