TL;DR
Estimating nation state password cracking abilities is extremely difficult due to secrecy. However, we can infer capabilities based on known resources (computing power, budget), observed attacks, and publicly available research. They’re *far* beyond what individuals or even most companies can achieve, using custom hardware, advanced algorithms, and dedicated teams. This guide outlines what’s realistically possible for them and how to defend against it.
Understanding the Landscape
Nation states aren’t just running off-the-shelf cracking tools. They have access to:
- Massive Computing Resources: Think dedicated data centres, cloud infrastructure (potentially compromised), and custom ASICs (Application Specific Integrated Circuits) designed specifically for password hashing algorithms.
- Significant Budgets: Allowing them to hire top cryptographers, software engineers, and hardware specialists.
- Zero-Day Exploits & Malware: To steal hashes directly from systems without needing to guess.
- Advanced Algorithms: Beyond standard dictionary attacks; they develop custom rulesets based on target profiles (language, job title etc.).
Estimating Cracking Power
Password cracking speed is measured in hashes per second (H/s). Here’s a rough idea of what different actors can achieve:
- Individual: A powerful gaming PC might crack 10-100 million H/s.
- Large Company: Dedicated hardware and software could reach 10 billion – 1 trillion H/s.
- Nation State (Low End Estimate): 10 trillion – 100 trillion+ H/s. This is a conservative estimate; actual figures are likely much higher.
- Nation State (High End Estimate): Exceeding 1 quadrillion H/s is plausible, especially with custom hardware and distributed attacks.
These numbers depend heavily on the hash algorithm used (see section below).
Hash Algorithm Strength
The time it takes to crack a password depends *massively* on the hashing algorithm used. Here’s a comparison:
- MD5 & SHA1: Considered broken and extremely fast to compute; unsalted hashes can be cracked almost instantly with readily available tools (rainbow tables, precomputed hashes). Do not use these!
- SHA256: Still widely used for password storage, but as a fast general-purpose hash it offers little resistance on its own. Cracking takes longer than MD5, yet is readily achievable with sufficient resources.
- bcrypt & Argon2: Significantly more secure due to salting and adaptive work factors (a tunable computational cost). Argon2id is also memory-hard, which blunts the advantage of GPUs and custom ASICs. These are the recommended algorithms.
Example of hash strength comparison using John the Ripper:
john --format=raw-sha256 hashed_passwords
This attempts to crack the unsalted SHA256 hashes in hashed_passwords (the --format value tells John which hash type the file contains). To compare algorithms without any hash file, run John's built-in benchmark for each format (john --test --format=raw-sha256, then the same with --format=bcrypt): the difference in candidates per second shows how much a work-factor hash slows an attacker down.
What Nation States Target
- High-Value Targets: Government officials, military personnel, critical infrastructure employees, CEOs of major companies.
- Compromised Systems: Targeting systems with large databases of credentials (e.g., Active Directory).
- Specific Data: Intellectual property, trade secrets, sensitive personal information.
Defending Against Nation State Attacks
While completely preventing a determined nation state is nearly impossible, you can significantly raise the bar:
- Strong Password Policies: Enforce long, complex passwords (minimum 12 characters, mixed case, numbers, symbols).
- Multi-Factor Authentication (MFA): Essential. Even if a password is cracked, MFA adds another layer of security. Use strong MFA methods like hardware tokens or authenticator apps. Avoid SMS-based MFA where possible.
- Modern Hash Algorithms: Migrate to bcrypt or Argon2 with appropriate work factors. Regularly review and increase these factors as computing power increases; because the parameters are stored alongside each hash, entries created under older, weaker settings can be detected and re-hashed at the user's next successful login.
- Salting: Always use unique, randomly generated salts for each password.
- Password Rotation: Encourage (or enforce) regular password changes, though this is less effective than strong passwords and MFA.
- Account Lockout Policies: Limit the number of failed login attempts to slow online brute-force attacks, but balance the threshold against the risk of attackers locking legitimate users out on purpose.
- Intrusion Detection & Prevention Systems (IDS/IPS): Monitor for suspicious activity, such as repeated failed logins or unusual access patterns.
- Regular Security Audits & Penetration Testing: Identify vulnerabilities and weaknesses in your systems.
- Credential Monitoring: Use services to check if your credentials have been exposed in data breaches.
Example of checking Argon2id parameters (requires the argon2-cffi package):
python -c "import argon2.low_level as a; print(a.hash_secret(b'your_password', b'your_salt', time_cost=3, memory_cost=102400, parallelism=1, hash_len=64, type=a.Type.ID).decode())"
This prints a PHC-format string ($argon2id$v=19$m=102400,t=3,p=1$...) that embeds the parameters used: memory_cost is in KiB (102400 = 100 MiB), time_cost is the number of passes, and parallelism the number of lanes. The salt here is a placeholder for illustration; in production use a fresh random salt per password (argon2.PasswordHasher does this for you).
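An added example, not code from the original article, that ties the rate table in "Estimating Cracking Power" to the work-factor advice under "Modern Hash Algorithms": it estimates the worst-case time to exhaust the 12-character policy at each attacker tier, and parses stored Argon2 PHC strings to flag entries whose parameters fall below a site minimum so they can be re-hashed at next login. POLICY_MIN, the slowdown factor and the sample hash strings are assumptions; the code uses only the standard library, so it runs without argon2-cffi.

```python
import re

# Attacker rates (hashes/second) for a fast hash, from the rough estimates above.
ATTACKER_RATES = {
    "individual": 1e8,
    "large_company": 1e12,
    "nation_state_low": 1e14,
    "nation_state_high": 1e15,
}
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates for a fixed-length password over charset_size symbols."""
    return charset_size ** length


def years_to_exhaust(length: int, charset_size: int, rate_hps: float, slowdown: float = 1.0) -> float:
    """Worst-case years to try every candidate at rate_hps. `slowdown` is the assumed
    cost of one evaluation of the deployed hash relative to a fast hash (1.0 = raw SHA256)."""
    return keyspace(length, charset_size) / (rate_hps / slowdown) / SECONDS_PER_YEAR


# PHC-format Argon2 string: $argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>
PHC_RE = re.compile(
    r"^\$argon2(?P<variant>id|i|d)\$v=(?P<v>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)
# Hypothetical site policy: lowest work factors still accepted (memory in KiB). Raise over time.
POLICY_MIN = {"m": 65536, "t": 3}


def parse_argon2(phc: str) -> dict:
    """Extract variant, version and work factors from a stored Argon2 hash string."""
    match = PHC_RE.match(phc)
    if match is None:
        raise ValueError("not an Argon2 PHC-format string")
    d = match.groupdict()
    return {"variant": d["variant"], "version": int(d["v"]),
            "m": int(d["m"]), "t": int(d["t"]), "p": int(d["p"])}


def needs_rehash(phc: str, policy: dict = POLICY_MIN) -> bool:
    """True if the stored hash is not Argon2id or is weaker than current policy.
    Call after a successful login and re-hash the plaintext you just verified."""
    params = parse_argon2(phc)
    return params["variant"] != "id" or any(params[k] < policy[k] for k in policy)


if __name__ == "__main__":
    # Constructed sample hashes; the salt/hash fields are placeholders, not real digests.
    strong = "$argon2id$v=19$m=102400,t=3,p=1$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA"
    weak = "$argon2i$v=19$m=4096,t=1,p=1$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA"
    print(needs_rehash(strong), needs_rehash(weak))  # False True
    for who, rate in ATTACKER_RATES.items():
        print(f"{who}: {years_to_exhaust(12, 94, rate):.1f} years to exhaust 12 chars of 94")
```

Note that the high-end nation-state rate exhausts the full 12-character, 94-symbol space of a fast hash in roughly 15 years, while the same attack against a hash that is a million times slower per evaluation takes a million times longer.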
Conclusion
Nation state password cracking capabilities are substantial and constantly evolving. A layered defence approach, focusing on strong passwords, MFA, modern hash algorithms, and proactive monitoring is crucial to mitigate the risk. Accepting that complete prevention isn’t possible and focusing on detection and response is a realistic strategy.