10/16/2013 06:52 PM
User-Selected Passwords Still Getting Cracked

Educating people about good password selection has largely failed as graphics-processor-enabled cracking crunches through billions of possibilities every second

The case against passwords has never been stronger.

While easily guessed passwords have made media headlines, today's password-cracking systems can make short work of passwords, even those created using seemingly complex mnemonic devices. Current cracking techniques, fueled by cheap parallel computation using off-the-shelf graphic processors, can guess trillions of combinations every hour.

The hashed password list stolen from global intelligence service Stratfor's website, for example, contained more than 630,000 passwords that had been randomly generated by the site and consisted of eight alphanumeric characters. Cracking efforts took less than 24 hours to completely recover that portion of the 815,000 hashes in the stolen file, in part because the company had not added a random seed, known as a "salt," to the hashing process, says Steve Thomas, president of PwnedList, a subsidiary of InfoArmor that tracks compromised accounts.

"It has never been easier," Thomas says. "Being able to do 23 billion password possibilities every second ... when you get a dump of hashes, you can very quickly get most, or maybe even all, cracked in a number of hours."
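An added example, not from the article, that turns the figures quoted above (eight random alphanumeric characters, 23 billion guesses per second, roughly 630,000 accounts) into worst-case exhaustion times, and shows what a per-user salt would have changed. It assumes a fast, unsalted hash for the "unsalted" case and that every account needs to be recovered for the "salted" case.

```python
# Added example (not from the article): exposure estimates for a stolen
# hash file, using the figures quoted in the text.
ALNUM = 62  # a-z, A-Z, 0-9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float,
                       targets: int = 1) -> float:
    """Worst-case time to try every candidate against the stolen file.

    Unsalted: one hash per candidate is compared against every stolen hash
    at once, so the number of accounts does not add work (targets=1).
    Per-user salts: each candidate must be re-hashed for every account,
    so the work grows linearly with `targets`.
    """
    return space * targets / guesses_per_second


def stratfor_estimate(rate: float = 23e9, users: int = 630_000) -> dict:
    """Figures from the text: 8 random alphanumerics, 23e9 guesses/s."""
    space = keyspace(ALNUM, 8)
    return {
        "keyspace": space,  # 62**8, about 2.2e14 candidates
        "unsalted_hours": seconds_to_exhaust(space, rate) / 3600,
        "salted_years": seconds_to_exhaust(space, rate, users)
        / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    est = stratfor_estimate()
    print(f"keyspace: {est['keyspace']:,}")
    print(f"unsalted, full sweep: {est['unsalted_hours']:.1f} hours")
    print(f"salted, all users:    {est['salted_years']:.0f} years")
```

The salted figure is an upper bound for recovering every account; a salt does nothing to protect an individual user's weak password, it only stops one pass over the candidate list from testing all users at once.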

During the past half-decade, three factors have fueled a renaissance in password cracking. Password-recovery programs have gained immense computational power by offloading the intensive calculations of dictionary-based and brute-force guessing to off-the-shelf graphics processors. Users continue to use the same mnemonics to create passwords that seem secure while being easily memorized. And the insecurity of websites -- from LinkedIn to Stratfor and from RockYou to Sony -- has given researchers real-world lists of millions of hashes from which to uncover the systems that people use to create their passwords.

The result is that, at the same time that the power of cracking programs has skyrocketed, researchers are smarter at guessing the ways that users might create passwords, whittling down the lists of possible passwords. By creating better word lists and more intelligent methods of mangling real words and phrases, hackers and researchers can make an untenable computational problem much more feasible, said Olga Koksharova, spokeswoman for password-recovery firm ElcomSoft, in an e-mail interview.

"Smart guessing is relevant when passwords are not totally random but when there was used some technique to create a password," she says. "In case of totally random passwords, only brute-force attack can help and that is when speed" becomes most important.

[A Black Hat talk discusses shortcomings of the latest technical evolution of hashing passwords for safe storage in databases and proposes a competition to design something better. See Moving Away From Rash Hashing Decisions.]

Yet password crackers have garnered a speed boost as well. Using a single computer with a single graphics card, the oclHashcat-plus program, for example, can check anywhere from hundreds of thousands to tens of billions of combinations each second, depending on the hashing algorithm used to protect the entries in the password file.

"The technology used is graphics cards because they are really good at doing parallel calculations," Robert Graham, CEO of security consultancy Errata Security, said in an e-mail interview. "The current top-of-the-line video card, the Radeon 7970, can do over a billion guesses per second for several popular hashing algorithms."

Yet whether the advances in cracking pose a danger to users is another question. While some attacks rely on guessing a small number of passwords, such as attacks on WordPress and Joomla earlier this year, hackers generally do not spend the time doing offline cracking of passwords, ElcomSoft's Koksharova says. Instead, they use social engineering techniques to gain access to victims' accounts.

Still, users can take a few easy steps to get the most security out of passwords and foil any catastrophic hack. Users should not just use word combinations or phrases with some letters replaced with numbers or symbols; researchers and hackers attempt to attack those types of passwords first.

Choosing an extremely secure password is less important than most people think, Errata Security's Graham says. The most important sites, such as banks and e-mail providers, have rarely had their password files stolen, so it's typically more important for users to ensure they do not use the same password on different sites.

"For each site you really care about protecting, make sure it's unique and not shared with any other website," he says. "Otherwise, when those lesser websites get hacked and those passwords get stolen, hackers will be able to break into your important accounts."

Using a password manager may be the best approach because it produces randomized passwords while minimizing reuse. In the end, most passwords just need to defend against a few guesses per second, not a billion, according to Graham.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
Peter Fretty,
User Rank: Apprentice
11/5/2013 | 9:18:28 PM
re: User-Selected Passwords Still Getting Cracked
The need to improve passwords is one of the core components of security-based best practices. This Sophos blog post does a great job of digging deeper into exactly how big of a mess this password blunder is for Adobe user base.

Peter Fretty
TerryB,
User Rank: Ninja
10/18/2013 | 5:36:25 PM
re: User-Selected Passwords Still Getting Cracked
I think we are dealing with a fundamental law: anything which can be used with legitimate access can be used without legitimate access.
One of my favorite Dilberts has Mordac installing a new security system which tells the user to complete the logon procedure by staring directly into the sun.
MarciaNWC,
User Rank: Apprentice
10/18/2013 | 5:07:50 PM
re: User-Selected Passwords Still Getting Cracked
Important point about attackers using social engineering to gain access to accounts; that seems like the bigger threat.
OzzyM119,
User Rank: Apprentice
10/18/2013 | 4:51:02 PM
re: User-Selected Passwords Still Getting Cracked
Please see my response to David. It applies to your question as well.
OzzyM119,
User Rank: Apprentice
10/18/2013 | 4:49:06 PM
re: User-Selected Passwords Still Getting Cracked
This is mostly for "offline attacks" where you have the hashed value of a password and are looking to get the value of the actual password. If a site was using SHA-1 as their hashing algorithm and you entered in the password "S3@_M0nk3y", the hash would be "f84d76b7b7b0b62e007689720e19feff1c0ee580". If someone only has the hash, there is no way to figure out what the password is unless they try all possible passwords until they find the password that generates that hash. There are also things called "rainbow tables" that are basically a table of pre-computed hashes so you can look up the password quickly, but that's a different topic.

Edit: I forgot to add that most people use the same password on multiple sites, so if you've figured out what password someone used at a site where the password database was stolen, there's a pretty good chance that that same password will work on another site they use. I may not care if I get your password to log into your favorite car talk forum that just got hacked, but if you use that same password for your banking site, then I've got something I want.
David F. Carr,
User Rank: Apprentice
10/18/2013 | 2:17:41 PM
re: User-Selected Passwords Still Getting Cracked
Is it not effective to limit the number of login attempts any client can try before being locked out? Trying a bizillion combinations only works if the automated password cracker is allowed to keep trying new combinations. Maybe there is some simple subterfuge attackers use to prevent that kind of defense from being effective, but I don't understand what it is.
dkerber028,
User Rank: Apprentice
10/18/2013 | 1:30:27 PM
re: User-Selected Passwords Still Getting Cracked
Can someone please explain why supercomputer password cracking is relevant to the real world? It doesn't seem relevant how fast random passwords can be cracked by supercomputers, because it doesn't help the cracker know when he has the correct one so he can actually use the password for something. There's no way he can test a million tries per second against the site he's trying to break into, and any site that allows unlimited login attempts on a user ID deserves whatever bad things happen to it as a result.
OtherJimDonahue,
User Rank: Apprentice
10/17/2013 | 7:37:41 PM
re: User-Selected Passwords Still Getting Cracked
>>"Just seems to me that we need to find a better way of doing this."

Yes, please. Obviously, passwords are dead. (Or should be.)
InfoSec_Candy,
User Rank: Apprentice
10/17/2013 | 6:01:23 PM
re: User-Selected Passwords Still Getting Cracked
I'd just like to ask: WHY are we still struggling with old solutions and safeguards that a) always were a problem, b) continue to be a problem, c) will always be a problem.

Just seems to me that we need to find a better way of doing this. Are we not able to meet this challenge? I know lots of really smart people that probably can meet the challenge from a technical standpoint - but we all know that security has to be easy if we want people to use it/apply it. Somewhere out there - there is the perfect combination of increased security (removing username/passwords) and simple to use.

I think there may be a couple of companies to keep an eye out for in this area.... WWPass to name one.