Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/16/2013
06:52 PM
50%
50%

User-Selected Passwords Still Getting Cracked

Educating people about good password selection has largely failed as graphics-processor-enabled cracking crunches through billions of possibilities every second

The case against passwords has never been stronger.

While easily guessed passwords have made media headlines, today's password-cracking systems can make short work of passwords, even those created using seemingly complex mnemonic devices. Current cracking techniques, fueled by cheap parallel computation using off-the-shelf graphic processors, can guess trillions of combinations every hour.

The hashed password list stolen from global intelligence service Stratfor's website, for example, contained more than 630,000 passwords randomly generated by the site and consisting of eight alphanumeric characters. Cracking efforts took less than 24 hours to completely recover that portion of the 815,000 hashes in the stolen file, in part because the company had not added a random seed to the hashing algorithm known as "salt," says Steve Thomas, president of PwnedList, a subsidiary of InfoArmor that tracks compromised accounts.

"It has never been easier," Thomas says. "Being able to do 23 billion password possibilities every second ... when you get a dump of hashes, you can very quickly get most, or maybe even all, cracked in a number of hours."

During the past half-decade, three factors have fueled a renaissance in password cracking. While password-recovery programs have gained immense computational power by offloading the intensive calculations of dictionary-based and brute-force guessing to off-the-shelf graphics processors, users continue to use the same mnemonics to create passwords that seem secure while being easily memorized. Yet the insecurity of websites -- from LinkedIn to Stratfor and from RockYou to Sony -- has given researchers real-world lists of millions of hashes from which to uncover the systems that people use to create their passwords.

The result is that, at the same time that the power of cracking programs has skyrocketed, researchers are smarter at guessing the ways that users might create passwords, whittling down the lists of possible passwords. By creating better word lists and more intelligent methods of mangling real words and phrases, hackers and researchers can make an untenable computational problem much more feasible, said Olga Koksharova, spokeswoman for password-recovery firm ElcomSoft, in an e-mail interview.

"Smart guessing is relevant when passwords are not totally random but when there was used some technique to create a password," she says. "In case of totally random passwords, only brute-force attack can help and that is when speed" becomes most important.

[A Black Hat talk discusses shortcomings of the latest technical evolution of hashing passwords for safe storage in databases and proposes a competition to design something better. See Moving Away From Rash Hashing Decisions.]

Yet password crackers have garnered a speed boost as well. Using a single computer with a single graphics card, the oclHashcat-plus program, for example, can check anywhere from hundreds of thousands to tens of billions of combinations each second, depending on the hashing algorithm used to encrypt the entries in the password file.

"The technology is used is graphics cards because they are really good at doing parallel calculations," Robert Graham, CEO of security consultancy Errata Security, said in an e-mail interview. "The current top-of-the-line video card, the Radeon 7970, can do over a billion guesses per second for several popular hashing algorithms."

Yet whether the advances in cracking pose a danger to users is another question. While some attacks rely on guessing a small number of passwords, such as attacks on WordPress and Joomla earlier this year, hackers generally do not spend the time doing offline cracking of passwords, Elcomsoft's Koksharova says. Instead, they use social engineering techniques to gain access to victims' accounts.

Still, users can take a few easy steps to get the most security out of passwords and foil any catastrophic hack. Users should not just use word combinations or phrases with some letters replaced with numbers or symbols; researchers and hackers attempt to attack those types of passwords first.

Choosing an extremely secure password is less important than most people think, Errata Security's Graham says. The most important sites, such as banks and e-mail providers, have rarely had their password files stolen, so it's typically more important for users to ensure they do not the same password on different sites.

"For each site you really care about protecting, make sure it's unique and not shared with any other website," he says. "Otherwise, when those lesser websites get hacked and those passwords get stolen, hackers will be able to break into your important accounts."

Using a password manager may be the best approach because it produces randomized passwords while minimizing reuse. In the end, most passwords just need to defend against a few guesses per second, not a billion, according to Graham.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
InfoSec_Candy
50%
50%
InfoSec_Candy,
User Rank: Strategist
10/17/2013 | 6:01:23 PM
re: User-Selected Passwords Still Getting Cracked
I'd just like to ask; WHY are we still struggling with old solutions and safeguards that a) always were a problem b)continue to be a problem c)will always be a problem.

Just seems to me that we need to find a better way of doing this. Are we not able to meet this challenge? I know lots of really smart people that probably can meet the challenge from a technical stand point - but we all know that security has to be easy if we want people to use it/apply it. Somewhere out there - there is the perfect combination of increase security (removing username/passwords) and simple to use.

I think there may be a couple of companies to keep an eye out for in this area.... WWPass to name one.
TerryB
50%
50%
TerryB,
User Rank: Ninja
10/18/2013 | 5:36:25 PM
re: User-Selected Passwords Still Getting Cracked
I think we are dealing with a fundamental law: anything which can be used with legitmate access can be used without legitimate access.
One of my favorite Dilbert's has Mordac installing a new security system which tells user to complete logon procedure by staring directly into the sun.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
10/17/2013 | 7:37:41 PM
re: User-Selected Passwords Still Getting Cracked
>>"Just seems to me that we need to find a better way of doing this."

Yes, please. Obviously, passwords are dead. (Or should be.)
dkerber028
50%
50%
dkerber028,
User Rank: Apprentice
10/18/2013 | 1:30:27 PM
re: User-Selected Passwords Still Getting Cracked
Can someone please explain why supercomputer password cracking is relevant to the real world? It's doesn't seem relevant how fast random passwords can be cracked by supercomputers, because it doesn't help the cracker know when he has the correct one so he can actually use the password for something. There's no way he can test a million tries per second against the site he's trying to break into, and any site that allows unlimited login attempts on a user ID deserves whatever bad things happen to it as a result.
OzzyM119
50%
50%
OzzyM119,
User Rank: Apprentice
10/18/2013 | 4:51:02 PM
re: User-Selected Passwords Still Getting Cracked
Please see my response to David. It applies to your question as well.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
10/18/2013 | 2:17:41 PM
re: User-Selected Passwords Still Getting Cracked
Is it not effective to limit the number of login attempts any client can try before being locked out? Trying a bizillion combinations only works if the automated password cracker is allowed to keep trying new combinations. Maybe there is some simple subterfuge attackers use to prevent that kind of defense from being effective, but I don't understand what it is.
OzzyM119
50%
50%
OzzyM119,
User Rank: Apprentice
10/18/2013 | 4:49:06 PM
re: User-Selected Passwords Still Getting Cracked
This is mostly for "offline attacks" where you have the hashed value of a password and are looking to get the value of the actual password. If a site was using SHA-1 as their hashing algorithm and you entered in the password "[email protected]_M0nk3y", the hash would be "f84d76b7b7b0b62e007689720e19feff1c0ee580". If someone only has the hash, there is no way to figure out what the password is unless they try all possible passwords until they find the password that generates that hash. There are also things called "rainbow tables" that are basically a table of pre-computed hashes so you can look up the password quickly, but that's a different topic.

Edit: I forgot to add that most people use the same password on multiple sites, so if you've figured out what password someone used at a site where the password database was stolen, there's a pretty good chance that that same password will work on another site they use. I may not care if I get your password to log into your favorite car talk forum that just got hacked, but if you use that same password for your banking site, then I've got something I want.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
10/18/2013 | 5:07:50 PM
re: User-Selected Passwords Still Getting Cracked
Important point about attackers using social engineering to gain access to accounts; that seems like the bigger threat.
Peter Fretty
50%
50%
Peter Fretty,
User Rank: Moderator
11/5/2013 | 9:18:28 PM
re: User-Selected Passwords Still Getting Cracked
The need to improve passwords is one of the core components of security-based best practices. This Sophos blog post does a great job of digging deeper into exactly how big of a mess this password blunder is for Adobe user base.

Peter Fretty
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
CVE-2020-7222
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...