Thursday, December 6, 2012

Follow up Regarding Password Security

I'd like to follow up on my earlier post about Password Security and what companies can do to keep their users safe. Security Ledger just posted about a computer that can attempt up to 348 billion passwords per second, cracking any 8-character password in as little as 5.5 hours. I'm not talking about a supercomputer in some university lab; this machine looks like something anyone could build, meaning any person or organization with a big incentive to crack passwords could build something like this.

I can't think of a better reason to change your passwords to something long, ideally a sentence made up of many words. Such a passphrase (rather than password) would be quite difficult for even a computer such as this one to crack.

Notice in the article which hashing types can be cracked the fastest. PBKDF2, which will be available in Real Studio 2012 r2, is not specifically mentioned. However, it is almost certainly one of the "slow hash" algorithms that were tested.
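To make the "slow hash" point concrete, here is an added example (not code from this post and not Real Studio's PBKDF2 implementation) of storing and checking passwords with PBKDF2-HMAC-SHA256 in Python. The iteration count, salt length and record format are assumptions for the example; the brute-force estimate helper uses the article's 348 billion guesses per second against a 95-character printable alphabet, which lands close to the 5.5-hour figure quoted above.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the post): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user, and an iteration count high enough that
# each guess costs an attacker real time. Raise ITERATIONS as hardware improves.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 100_000
DKLEN = 32
SCHEME = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    Storing the iteration count and salt with the hash lets the server raise
    the cost later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=DKLEN)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(record: str, current_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than the current policy.

    Call this after a successful login and re-hash the (now known) password
    with the higher count, so the stored cost keeps pace with attacker hardware.
    """
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < current_iterations


def brute_force_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust every password of a given length and alphabet."""
    return (alphabet_size ** length) / guesses_per_second


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("correct horse battery stapler", record))
    # 8 printable ASCII characters at the article's rate, in hours:
    print("8-char worst case (h):", brute_force_seconds(95, 8, 348e9) / 3600)
    # A 20-character lowercase-plus-space passphrase at the same rate, in years:
    print("20-char passphrase worst case (y):",
          brute_force_seconds(27, 20, 348e9) / (3600 * 24 * 365))
```

The record format is deliberately self-describing so that `needs_rehash` can upgrade old entries over time; the two `brute_force_seconds` calls show why the post recommends a long passphrase: the 8-character space falls in hours, while the 20-character lowercase passphrase space takes far longer than any practical attack window.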


Thom McGrath said...

The makers of 1Password have some additional insight on this particular cracking system.

john said...

For my important accounts like gmail, my bank, hosting, amazon etc, if I enter an incorrect password a few times I get locked out for a while or have to enter a captcha etc. So why would I have to worry about something that can run through all possible permutations in 5 hours?
It's not going to get the chance.

Geoff Perlman said...

@ John - Because often the information in one, less important account (your Netflix account for example) can provide the hacker with information that will help them hack into your more important accounts. For example, if they can get to the answers to your password reset questions and they are similar questions and answers to those on your bank account, one account helps the hacker access the other. I believe that's what happened to that journalist that was hacked.

Thom McGrath said...

John, that works fantastically if the attack is coming through an official piece of software. But the majority of these attacks do not. The attacker starts by breaking into the database, then attacking the hashes themselves.

The goal of these attacks is generally not the source of the database. Since attackers know that most users reuse passwords, if they can find your password in a system with weak security, they've got a good chance of using it to get into your gmail (or hotmail, yahoo, etc). Once they're into your e-mail, they can start resetting passwords on all sorts of services, such as Amazon, PayPal, etc. That's where the real danger is.

So if you're storing user passwords, you have a responsibility to take extra special care of their password. Because although security experts tell users to never reuse passwords, to make passwords longer, and to use a password manager, the fact of the matter is users don't.

john said...

@Geoff and Thom

Good points. I knew I had to be missing something.
It's quite scary really.

Brent Huston said...

Keep in mind that breaking the hashes often occurs after the data is captured in an OFFLINE attack. To the person who referenced online account lockout, that is NOT the threat model here.

The attacker obtains the database or a dump of it from another attack (SQL injection, malware, etc.), then cracks those passwords offline (where account lockout does NOT apply) using either a hash calculation mechanism such as described in the referenced article or a mechanism such as a rainbow table (for unsalted, pre-generated hashes). Such attacks yield large swaths of compromised accounts. Those accounts can then be traced across the web and if the user makes the common mistake of password reuse, then the attacker (or the person they sold the data to) gains access.
This is a very common threat.
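The comment above points out that unsalted, pre-generated hashes are what a precomputed table attacks. The following added example (mine, not the commenter's or the post's) shows the defensive side of that: given a constructed dump of fast SHA-256 hashes, how many accounts a one-time table of common passwords exposes when the store is unsalted, how identical hashes reveal shared passwords, and how a per-user random salt makes the same table useless. The user list, passwords and common-password list are all constructed for the example.

```python
import hashlib
import os

# Constructed sample data (not from the post or any real breach).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "summer2012"]


def sample_users() -> dict:
    """Constructed users and the passwords they chose."""
    return {
        "alice": "password",
        "bob": "summer2012",
        "carol": "password",          # same password as alice
        "dave": "a much longer passphrase made of several words",
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_unsalted(password: str) -> dict:
    """Fast, unsalted hash: the same password always yields the same hash."""
    return {"hash": sha256_hex(password.encode("utf-8"))}


def store_salted(password: str) -> dict:
    """Per-user random salt: equal passwords no longer yield equal hashes."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": sha256_hex(salt + password.encode("utf-8"))}


def precomputed_table(candidates) -> dict:
    """hash -> password, computed once and reusable against any unsalted dump.

    This is the 'pre-generated' table the comment refers to, reduced to a toy
    list; the point is that the work is done before any dump is obtained.
    """
    return {sha256_hex(p.encode("utf-8")): p for p in candidates}


def exposed_by_table(records: dict, table: dict) -> dict:
    """Accounts whose stored hash appears directly in the precomputed table."""
    return {user: table[r["hash"]] for user, r in records.items() if r["hash"] in table}


def duplicate_password_groups(records: dict) -> list:
    """Groups of users sharing a stored hash; in an unsalted store this means
    a shared password, so one recovered value unlocks every user in the group."""
    groups = {}
    for user, r in records.items():
        groups.setdefault(r["hash"], []).append(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    users = sample_users()
    table = precomputed_table(COMMON_PASSWORDS)
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    print("unsalted, exposed by table:", exposed_by_table(unsalted, table))
    print("unsalted, shared passwords:", duplicate_password_groups(unsalted))
    print("salted, exposed by table:", exposed_by_table(salted, table))
    print("salted, shared passwords:", duplicate_password_groups(salted))
```

With the unsalted store, three of the four constructed accounts fall to a table built before the dump existed and the alice/carol pair is visible without any guessing at all; with the salted store the same table matches nothing and the attacker is forced to recompute every candidate once per user and per salt. Salting removes the reuse of precomputation; a slow hash such as PBKDF2 is what then makes each of those per-user computations expensive.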