
Why passwords have never been weaker - and crackers have never been stronger

Thanks to real-world data, the keys to your digital kingdom are under assault. By Dan Goodin, IT Security Editor at Ars Technica, Aug 20 2012, 9:00pm EDT.



Presentation Transcript


  1. Why passwords have never been weaker - and crackers have never been stronger Thanks to real-world data, the keys to your digital kingdom are under assault. by Dan Goodin, IT Security Editor at Ars Technica Aug 20 2012, 9:00pm EDT

  2. State of the “art” • In the past 5 years, the art of password cracking has advanced further than it did in the previous several decades combined. • At the same time, the dangerous practice of password reuse has surged. • The result: security provided by the average password in 2012 has never been weaker.

  3. The Gawker Breach • In December 2010, anonymous hackers penetrated various Gawker web servers and exposed cryptographically protected passwords for 1.3 million of its users – and then bragged about it online. • Within hours, botnets had cracked the passwords and were using them to log in to Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include LinkedIn, Amazon, and Yahoo. • Even though these sites had not been breached, they recognized that a security breach outside their systems can still create a vulnerability within their networks. Why?

  4. Password reuse • According to a landmark study conducted by Microsoft Research in 2007, the average Web user maintains 25 separate online accounts but uses just 6.5 passwords to protect them. • As the Gawker breach demonstrated, password reuse means that once hackers have login credentials from one site, they can compromise dozens of other accounts as well.

  5. Hash Values • Like many password breaches, almost none of the Gawker credentials contained human-readable or plaintext passcodes. • They had been converted into "hash values" by passing them through a one-way cryptographic function that creates a unique sequence of characters for each plaintext input. • When using a hash algorithm, even minor changes to the plaintext result in very different hash values. • For example, using the SHA1 algorithm, the plaintext passcodes "password", "password1", and "Password" result in "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", "e38ad214943daad1d64c102faec29de4afe9da3d", and "8be3c943b1609fffbfc51aad666d0a04adf83c9d" respectively.

  6. Cracking the hash • In theory, once a string has been converted into a hash value, it's impossible to revert it back to plaintext using cryptographic means. • Password cracking, then, is the practice of running plaintext “guesses” through the same cryptographic function that was used to generate the hash. • When the two hash values match, the plaintext guess has been identified as the password.

  7. GPUs • Newer hardware and modern techniques have helped to contribute to the rise in password cracking. Graphics processors - or GPUs - allow password-cracking programs to work thousands of times faster than they did just a decade ago on PCs that used traditional CPUs alone. • For example, a PC running a single AMD Radeon HD7970 GPU can try on average 8.2 billion password combinations each second, depending on the algorithm used to scramble them. • PCs equipped with multiple GPUs can achieve speeds two, three, or more times faster. • Plus, hackers running these machines often work in tandem in online forums to crack lists of 100,000 or more passwords in just hours.

  8. Leaked Passwords • Most importantly, a series of leaks over the past few years of more than 100 million plaintext passwords have provided crackers with important new insights about how people choose passwords. • The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate. • The single most important contribution to cracking knowledge came in late 2009, when an attack against the online gaming service RockYou.com exposed 32 million plaintext member passwords, which came to 14.3 million once duplicates were removed. The passcodes were posted online, and almost overnight changed the way hackers cracked passwords.

  9. RockYou like a hurricane • After the RockYou breach, everything changed. • Gone were lists compiled from Webster’s and other dictionaries, which had been used in hopes of mimicking the words that people actually used to access their e-mail and other online services. • In their place were a collection of letters, numbers, and symbols - including everything from pet names to cartoon characters - that could be used for future password attacks. • The RockYou attack was the start of a much larger cracking phenomenon. It put 14 million of the most common passwords into the public domain, allowing hackers to crack the weakest cryptographically protected passwords. • Cracking the weak passwords first made it possible to devote more resources to cracking the stronger ones.

  10. What did they learn? • For most people, the goal in choosing a password is to make it easy to remember and hard for others to guess. The RockYou breach and others since then have revealed to the cracking community how people often construct a passcode: • Nearly all capital letters come at the beginning of a password, and almost all numbers and punctuation show up at the end. • There is a strong tendency to use first names followed by years, such as Julia1984 or Christopher1965. • Numbers or non-alphanumeric characters such as "!!!" are added to words, usually at the end but sometimes at the beginning. • A technique known as "mangling" transforms words such as "super" or "princess" into "sup34" and "prince$$". • A mirror image of the chosen word is appended, so "book" becomes "bookkoob" and "password" becomes "passworddrowssap".

  11. Better cracking • This knowledge has led to better cracking. Prior to the RockYou breach, using brute-force techniques to crack the password Julia1984 would require trying up to 62^9 possible combinations, everything between aaaaa0000 and ZZZZZ9999. This "keyspace" is calculated by adding the number of possible letters (52) to the number of digits (10) and raising the sum to the power of nine (the maximum number of password characters the cracker is targeting). It would take about 19 days to cycle through all the possibilities. • By understanding the patterns learned from RockYou, hackers can now significantly reduce cracking time by intelligently limiting guesses to those most likely to match a pattern. • Rather than trying all 62^9 combinations, a cracking algorithm can now try a lower- or upper-case letter only for the first character, and only lower-case letters for the next four characters. It then appends all possible four-digit numbers to the end. The result is a drastically reduced keyspace of about 237.6 billion possible combinations (52 * 26 * 26 * 26 * 26 * 10 * 10 * 10 * 10). Using this "mask attack", the same password Julia1984 can be recovered in about 90 seconds.

  12. Over 100 million exposed • Within days after the Gawker breach, a large percentage of those password hashes had already been converted to plaintext, giving crackers an even larger group of real-world passcodes to use in future attacks. • That collective body of plaintext passwords has only snowballed since then, and it grows ever larger with each passing breach. • Just six days after the leak of 6.5 million LinkedIn password hashes in June 2012, more than 90% of them had been cracked. • In the past year alone, more than 100 million passwords have been published online, either in plaintext or in ciphertext that can be readily cracked. • What can be done?

  13. A little salt goes a long way • A technique known as salting can significantly increase the work required to crack passwords. It appends several unique characters to each account password before running it through a cryptographic function. • The salt must be saved for each user and is usually stored beside the user name and password hash, so that the information is available during each user login. • Even if two users choose the same password, the salt makes each stored hash unique, so each hash has to be cracked separately. • However, despite the benefit of salting and the relative ease of implementing it, a surprising number of websites - including LinkedIn, Yahoo and eHarmony - did not use it when they were recently breached.

  14. Secure hashing • A large percentage of the sites that fall prey to password breaches use algorithms that were never designed to protect passwords. That's because SHA1, DES, and MD5 were designed to convert plaintext into hashes extremely quickly using minimal computing resources - which is exactly what people running password cracking programs want most! • For example, SHA1 uses a single cryptographic iteration to convert plaintext. • By contrast, algorithms like SHA512crypt, bcrypt and PBKDF2 are engineered to require significantly more time and computation to convert plaintext into hashes. • Of course, these functions require increased server processing. But the benefit in improved security largely outweighs the investment. • For example, according to an independent security researcher, if the LinkedIn engineers had used bcrypt, it would have taken literally centuries to finish cracking all of the passcodes.
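To make slides 13 and 14 concrete, here is an added example (not code from the article or from any of the sites it names) that stores a password the way the slides recommend: a fresh random salt per user, a deliberately slow PBKDF2-HMAC derivation, and a constant-time comparison at login. It sits beside the single-pass, unsalted SHA1 scheme the slides warn about, so the two properties that matter (identical passwords no longer collide, and each guess costs far more) can be checked directly. The iteration count is an assumed illustrative value.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed illustrative value for this
# example; tune it to your own hardware budget in production.
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The fast, unsalted scheme the slides criticise: one SHA1 pass, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, iterated storage: a random 16-byte salt per user, kept next to
    the hash (as the slides describe) so it is available at every login."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_collides(scheme: Callable[[str], str], password: str) -> bool:
    """Do two users who pick the same password end up with identical stored values?
    True for unsalted SHA1, False once a per-user salt is involved."""
    return scheme(password) == scheme(password)


def time_one(fn: Callable, *args, rounds: int = 10) -> float:
    """Average wall-clock seconds per call: the cost gap a cracker must pay per guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds
```

Running `time_one(make_record, "x")` against `time_one(unsalted_sha1, "x")` on any machine shows the per-guess slowdown that turns the LinkedIn-style cracking run described on the slide from days into a much longer effort.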

  15. The exponential wall • The RockYou dump demonstrated that the typical person is notoriously sloppy when choosing a passcode. A full 70 percent of RockYou passwords contained eight characters or fewer. Plus only 14 million of the 32 million total were unique, showing that a large percentage of passwords are duplicates. • Even powerful computers have trouble cracking longer passwords using brute force. • It takes a matter of hours for a desktop computer to brute-force crack any five character password. • Increasing the password length by just one character requires about a day. • Bumping the length by one more character, though, dramatically increases the cracking time to more than 10 days. This limitation has been referred to as the "exponential wall of brute-force cracking."
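The keyspace arithmetic behind slide 11's mask attack and slide 15's exponential wall, as an added example (not code from the article): it reproduces the 62^9 and 52 * 26^4 * 10^4 figures, converts a keyspace into exhaust time at a given guess rate (the slide's 8.2 billion per second), and generalises to any length so the jump per added character is visible. The mask tokens (a, l, u, d) are this example's own shorthand, not a real tool's syntax.

```python
# Character classes behind the slides' arithmetic. Constructed shorthand for
# this example only: a = any letter (52), l = lower (26), u = upper (26), d = digit (10).
CLASS_SIZES = {"a": 52, "l": 26, "u": 26, "d": 10}

# Guess rate quoted on slide 7 for a single GPU (guesses per second).
SLIDE_RATE = 8.2e9


def mask_keyspace(mask: str) -> int:
    """Candidates described by a per-position mask, e.g. 'alllldddd' for Julia1984:
    one letter of either case, four lower-case letters, four digits."""
    total = 1
    for token in mask:
        if token not in CLASS_SIZES:
            raise ValueError(f"unknown class {token!r}")
        total *= CLASS_SIZES[token]
    return total


def brute_keyspace(length: int, alphabet_size: int = 62) -> int:
    """Exhaustive keyspace for every string of exactly `length` characters
    over letters and digits (52 + 10 = 62 symbols)."""
    return alphabet_size ** length


def days_to_exhaust(keyspace: int, rate_per_second: float = SLIDE_RATE) -> float:
    """Wall-clock days to try the whole keyspace at a fixed guess rate."""
    return keyspace / rate_per_second / 86400


def exponential_wall(lengths, rate_per_second: float = SLIDE_RATE,
                     alphabet_size: int = 62) -> dict:
    """Days per length: each extra character multiplies the cost by alphabet_size,
    which is the 'exponential wall' of brute-force cracking."""
    return {n: days_to_exhaust(brute_keyspace(n, alphabet_size), rate_per_second)
            for n in lengths}


def speedup_from_mask(mask: str) -> float:
    """How many times smaller the mask keyspace is than exhaustive search of the
    same length, i.e. the gain from the RockYou-derived pattern."""
    return brute_keyspace(len(mask)) / mask_keyspace(mask)
```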

  16. This graphic demonstrates the exponential wall of brute-force cracks, which work well against shorter passwords. The technique can take days or months for longer passcodes, even when using Amazon's cloud-based EC2 service.

  17. Good password hygiene • The most important attribute of any passcode is that it be unique to each site. • It should be randomly generated by a computer, and have a minimum of nine characters to make brute-force cracks infeasible. • Use a program such as 1Password or PasswordSafe, which allow users to create long, randomly generated passwords and to store them securely behind a single master password. • Passwords should be changed at least once every six months, and more often for your most sensitive accounts. • When signing in to websites, use a login URL that begins with "https".
