Crackers getting stronger, passwords still weak

Every few months, it seems, another major website gets hacked. User databases are compromised, releasing millions of passwords into the darker corners of the Internet. Sometimes those passwords are stored in plain text, but even when they’re hashed, it doesn’t take crackers long to work their way back to the originals. Ars Technica has published a fascinating article on the strength of modern crackers and the relative weakness of the passwords they’re trying to recover. It turns out the growing compute horsepower of modern graphics cards is making passwords much easier to uncover with brute-force attacks.

Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.

As the article points out, brute force alone isn’t enough for longer passwords. Even with the power of a thousand GPUs, it would take about 10 days to bust an eight-character password. Add another character and the search space grows by a factor equal to the size of the character set (95 for printable ASCII), so the time required grows exponentially with length.

Crackers aren’t limited to brute force, though. They have massive word lists built not only from dictionaries but also from the roughly 100 million real user passwords that have reportedly been leaked online, and cracking programs apply mangling rules to those lists (capitalizing, appending digits, swapping letters for look-alike symbols) to cover the variations people actually use. Precomputed "rainbow tables" trade computation for disk space, letting an unsalted hash be reversed with far less storage than a full lookup table would need.
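
The wordlist-plus-rules approach described above, as an added example that is not part of the original article or the Ars piece: a six-word wordlist and a handful of mangling rules stand in for a real dump and a real rule set, the "leaked" MD5 hashes are constructed for the example, and the `mangle`, `candidates` and `crack` functions are assumed names, not any cracker’s API. The point it shows is that unsalted hashes let every guess be tested against every target at once, and that a few dozen rules recover "P@$$w0rd1"-style passwords in well under 200 guesses while the random one survives.

```python
import hashlib

# Constructed wordlist standing in for a dictionary plus a leaked-password
# dump. Real attacks use tens of millions of entries; six suffice to show
# how the rules multiply each word into the variants people actually pick.
WORDLIST = ["password", "letmein", "dragon", "cheese", "techreport", "monkey"]

# A typical "leet" substitution table, applied to lowercase letters only.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "!", "123", "2012", "!1"]


def digest(text, algo="md5"):
    """Unsalted hex digest, the form many leaked databases used."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def mangle(word):
    """Yield the variants that simple cracking rules derive from one word:
    case changes, leet substitution, and a handful of common suffixes."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def candidates(wordlist):
    """All distinct guesses produced from a wordlist, in rule order."""
    seen = set()
    for word in wordlist:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(hashes, wordlist, algo="md5"):
    """Return ({hash: plaintext} for every target recovered, guesses made).
    Because the hashes are unsalted, each candidate is hashed once and
    checked against every target at the same time."""
    targets = set(hashes)
    found = {}
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        h = digest(cand, algo)
        if h in targets:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found, guesses


# Constructed "leaked" hashes: three rule-derived passwords and one random one.
LEAKED = [digest(p) for p in ("P@$$w0rd1", "Cheese123", "letmein!", "xk7Qv2!pLm")]

if __name__ == "__main__":
    found, guesses = crack(LEAKED, WORDLIST)
    for h in LEAKED:
        print(h, "->", found.get(h, "<not cracked>"))
    print("%d of %d recovered after %d guesses" % (len(found), len(LEAKED), guesses))
```

Running it recovers three of the four hashes after exhausting the 180 candidates the rules generate; the random password is untouched, which is the whole argument for random passwords and a password manager made later in the thread. Real rule sets are far larger, and a real dump is hashed with whatever the site used, but the shape of the attack is the same.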

Websites can make life difficult for crackers by "salting" stored passwords (combining each password with a unique random value before hashing, so that identical passwords produce different hashes and precomputed tables are useless) and by using deliberately slow, iterated hashing algorithms such as bcrypt, or a standard hash run for tens of thousands of rounds, which cut the number of guesses an attacker can test per second by orders of magnitude. If crackers are using faster hardware, the hashing side of things needs to keep up. Really, though, it’s up to users to employ strong passwords.
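
Salted, iterated hashing next to the unsalted fast hash it replaces, as an added example that is not part of the original article: it uses Python’s standard `hashlib.pbkdf2_hmac` (HMAC-SHA-256 iterated 100,000 times) rather than bcrypt, the record format `pbkdf2_sha256$iterations$salt$hash` and the function names are assumptions for this example, and the "two users with the same password" input is constructed. The `seconds_to_exhaust` helper applies the article’s 8.2 billion guesses per second figure to show what the work factor buys.

```python
import hashlib
import hmac
import os

# Work factor: 100,000 rounds of HMAC-SHA-256, the "SHA-256 iterated
# 100,000 times" approach. Raise it as hardware gets faster; the stored
# record carries the count, so older records still verify.
ITERATIONS = 100_000


def unsalted_sha256(password):
    """What many sites did: one fast hash, no salt. Equal passwords give
    equal hashes, and one precomputed table reverses every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh 16-byte random salt makes each record unique; it is stored
    alongside the hash and is not a secret."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute with the stored salt and count; compare in constant time so
    response timing does not leak how many leading bytes matched."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Time to try every password of a given length: each extra character
    multiplies the search space by the alphabet size."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    p = "correct horse"
    print(unsalted_sha256(p) == unsalted_sha256(p))   # True: identical records
    a, b = hash_password(p), hash_password(p)
    print(a != b, verify_password(p, a), verify_password("wrong", a))  # True True False
    fast = 8.2e9                 # single-GPU rate the article quotes for a fast hash
    slow = fast / ITERATIONS     # rough model of what 100,000 iterations leave
    for n in (8, 9, 10):
        print(n, "chars: %.1f days fast, %.0f years slow" % (
            seconds_to_exhaust(n, 95, fast) / 86400,
            seconds_to_exhaust(n, 95, slow) / (365 * 86400)))
```

With the article’s numbers, all 95^8 printable-ASCII passwords fall to a single fast-hash GPU in about 9.4 days; dividing that rate by the iteration count (a crude model, since the attacker’s per-guess cost is what matters) stretches the same search to roughly 2,500 years, and each extra character multiplies both figures by 95. The salt does nothing for a single weak password that is in the attacker’s wordlist, but it forces every account to be attacked separately instead of all at once.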

Comments closed
    • pogsnet
    • 7 years ago
    • Krogoth
    • 7 years ago

    The problem only affects users with weak passwords and falling for social engineering/phishing schemes.

    Brute forcing isn’t usually worth it for crackers, unless they want something badly from the victim in question.

      • pedro
      • 7 years ago

      They cracked 90% of the LinkedIn DB in 5 days. Doesn’t matter if your password is strong, they’ll still get it. One of the crackers mentioned that they’ll normally stop at 90 or 95% of passwords tho’ so perhaps the best advice is to aim for the 5th percentile.

    • glacius555
    • 7 years ago

    I use two not so popular foreign languages and add slang in my passwords. Depending on my mood, it is a sentence somewhere between 20 to 40 characters.

    They can crack it all they want, I doubt they’ll succeed until the next Big Bang.

    • blastdoor
    • 7 years ago

    Yet another example of how the Internet is not remotely ready for prime time, and yet we are heavily dependent on it. How did we manage to build a system in which ordinary, non-Rainman people have to remember a large number of complex passwords in order to avoid having their identity stolen? Imagine if you had to lock your car with a combination lock, and the combination had to be different for every store you visited, and if you didn’t do it and were robbed, everyone would blame *you* and not the thief? It’s nuts.

    Another great example is how something like 99% of all e-mails sent are spam.

    But hey, it’s “open”, so whoopie — yay freedom.

      • Krogoth
      • 7 years ago

      You know that locks can be broken and picked.

      It is a matter of risk versus reward for the thief in question.

      The Internet reduces some of the risk because it has more attack vectors (most don’t involve direct physical access). The only problem is that there’s so much noise that it is hard for the attackers to find something that is worthwhile to go after. The obvious targets have intrusion detection systems designed to log, audit and keep track of any connection. It makes it tricky to crack into the system without leaving “digital” footprints behind.

      • Anomymous Gerbil
      • 7 years ago

      Brilliant analysis. What alternatives do you offer?

      If you don’t like using a system where you “have to remember a large number of complex passwords…”, then you’re free to stick to the non-internet world.

        • blastdoor
        • 7 years ago

        Thank you doctor Pangloss.

    • ShadowTiger
    • 7 years ago

    I have to say that this article is very disappointing. I realize that TR often reposts another article and then provides summary and commentary, but usually its meaningful.

    You basically just gave us a very generic overview of the state of passwords from the last 15-20 years and failed to address the most important aspects of password security.

    The length of the password alone, regardless of characters used, adds lots of security; for example, “ILikeCheese” is a better password than random letters and symbols because you won’t forget it and it’s secure “enough.”

    Using strong passwords is not nearly as important as using memorable passwords. Recently it was uncovered that using social engineering you could gain access to peoples accounts because people often forget both their password and the answer to security questions.

    If forgetfulness wasn’t such a big problem, and sites used a rainbow table to block commonly used passwords from being used in the first place, then those 2 things alone would solve many account breaches.

    In addition, it’s really up to the website storing your data to secure it properly; otherwise no amount of effort spent on designing a good password will help. There are still websites storing passwords in plain text, which should be illegal IMO.

      • Deanjo
      • 7 years ago

      Ya, pass phrases are usually good enough for users (although I would recommend a longer one than you provided, such as “Sweat Shop King loves Macs and iEverything because Win 8 Metro sucks monkey b****!”); for administration, however, I would still prefer a stronger type of password.

    • ALiLPinkMonster
    • 7 years ago

    Yeah, I should probably go through and re-do all my passwords. They’re all too simple and similar.

    • demani
    • 7 years ago

    So how are the forum/posting passwords on Techreport protected?

      • blastdoor
      • 7 years ago

      In the form of several thousand post-it notes on Damage’s monitor.

        • Deanjo
        • 7 years ago

        That’s why I always love his hi-res pictures of Damage Labs.

        • bean7
        • 7 years ago

        So that explains why he uses those 30″ monsters – he needs the space!

    • squeeb
    • 7 years ago

    Different passwords for every login + keepass + 2factor when available = sleep easy at night.

    • Grigory
    • 7 years ago

    “Crackers getting stronger, passwords still weak”

    I am absolutely SHOCKED at this racist headline! This is despicable!

      • ALiLPinkMonster
      • 7 years ago

      I took it the other way. All I could think of was breaking a tooth while biting into a Ritz.

    • Ryhadar
    • 7 years ago

    My passwords are all slightly different, but I think it’s enough to make them unique and stop crackers from using my password against my other accounts. I’d like some input on the way I build my passwords from someone who’s more knowledgeable though.

    My passwords are usually constructed as follows:
    [something that sticks out about the account] + [one of my strong base passwords]

    Example:

    Techreport account:

    pctechreportC00l+bAsEp@ssword!?

    Is this an effective tactic?

    (Spoiler: Not my actual password, guys. Nice try.)

      • Firestarter
      • 7 years ago

      “I'd like some input on the way I build my passwords from someone who's more knowledgeable though.”

      Don't. When you 'build' a password, you are using familiar terms and words, probably with some relevance to the account that you use the password for. If I were to find one of your passwords (database got jacked with your plain text password in it, happens more often than you'd like), then I'd have a good pointer on what your other (more valuable) passwords might be. If I were determined to hack your Battle.net account for example because you might have valuable items, I could program whatever tool I use to bruteforce your passwords to try everything related to Battle.net first, so that it looks like the password I already got from you. In other words, because you made that password yourself, as a human, it is very likely flawed. If it's easy enough for you to remember, it is probably a lot easier to crack than you think. Use a program like Keepass to generate truly random passwords and store them. Use a long and random passphrase to encrypt the password database.

        • Ryhadar
        • 7 years ago

        Thanks for the feedback.

        Also, I should have mentioned that for very serious things (banking, etc) I do use keepass to auto generate passwords. Great program, that I highly recommend everyone use.

      • cynan
      • 7 years ago

      You don’t seriously keep track of 30 odd character passwords for sites like TR do you? Does TR even allow passwords that are that long?

        • Firestarter
        • 7 years ago

        My TR password is 20 characters long and looks like this: 9cVu9ANDSI7WYcug9jEa

          • cynan
          • 7 years ago

          Impressive. I’ve got some socks to pull up then. At least mine’s not “password” or “123456”

          Can you actually memorize a list of passwords that look like that?

            • destroy.all.monsters
            • 7 years ago

            I can’t at all remember those. For MMOs (not the actual account but game passwords) I use something I can remember. For everything else I suggest using Keepass or LastPass.

            • Firestarter
            • 7 years ago

            Keepass.

            • gigafinger
            • 7 years ago

            “So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!” – Dark Helmet

    • Deanjo
    • 7 years ago

    Banning a connection with a timeout after so many authentication failures weeds out brute force attacks very easily.

      • Spotpuff
      • 7 years ago

      This. Computers get faster but a 5s delay per failed login attempt seems trivial to users but is an immense amount of time for computers.

      I guess the problem then is if the hackers get ahold of the actual stored hashed passwords. Then connection delays are irrelevant.

      • Firestarter
      • 7 years ago

      Right up until your database gets downloaded through an SQL injection attack.

        • Deanjo
        • 7 years ago

        Different can of worms entirely.

          • Firestarter
          • 7 years ago

          Well, no. Seeing as how we are discussing password strength here, mostly I’m assuming of our personal passwords, I think it’s important to know that just having a rate limited authentication (tried 3 times? Wait 5 minutes) does not make it any less important that you use separate and strong passwords. That site that you can’t bruteforce directly might have had its database leaked without you or the site’s admins knowing. So if you have to make a password for such a site, that does not mean that you can slack off and use an easy one.

          And from the perspective of an admin, it’s only another layer of defense. It’s good to have, but you cannot depend on it.

            • Deanjo
            • 7 years ago

            I never said it wasn’t important to have a strong password, nor did I say it is the only solution needed. That is important, but even with a weak password in place, limiting the number of invalid attempts with a timeout does nullify the use of a GPU-assisted brute force attack. Personally, even 5 minutes of timeout is too short IMHO (I usually go an hour at a time, with repeated failures resulting in longer blocks). Brute force password attacks, however, are the easiest to thwart, especially when you administer a strong password policy for your users to begin with.

            • Washer
            • 7 years ago

            You’re preventing the vector of attack being your login mechanism. If the attacker has your database you’re still at risk of a GPU assisted brute force attack cracking your hashed passwords.

            • Deanjo
            • 7 years ago

            Yes if they have your dbase then that is a different story. The root of that problem however lies more with poor administration in the first place. It “shouldn’t” even get to that point.

            • Anomymous Gerbil
            • 7 years ago

            Irrelevant. It *does* get to that point, far too often. Hence whilst password-try timeouts are a nice-to-have layer of defence, it’s far from being enough.

            • BobbinThreadbare
            • 7 years ago

            I wish the timeout things were smarter so if you guess the exact same password as a previous guess it doesn’t count against you.

            I’ve been locked out typing in the same misspelling 3 times because I’m bad at typing.
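
The lockout scheme the thread keeps circling back to (Deanjo’s escalating timeouts, Spotpuff’s per-attempt delay, and BobbinThreadbare’s wish that retyping the same wrong password not count), as an added example that is not code from any commenter or from Tech Report: the class, its rule set (three free strikes, then lockouts starting at five minutes and doubling) and the injectable clock are assumptions for this example, and the one-account walkthrough in `demo()` uses a constructed user and password.

```python
import hashlib
import time


class LoginThrottle:
    """Per-account throttle for an online login endpoint.

    Rules (assumed for this example, not from any particular product):
      * the first MAX_FREE failures are only rejected;
      * every failure after that locks the account, and each successive
        lockout doubles in length from BASE_LOCKOUT seconds;
      * repeating exactly the previous wrong password is rejected but not
        counted, so a mistyped password entered three times costs one strike;
      * a successful login clears the record.
    """
    MAX_FREE = 3
    BASE_LOCKOUT = 300.0  # five minutes

    def __init__(self, check_password, clock=time.time):
        self._check = check_password   # callable(user, password) -> bool
        self._clock = clock            # injectable for deterministic tests
        self._state = {}               # user -> {"failures", "locked_until", "last_fp"}

    @staticmethod
    def _fingerprint(password):
        # Only a hash of the failed guess is kept, in memory, until the next
        # distinct failure or a successful login. Failed guesses are often
        # close to the real password, so never log or persist them.
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def lockout_for(self, failures):
        """Seconds of lockout applied after the given failure count."""
        if failures <= self.MAX_FREE:
            return 0.0
        return self.BASE_LOCKOUT * 2 ** (failures - self.MAX_FREE - 1)

    def attempt(self, user, password):
        now = self._clock()
        st = self._state.setdefault(
            user, {"failures": 0, "locked_until": 0.0, "last_fp": None})
        if now < st["locked_until"]:
            return "locked"          # not even checked: no oracle while locked
        if self._check(user, password):
            self._state.pop(user, None)
            return "ok"
        fp = self._fingerprint(password)
        if fp == st["last_fp"]:
            return "rejected"        # same wrong guess again: no extra strike
        st["last_fp"] = fp
        st["failures"] += 1
        lockout = self.lockout_for(st["failures"])
        if lockout:
            st["locked_until"] = now + lockout
            return "locked"
        return "rejected"


class FakeClock:
    """Manual clock so the lockout timing can be checked without sleeping."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk one constructed account through strikes, lockout and recovery;
    returns the list of outcomes in order."""
    users = {"alice": "correct horse battery staple"}  # constructed sample
    clock = FakeClock()
    throttle = LoginThrottle(lambda u, p: users.get(u) == p, clock)
    outcomes = []
    for pw in ["wrong1", "wrong1", "wrong2", "wrong3", "wrong4"]:
        outcomes.append(throttle.attempt("alice", pw))        # 4 strikes -> locked
    outcomes.append(throttle.attempt("alice", users["alice"]))  # locked: still refused
    clock.advance(LoginThrottle.BASE_LOCKOUT + 1)
    outcomes.append(throttle.attempt("alice", users["alice"]))  # ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two caveats that the thread itself raises apply to any version of this: it only slows guessing through the login form, so a leaked password database bypasses it entirely and the stored hashes still have to be salted and slow; and a per-account lockout lets anyone who knows a username lock its owner out, so deployments usually pair it with per-source limits and alerting rather than relying on it alone.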

    • gigafinger
    • 7 years ago

    So how soon before there’s a national registry for high-end graphic card owners?

      • Grigory
      • 7 years ago

      Don’t give the control freaks any ideas, please!

        • Jive
        • 7 years ago

        Edit: Whoops, not meant to be in reply to post #47

        After Google Mail notified me that my account (16 character sentence password, all lower case, all text) was accessed by some jerk from Romania, I redid all of my passwords on my most important accounts. I button mashed my keyboard until I came up with something i thought was pretty damn hard to hack. It now includes a completely random assortment of upper and lower case letters, numbers and symbols. For example: e7*b3_9!H5Wx4@78d

        Hopefully that’ll take a while to crack, that is until quantum computing comes along.

      • kvndoom
      • 7 years ago

      If there was ever a justifiable reason to bring back S3, this is it! 😀

    • Firestarter
    • 7 years ago

    Use 2-factor authentication if at all possible! Gmail SMS codes, Battle.net authenticator (app), etc, it will help protect your accounts when the password gets cracked some way or another!

    • jacquestrapp
    • 7 years ago

    I’ve started using sentences for passwords (passphrase is a better word, it encourages people to use an actual phrase), they’re much easier to remember (which I expected), but unexpectedly, they’re also faster and easier to type, even if they’re 3x the number of characters as a “strong” password. I’m guessing it’s because my brain and fingers are wired to type in a language and not in random strings of characters. Anyway, if you’ve been putting off switching to a passphrase because you don’t want to type 30 character passwords every day, give it a try anyway.

      • Wirko
      • 7 years ago

      Yes, the idea is old but still little known today.

      http://news.netcraft.com/archives/2004/10/21/microsoft_blogger_replace_windows_passwords_with_passphrases.html

    • absinthexl
    • 7 years ago

    bCrypt reduces a typical cracking platform from 10-33 million to 10-20 guesses per second, making all but the most common passwords impossible to crack. Even a more common algorithm like SHA-256 iterated 100,000 times will reduce it to similar levels.

    Blame management or development at a company (your choice) for not putting in a small amount of time into researching security at the early stages of a project – or changing them later on. The up-front and continuing costs of using slow hashing algorithms are nearly nothing.

      • Firestarter
      • 7 years ago

      This. Increasing the cost of computing a single hash by just doing that hash a ton of iterations is a pretty effective way to thwart this attack vector.

    • superjawes
    • 7 years ago

    So basically you’re saying… http://www.xkcd.com/936/

      • superjawes
      • 7 years ago

      The other thing you can do to survive with a weaker password is to change it often. It does take time to brute-force guess anything, so if a password can be easily changed (and remembered) you basically reset all of their work.

      • indeego
      • 7 years ago

      Nope. The comic is missing the lack-of-hashing issue, which *keeps happening*. Your password security don't mean jack shiznizzle if it ain't hashed. Also this password policy doesn't help you with the hundreds of sites you likely have passwords on, all of which should ideally be different and unique. Even usernames should be unique, because that is one portion of the puzzle. For that you'd need a password management application, like keepass or lastpass. Finally, if using keepass or lastpass, why not just let them pick the most complex passwords for you, since you can use the near maximum complexity allowed, and it manages them far better than your brain does?

        • derFunkenstein
        • 7 years ago

        Because then Lastpass gets hacked and all your shit is fucked.

          • dmjifn
          • 7 years ago

          … which inspired me to prank my friend and tell him Lastpass had been hacked. So I went to google up an authoritative-sounding url – just to help give him a minor heart attack before he uncovered my ruse – and it turns out they probably were already (http://news.cnet.com/8301-1009_3-20060464-83.html).

          • absinthexl
          • 7 years ago

          Lastpass is smart enough to salt and hash. A seven-word passphrase with at least one uncommon word should be good to at least 2050, even with offline attacks.

        • superjawes
        • 7 years ago

          So are you saying… http://www.xkcd.com/386/ ?

          • indeego
          • 7 years ago

          So are you saying you communicate through a webcomic? Have any PA comics for me, those are freaking HEELARIOUS!

    • Srsly_Bro
    • 7 years ago

    I guess I’ve been working out a bit, I must say….

      • Mourmain
      • 7 years ago

      “Too many puny passwords in other team.”

    • MadManOriginal
    • 7 years ago

    My worry about website hacks is that there’s some old user account which I don’t keep up with somewhere and don’t even remember I have that gets hacked. I never use the same exact password twice and vary them much more now but for accounts I don’t even know I have any more *shrug*

      • CasbahBoy
      • 7 years ago

      You’re already in good shape if you use different *enough* passwords for every single account. The single point of failure is your e-mail account password[s] - make sure you use an entirely unique, 12+ character long, nonsensical (as in gibberish words, nothing dictionary) string that is interspersed with special characters...and you'll be about as safe as you can reasonably be.

        • Firestarter
        • 7 years ago

        I accidentally downvoted you, didn’t mean to do that!

          • superjawes
          • 7 years ago

          YOU JERK!

          Good thing I’m here to erase your downvote 😛

            • Firestarter
            • 7 years ago

            upboat to you! 😀

          • CasbahBoy
          • 7 years ago

          [vader]NOOOOOOOOOO![/vader]

      • dmjifn
      • 7 years ago

      Me too. I started using KeePass just for the ability to easily use complex passwords.
      But I’ve found its use as a database of websites/apps where I have accounts to be just as nice.
      Recommended!

        • Firestarter
        • 7 years ago

        Highly recommended! You can trade some security for convenience if you keep your Keepass file on Dropbox or something similar. Don’t worry about Dropbox being hacked, assume it already has been. Instead worry about whether you used a strong enough passphrase on the database and set the iterations so that your computer needs at least a second to compute the hash.

    • yogibbear
    • 7 years ago

    I read this article… saw the “Sup3rThink3rs” comment…. started freaking out that all my passwords were now weak… e.g. they’re basically Sc1isS0rsPAp3RR0cK0W1ns or something just as pathetic as that…. then realised he GOT LUCKY and it still took him a year with a thousand other dudes helping.

    Realised that they HAVEN’T created a way to quickly decipher hashed and salted passwords as long as your password isn’t in one of these “most popular passwords”.

    Long story short, if your password is smarter than 2/3’s of the population you are safe. But your family members probably are not, and you won’t be able to convince them otherwise. Though personally I don’t want to hack into their facebook account and the only accounts that are important to me are email & banking (& maybe steam). But all 3 of those use double confirmation when you’re on a new PC. (i.e. SMS & password)
