May 29, 2013
Sophisticated Hackers Can Crack Even The Most Secure Passwords
Michael Harper for redOrbit.com — Your Universe Online
In the wake of last year´s password dumps and this year´s Twitter hacks, many have been paying extra attention to their passwords. The most common advice doled out is to use separate passwords for each website and service. Additionally, these passwords are supposed to be “strong,” meaning they combine letters, numbers and symbols and stay away from dictionary words.
Yet as the old adage goes, a fence can only keep out the good people. Criminals or trespassers who want to crack into your digital figurative backyard will always find a way, and according to a challenge posed by Ars Technica, to three hackers, even the strongest passwords — such as “qeadzcwrsfxv1331” — can be hacked if one has the proper amount of computing power behind them.
As it is with any numerical sequence, like a telephone number, guessing it requires a certain amount of trial and error. While it could take a human many years to correctly guess a long random number, computers were built to mindlessly hash through these sort of computations at a dizzying speed, and what took a person years to calculate could take a modern machine but seconds to solve. To put it plainly, password crackers set their computers to churn through the seemingly infinite number guesses until they reach the right answer. Depending on the hardware used, this could take minutes or months, but with enough tries and enough experience, password crackers are able to unlock a frightening number of even the most complex passwords.
To put this to the test, Ars Technica recruited three “cracking experts,” including a security consultant, a developer of a popular password cracking software, and a member of the Anonymous hacktivist collective. This crew was given a list of 16,449 passwords which were hashed using the MD5 cryptographic hash function. When websites and services store passwords, they run them through a hashing function which turns plaintext passwords like “password” into something that looks like “5f4dcc3b5aa765d61d8327deb882cf99.” The MD5 cryptographic hash has been found to be something less than rock solid and easily cracked with relatively basic hardware.
The recruited hackers set about cracking the list of hashed passwords and, according to the report´s author Dan Godin, “To put it mildly, they didn't disappoint.”
The least successful of the hackers, an Anonymous hacker who goes by the moniker “radix” was able to crack 62 percent of the list of hashed passwords in one hour using a machine with a single AMD Radeon 7970 GPU. And, as Godin points out, he was also quite distracted as the Ars reporters “peppered” him with questions about his process while he worked. The most successful of the three, Jeremy Gosney with Stricture Consulting Group, used the same GPU as radix and cracked 90 percent of the password list in about 20 hours.
These hackers use software which can not only use brute-force attacks against passwords but also combine random words and dictionary-like compilations which have been previously cracked. Gosney explained his process in an email to Ars Technica, saying that he starts with a brute-force crack, then moves on to his more nuanced dictionary cracks.
“And because I can brute-force this really quickly, I have all of my wordlists filtered to only include words that are at least six (characters) long. This helps to save disk space and also speeds up wordlist-based attacks,” explained Gosney.
“Our goal is to find the most (plain text passwords) in the least amount of time, so we want to find as much low-hanging fruit as possible first.”
The general public has no control over which hashing process websites use and therefore are at the mercy of an algorithm which they may know nothing about. It´s been recommended to use a password generator and storage service like 1Password to create the most secure passwords for each site and service. One strong and complex password could then be used to access the other passwords stored with the service. While hackers will always try to find ways to crack even the most secure passwords, this appears to be one of the best options currently out there.