
The Easiest Ways Not to Get Hacked

passwords ars technica brute-force crack salting security

16 replies to this topic

#1 Hum

Hum

    totally wAcKed

  • 62,539 posts
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 29 May 2013 - 21:47

It took three hackers less than a day to decipher the majority of a list of 16,000 encrypted passwords, all because of the laughably easy-to-crack passwords most of us pick to protect our online lives. The most successful guy got 90 percent of the "plains," as hackers call deciphered passwords in 20 hours; the least successful guy just 62 percent of them in about an hour. Yes, it's really that easy. But, rather than sit there, shocked at how little security passwords provide, we should use this Ars Technica article as a lesson in password security. And, the first lesson learned therein is: Never, ever use a six character password.

Rule 1: Six characters is always too short. The very easiest and the first thing all of Ars's hackers did was guess your super weak six character passwords, via what's called a "brute force" attack. See, the most successful of the hackers, Jeremi Gosney, a password expert with Stricture Consulting Group, hacked 62 percent of the list in sixteen minutes because that's how easy it is to guess a code that's just six letters long:

Gosney's first stage cracked 10,233 hashes, or 62 percent of the leaked list, in just 16 minutes. It started with a brute-force crack for all passwords containing one to six characters, meaning his computer tried every possible combination starting with "a" and ending with "//////." Because guesses have a maximum length of six and are comprised of 95 characters—that's 26 lower-case letters, 26 upper-case letters, 10 digits, and 33 symbols—there are a manageable number of total guesses. This is calculated by adding the sum of 95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95. It took him just two minutes and 32 seconds to complete the round, and it yielded the first 1,316 plains of the exercise.

"Normally I start by brute-forcing all characters from length one to length six because even on a single GPU, this attack completes nearly instantly with fast hashes," Gosney told Ars.

Rule 2: So is a seven- and eight-character password, probably. After doing almost nothing to guess six-character passwords, it gets a tiny bit harder for hackers, but not much. For example, Gosney then did more of these types of guessing attacks with different permutations of longer possibilities, trying seven or eight character passwords with only lower case letters, for example. That technique takes mere seconds, and in this case revealed many additional "plains."

Rule 3: "Salting" doesn't make six character passwords strong. Many sites boast that their password protection technology uses "salting," meaning it adds random numbers to password hashes thus making it harder for hackers to figure out the original code of these shorter passwords using those brute force attacks. Turns out that's not really that true:

But the thing about salting is this: it slows down cracking only by a multiple of the number of unique salts in a given list. That means the benefit of salting diminishes with each cracked hash. By cracking the weakest passwords as quickly as possible first (an optimization offered by Hashcat) crackers can greatly diminish the minimal amount of protection salting might provide against cracking.

Plus, a lot of sites don't use salting. So, again: See rules 1 and 2.

Rule 4: Don't use real words. The least successful of the hackers, who goes by the handle Radix, guessed 62 percent of the list in about an hour, using a custom compiled dictionary of popular passwords. Just by using a publicly available list of plain text passwords, called the Rock You list, he got 30 percent of the insecure codes and all because a lot of people use the same, common words in their passwords.

Rule 5: Just make an 11 character password already. Those first few hacks done by Gosney and Radix are basically password hunting for amateurs. With a couple slightly more sophisticated techniques, bigger graphics cards, and a little more experience, even codes that follow some of the "best practices" get hacked. The very best way not to fall prey to that, however, is to create super long strings of gibberish. As this chart below shows, it gets exponentially harder to crack a code after 8 characters. Ars says use 11 just to be safe: "Readers should take pains to make sure their passwords are a minimum of 11 characters, contain upper- and lower-case letters, numbers, and letters, and aren't part of a pattern."

source
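The keyspace sum the article quotes (95^6 + 95^5 + ... + 95) is easy to work through yourself. This is an added example, not code from the article or the thread; the guess rate of one billion per second is an assumption chosen for illustration, not a figure from Ars, and `keyspace`, `seconds_to_exhaust` and `min_length` are names picked here.

```python
ALPHABET_SIZE = 95  # 26 lower + 26 upper + 10 digits + 33 symbols, as the article counts them


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate strings of length min_len..max_len over the alphabet.

    For 95 symbols and lengths 1..6 this is 95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95,
    the total the article gives for Gosney's first brute-force stage.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Wall-clock time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def min_length(alphabet_size: int, guesses_per_second: int, target_seconds: int) -> int:
    """Smallest length whose cumulative keyspace takes at least target_seconds to exhaust."""
    n = 1
    while keyspace(alphabet_size, n) < guesses_per_second * target_seconds:
        n += 1
    return n


if __name__ == "__main__":
    RATE = 10**9  # assumed guess rate for a fast, unsalted hash; not from the article
    for n in (6, 8, 11):
        space = keyspace(ALPHABET_SIZE, n)
        print(f"length 1..{n:2d}: {space:25,d} guesses, "
              f"{seconds_to_exhaust(space, RATE) / 86400:14,.1f} days")
    # Rule 2: lower-case only, exactly 7 or 8 characters
    print("lower-case 7-8 chars:", keyspace(26, 8, min_len=7))
    # Length at which exhausting the keyspace takes at least 100 years at RATE
    print("min length for 100 years:", min_length(ALPHABET_SIZE, RATE, 100 * 365 * 86400))
```

The "exponential after 8 characters" claim in the post is just this sum: every extra character multiplies the work by 95, so length 11 costs about 857,375 times more than length 8.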


#2 Draconian Guppy

Draconian Guppy

    LippyZillaD Council

  • 14,319 posts
  • Joined: 22-August 04
  • Location: Neowin

Posted 29 May 2013 - 21:50

My hotmail password was grandfathered with 4 characters until the outlook.com move which forced me to upgrade to 6 or more... Never had an issue, but then again, I'm probably nobody in the cyberworld :p

#3 +imachip

imachip

    Neowinian

  • 1,029 posts
  • Joined: 22-June 04
  • Location: England

Posted 29 May 2013 - 21:56

The easiest way of making a password long and very difficult to crack as well as memorable is to use a sentence with spaces and punctuation. Annoyingly some sites do not support this approach but most do.

#4 +warwagon

warwagon

    Only you can prevent forest fires.

  • 26,180 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 29 May 2013 - 21:57

Lastpass / Roboform with HeZz2N5sNMldD passwords FTW.

#5 n_K

n_K

    Neowinian Senior

  • 5,367 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 29 May 2013 - 22:20

First sign this is by someone that doesn't know anything about security:
'Rule 3: "Salting" doesn't make six character passwords strong. Many sites boast that their password protection technology uses "salting," meaning it adds random numbers to password hashes thus making it harder for hackers to figure out the original code of these shorter passwords using those brute force attacks. Turns out that's not really that true:

But the thing about salting is this: it slows down cracking only by a multiple of the number of unique salts in a given list. That means the benefit of salting diminishes with each cracked hash. By cracking the weakest passwords as quickly as possible first (an optimization offered by Hashcat) crackers can greatly diminish the minimal amount of protection salting might provide against cracking.'
Two hashes, one of 'thepassword' and another of 'thepassword#*(U%*YU(HQA&EY', yeah, I'd like to see him cracking the second in a reasonable time. Plus, rainbow tables don't work.

#6 OP Hum

Hum

    totally wAcKed

  • 62,539 posts
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 29 May 2013 - 23:28

123xyz has never failed me. :p

#7 +Nik L

Nik L

    Where's my pants?

  • 34,084 posts
  • Joined: 14-January 03

Posted 29 May 2013 - 23:32

Apparently "monkey" is a very common password. So I was sneaky, mine is now "m0nk3y". That'll show em, they'll never get that!

#8 +Brando212

Brando212

    Neowinian Senior

  • 6,610 posts
  • Joined: 15-April 10
  • Location: Omaha, NE
  • OS: Windows 8.1
  • Phone: Sony Xperia ZL, Nokia Lumia 925

Posted 29 May 2013 - 23:35

it's kind of ironic

yes, short passwords are easier to crack than long ones, but by limiting passwords to be longer and have certain characters in them, it's actually making them even easier to crack, as there's a lot that gets ruled out just by having those extra password rules

#9 Raa

Raa

    Resident president

  • 12,554 posts
  • Joined: 03-April 02
  • Location: NSW, Australia

Posted 29 May 2013 - 23:37

I thought this was all common sense... oh wait. :/

#10 LaP

LaP

    Forget about it

  • 5,754 posts
  • Joined: 10-July 06
  • Location: Quebec City, Canada
  • OS: Windows 8.1 Pro Update 1

Posted 29 May 2013 - 23:43

And how do they know the passwords are right or wrong ?

It's a myth that you can brute force an online account unless the password is 123. For one you need to factor in the time it takes for the web site to answer (this is not local where you can try millions of passwords every sec). And then the web site should lock the account (and send an email to an alternate address) if too many failed tries are done in a not humanly possible time frame.

If the account is not locked before it is brute forced then it's not the user's fault at all.

I really can't stand this blame on users when so many companies fail at protecting their users' accounts. People need to start asking companies to not fail at security too.

#11 ingramator

ingramator

    Hacker

  • 1,819 posts
  • Joined: 04-July 12
  • OS: Windows 7/8, OSX 10.8, Linux/UNIX/BSD
  • Phone: Lumia 920, iPhone 5, GS3

Posted 29 May 2013 - 23:46

Two hashes, one of 'thepassword' and another of 'thepassword#*(U%*YU(HQA&EY', yeah, I'd like to see him cracking the second in a reasonable time. Plus, rainbow tables don't work.


What do you mean rainbow tables don't work? My rainbow tables with all sorts of other nasty shortcuts could bruise down that second password in less than a second. If there are other passwords in the same table it's possible to pick up on patterns and exponentially increase the cracking speed.

#12 primexx

primexx

    Neowinian Senior

  • 12,738 posts
  • Joined: 24-April 05

Posted 29 May 2013 - 23:51

First sign this is by someone that doesn't know anything about security:
'Rule 3: "Salting" doesn't make six character passwords strong. Many sites boast that their password protection technology uses "salting," meaning it adds random numbers to password hashes thus making it harder for hackers to figure out the original code of these shorter passwords using those brute force attacks. Turns out that's not really that true:

But the thing about salting is this: it slows down cracking only by a multiple of the number of unique salts in a given list. That means the benefit of salting diminishes with each cracked hash. By cracking the weakest passwords as quickly as possible first (an optimization offered by Hashcat) crackers can greatly diminish the minimal amount of protection salting might provide against cracking.'
Two hashes, one of 'thepassword' and another of 'thepassword#*(U%*YU(HQA&EY', yeah, I'd like to see him cracking the second in a reasonable time. Plus, rainbow tables don't work.


yeah, I didn't understand that either. salting isn't supposed to do anything except for one thing: make pre-compute impossible. what's this mumbo jumbo about multiples of unique salts?
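Both readings of salting in this thread can be seen in a few lines: per-user salts make a precomputed table useless (identical passwords no longer share a hash), and the cost of a wordlist run multiplies by the number of unique salts still uncracked, which is the "diminishes with each cracked hash" point from the article. This is an added illustration, not code from the article or any poster; the four accounts, the four-word list standing in for the Rock You list, and the use of plain SHA-256 as a deliberately fast hash are all constructed assumptions.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample data: four accounts, two with the same weak password,
# and a tiny wordlist in place of the real Rock You list.
USERS = {"alice": "monkey", "bob": "m0nk3y", "carol": "monkey", "dave": "racecar"}
WORDLIST = ["123456", "password", "monkey", "racecar"]


def digest(salt: str, password: str) -> str:
    # A fast hash on purpose, to model the "fast hashes" Gosney refers to.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_store(users, salted: bool):
    """Return {user: (salt, hash)}; the salt is empty when the site does not salt."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16).hex() if salted else ""
        store[user] = (salt, digest(salt, pw))
    return store


def distinct_hashes(store) -> int:
    """Unsalted stores leak equal passwords as equal hashes; salted ones do not."""
    return len({hsh for _, hsh in store.values()})


def wordlist_cost(store, wordlist):
    """Count hash computations a wordlist run needs against this store.

    One hash per candidate covers every record sharing a salt, so the cost is
    (candidates x unique salts still uncracked).  Returns (hash_ops, cracked_users).
    """
    by_salt = defaultdict(lambda: defaultdict(list))  # salt -> hash -> [users]
    for user, (salt, hsh) in store.items():
        by_salt[salt][hsh].append(user)
    ops, cracked = 0, set()
    for candidate in wordlist:
        for salt, records in list(by_salt.items()):
            ops += 1
            cracked.update(records.pop(digest(salt, candidate), []))
            if not records:          # every record under this salt is cracked
                del by_salt[salt]    # so the salt no longer multiplies the work
    return ops, cracked


if __name__ == "__main__":
    for salted in (False, True):
        store = make_store(USERS, salted)
        ops, cracked = wordlist_cost(store, WORDLIST)
        print(f"salted={salted}: distinct hashes={distinct_hashes(store)}, "
              f"hash ops={ops}, cracked={sorted(cracked)}")
```

With four unique salts the run costs 14 hash operations instead of 4, and the multiplier drops from 4 to 2 as soon as the shared "monkey" accounts fall; a slow, tunable hash is what actually makes each of those operations expensive.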

#13 ingramator

ingramator

    Hacker

  • 1,819 posts
  • Joined: 04-July 12
  • OS: Windows 7/8, OSX 10.8, Linux/UNIX/BSD
  • Phone: Lumia 920, iPhone 5, GS3

Posted 29 May 2013 - 23:54

And how do they know the passwords are right or wrong ?

It's a myth that you can brute force an online account unless the password is 123. For one you need to factor in the time it takes for the web site to answer (this is not local where you can try millions of passwords every sec). And then the web site should lock the account (and send an email to an alternate address) if too many failed tries are done in a not humanly possible time frame.

If the account is not locked before it is brute forced then it's not the user's fault at all.

I really can't stand this blame on users when so many companies fail at protecting their users' accounts. People need to start asking companies to not fail at security too.


I think the problem is stealing the hashes because, as you said, the companies are incompetent and always 10 steps behind hackers. 100 hackers for every 1 security expert that knows what the bloody hell is going on. Wouldn't matter if it was a 1 character password of "M", you wouldn't be able to bruteforce via computer (unless you are routing across different IPs and have some neat JS that can read and respond to captchas) Outlook.com passwords because there are numerous safeguards in place. IF however some pro (or infinitely more likely, an inside worker) got a hold of the password "base", my password of "M" would be demolished AND potentially void the security of a 40 character password. As someone above me noted, it's actually safer (if you could circumvent password restrictions) to use a 2 character password because when plugging in parameters for your attack, the hacker will specify not to bother with bruteforcing passes under 6 chars. :D

Anyway some of that stuff is wrong; moral of the story: if you don't think your provider will be able to protect your password and data,

a) don't use them
b) if you have to use them, don't be in a position where losing that data or access is going to lead into bigger problems

#14 firey

firey

    F͎̗͉͎͈͑͡ȉ͎̣̐́ṙ͖̺͕͙̓̌è̤̞͉̟̲͇̍̍̾̓ͥͅy͓̍̎̌̏̒

  • 7,995 posts
  • Joined: 30-October 05
  • Location: Ontario, Canada
  • OS: Windows 7
  • Phone: Android (4.1.2)

Posted 29 May 2013 - 23:56

I use "racecar" because they never write it the right way (I write it backwards).

#15 LaP

LaP

    Forget about it

  • 5,754 posts
  • Joined: 10-July 06
  • Location: Quebec City, Canada
  • OS: Windows 8.1 Pro Update 1

Posted 30 May 2013 - 00:09

I think the problem is stealing the hashes because, as you said, the companies are incompetent and always 10 steps behind hackers. 100 hackers for every 1 security expert that knows what the bloody hell is going on. Wouldn't matter if it was a 1 character password of "M", you wouldn't be able to bruteforce via computer (unless you are routing across different IPs and have some neat JS that can read and respond to captchas) Outlook.com passwords because there are numerous safeguards in place. IF however some pro (or infinitely more likely, an inside worker) got a hold of the password "base", my password of "M" would be demolished AND potentially void the security of a 40 character password. As someone above me noted, it's actually safer (if you could circumvent password restrictions) to use a 2 character password because when plugging in parameters for your attack, the hacker will specify not to bother with bruteforcing passes under 6 chars. :D

Anyway some of that stuff is wrong; moral of the story: if you don't think your provider will be able to protect your password and data,

a) don't use them
b) if you have to use them, don't be in a position where losing that data or access is going to lead into bigger problems


Even if you consider the hacker had access to the password table (he should not) it should be very hard to hack a well protected account. For one the account should be locked if the hacker tries to access it from a different country. Then the user needs to access his alternate email account and unlock it and only then can it be accessed from this new country. It's not always possible to know what country the user is from. My iTunes account was locked last year because someone from Russia tried to access it (anyway this is what Apple told me). Even if he had the right password (unlikely since my password is 12 random letters, numbers, symbols with uppercases and lowercases) he still could not access it.

An account can even be locked if accessed from a different internet connection or PC. I know my Guild Wars account was instantly locked when I tried to play it on my friend's computer. I had to unlock it and add his computer to the "safe list".

My bank account can't be accessed online from an unknown computer. Even with the right password. If the computer is unknown to the web site (and the right password is provided) then it will ask all my secret questions (and my secret questions are dumb things like Question: "What is my favorite color?" / Answer: "A Beaver" and it's impossible to know them even if you know me).

There's no excuse today for the lack of security we see on some web sites. It's not a problem if it's a web site like Neowin. But it's a problem when it's a web site storing your credit card number and where you can buy things.