As password habits stagnate, password hackers thrive
21 August, 2012
category: Corporate, Digital ID
Password cracking has always been a reality in the digital world, but with surges in password reuse and advances in hacking methods, password security has never been more vulnerable.
As reported by ARSTechnica.com, the rampant practice of password reuse has drastically weakened the security associated with online identity. As of 2007, the average Web user was maintaining 25 separate accounts protected by an average of 6.5 passwords.
The danger of password reuse is simple: if a hacker obtains the login credentials for one account, he very likely has obtained the credentials for other accounts as well. Password reuse is a transparent and predictable habit that hackers are well aware of and can exploit to great effect.
Hackers' success is partly a result of advances in technology. Graphics processors, for example, enable password-cracking programs to run exponentially faster than they did a decade ago on comparably priced PCs. Today, a PC with one GPU can test 8.2 billion password combinations each second, depending on the algorithm—a volume and speed previously reserved for supercomputers.
To compound the problem, a PC can employ multiple GPUs at once, doubling or even tripling the speed of a password-cracking program. Cracking operations can also draw on online forums, which give access to far larger collections of credentials and passwords.
Password cracking operations rarely yield readable passwords directly; instead, hash values are obtained and then run through a cracking program to recover the plaintext. Password cracking is the process of running plaintext "guesses" through the same hashing algorithm in the hope of matching the stored hash values.
Just as dangerous as the hackers themselves are the habits and patterns in password selection. For example, capital letters are commonly placed at the beginning of a password while punctuation marks are commonly placed at the end. Though this information may seem irrelevant to some, it is invaluable to tech-savvy hackers.
More concerning is that common hashing algorithms like SHA1, DES and MD5 use minimal computing resources, which is ideal for a password hacker. To illustrate the weaknesses of SHA1, independent security researcher Jeremi Gosney targeted the popular site LinkedIn. It took Gosney roughly six days to crack 90 percent of the 6.5 million SHA1 hashes—recovering a fifth of the plaintext passwords in just 30 seconds.
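The two preceding paragraphs describe why a fast, unsalted hash such as SHA1 suits an attacker: every guess costs one cheap digest, and identical passwords produce identical hashes. The following Python example is added here to show the defensive side of that point; it is not code from the article or from any of the parties it mentions. It contrasts a legacy unsalted SHA1 record with a salted, iterated PBKDF2-HMAC-SHA256 record (both via the standard library), verifies a login in constant time, and measures on the local machine how many times more expensive one guess becomes. The sample passwords, the record format and the iteration count are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# All sample passwords in this file are constructed for the illustration.


def sha1_unsalted(password: str) -> str:
    """Legacy storage scheme of the kind discussed above: a single, fast,
    unsalted SHA1 digest. Two users with the same password get the same hash,
    and a GPU can test billions of guesses per second against it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Assumption: 200,000 iterations is a placeholder work factor; tune it so that
# one verification takes on the order of 100 ms on the server that runs it.
PBKDF2_ITERATIONS = 200_000


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing record (constructed format):
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    The per-user random salt means identical passwords no longer collide, and
    the iteration count multiplies the cost of every guess an attacker makes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the
    record and compare in constant time (no early exit on the first mismatch)."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def cost_ratio(password: str = "correct horse", sha1_trials: int = 2000,
               pbkdf2_trials: int = 2) -> float:
    """Rough local measurement of how many times more expensive one PBKDF2
    guess is than one unsalted SHA1 guess (same CPU, single thread)."""
    start = time.perf_counter()
    for _ in range(sha1_trials):
        sha1_unsalted(password)
    sha1_per_guess = (time.perf_counter() - start) / sha1_trials

    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(pbkdf2_trials):
        pbkdf2_store(password, salt)
    pbkdf2_per_guess = (time.perf_counter() - start) / pbkdf2_trials

    return pbkdf2_per_guess / max(sha1_per_guess, 1e-9)


if __name__ == "__main__":
    # Constructed example: two users who chose the same weak password.
    print("alice SHA1:  ", sha1_unsalted("password"))
    print("bob   SHA1:  ", sha1_unsalted("password"))  # identical: reuse is visible in the dump
    alice = pbkdf2_store("password")
    bob = pbkdf2_store("password")
    print("alice PBKDF2:", alice)
    print("bob   PBKDF2:", bob)                        # different salts, different digests
    print("verify correct:", pbkdf2_verify("password", alice))
    print("verify wrong:  ", pbkdf2_verify("Password", alice))
    print(f"one PBKDF2 guess costs ~{cost_ratio():.0f}x one SHA1 guess on this machine")
```

The ratio printed at the end is the whole defensive argument in one number: the iteration count slows a legitimate login by a fraction of a second once, but slows every one of an attacker's billions of guesses by the same factor. Dedicated password hashes (bcrypt, scrypt, Argon2) make the same trade with additional memory cost; PBKDF2 is used here only because it ships with the standard library.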
It is clear that as technology advances, the speed and effectiveness of password cracking increase. It is for this reason that programs like 1Password and PasswordSafe exist. These programs randomly generate strong passwords and securely store them in cryptographically protected files unlocked only with a master password. Using a password manager to change passwords regularly could also be an effective security measure.
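The paragraph above recommends letting a password manager generate passwords; the earlier paragraph on selection habits explains why human-chosen ones are weaker. The Python example below is added to show both points together and is not code from the article or from 1Password or PasswordSafe. It generates a password the way a manager's generator does (each character drawn independently from the OS random source), computes the resulting entropy and the time a guesser at the article's quoted 8.2 billion guesses per second would need to exhaust the space, and includes a check that flags the "capital first, punctuation last" shape the article describes. The alphabet, lengths and sample passwords are constructed assumptions for the illustration.

```python
import math
import secrets
import string

# Assumption: a 94-symbol printable ASCII alphabet (letters, digits,
# punctuation). A real manager lets the user narrow it for sites that
# reject some symbols, which lowers the entropy per character.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Rate quoted in the article for a single-GPU PC; the real figure depends on
# the hash algorithm, so treat it as an order-of-magnitude assumption.
GUESSES_PER_SECOND = 8.2e9


def generate_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Draw each character independently from the CSPRNG behind the secrets
    module, as a password manager's generator does. No human-style structure
    is imposed, so no position is more predictable than any other."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and an alphabet of at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for a guesser to try every candidate of this shape."""
    return (2 ** entropy_bits(length, alphabet_size)) / guesses_per_second


def follows_common_shape(password: str) -> bool:
    """Flags the habit described in the article: a leading capital, a lowercase
    word in the middle, and digits or punctuation only at the end
    (constructed example: 'Summer2012!'). A generator should never emit this
    shape, and a policy check can warn a user who types one in."""
    if len(password) < 2:
        return False
    head, body = password[0], password[1:]
    core = body.rstrip(string.digits + string.punctuation)
    tail = body[len(core):]
    return head.isupper() and core.isalpha() and core.islower() and len(tail) > 0


if __name__ == "__main__":
    pw = generate_password(16)
    bits = entropy_bits(16, len(DEFAULT_ALPHABET))
    print(f"generated: {pw}  ({bits:.1f} bits)")
    print(f"exhaustive search at {GUESSES_PER_SECOND:.1e}/s: "
          f"{seconds_to_exhaust(16, len(DEFAULT_ALPHABET)):.1e} s")
    # Constructed comparison: an 8-character all-lowercase password.
    print(f"8 lowercase letters: {seconds_to_exhaust(8, 26):.0f} s to exhaust")
    for sample in ("Summer2012!", "Password1!", pw):
        print(f"{sample!r}: common human shape = {follows_common_shape(sample)}")
```

The contrast in the usage section is the practical lesson: at the article's quoted rate, every 8-letter lowercase password falls in well under a minute, while a 16-character password drawn uniformly from 94 symbols has about 105 bits of entropy and is out of reach of exhaustive search. The shape check is deliberately narrow; it catches the one habit the article names, not every weak construction.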
See the full ARSTechnica article here.