Password cracking goes into hyperdrive

Dan Goodin's Ars piece on the state of password security is a must-read overview of the way that the password cracking landscape has changed in surprising ways. It's not just that computers have gotten faster -- it's the confluence of several factors, including: more sites that require passwords, which encourages password re-use; sites that use weak password hashing, unsalted hashing, or no hashing at all; and titanic dumps of real-world passwords that provide insight into how users choose their passwords. Put them all together and you get a situation like the LinkedIn dump, where 90 percent of the encrypted passwords were extracted in short order -- and where many of those passwords could be used to take over other user accounts, thanks to password re-use.

The RockYou dump was a watershed moment, but it turned out to be only the start of what's become a much larger cracking phenomenon. By putting 14 million of the most common passwords into the public domain, it allowed people attacking cryptographically protected password leaks to almost instantaneously crack the weakest passwords. That made it possible to devote more resources to cracking the stronger ones.

Within days of the Gawker breach, for instance, a large percentage of the password hashes had been converted to plaintext, a feat that gave crackers an even larger corpus of real-world passwords to inform future attacks. That collective body of passwords has only snowballed since then, and it grows ever larger with each passing breach. Just six days after the leak of 6.5 million LinkedIn password hashes in June, more than 90 percent of them were cracked. In the past year alone, Redman said, more than 100 million passwords have been published online, either in plaintext or in ciphertext that can be readily cracked.

"Now, it's like once a quarter you get another RockYou," Redman said.

In the RockYou aftermath, everything changed. Gone were word lists compiled from Webster's and other dictionaries that were then modified in hopes of mimicking the words people actually used to access their e-mail and other online services. In their place went a single collection of letters, numbers, and symbols—including everything from pet names to cartoon characters—that would seed future password attacks.

"So it's no longer this theoretical word list of Klingon planets and stuff like that," Redman said of the RockYou list. "It's literally 'dragon' and 'princess' and stuff like that, and [the list] may crack 60 percent of a newly compromised website. Now you have 60 percent of the work done and you haven't done any thinking at all. You've just used your previous knowledge."

I wrote a novella about where all this stuff ends up, called Knights of the Rainbow Table, for Intel's Tomorrow Project. I don't believe sf writers predict the future, but I sure feel like that one predicted the present.

Why passwords have never been weaker—and crackers have never been stronger


  1. So what should a good password look like? Is it time for the passphrase? Passparagraphs? Retina scans?

    1. I guess something as simple as a password manager and randomly generated passwords would be enough if you only could convince non-technical people to use them. _That’s_ the hard part.

      1. “Password Manager” simple?
        If you can suggest one that allows easy access from PC/MAC/Android/iPhone and is generically accessible from browsers out on the internet (i.e. machines I don’t own and can’t install software on) and cope properly with the huge range of login mechanisms then I can probably come up with a handful of other features it lacks (to make it as easy as having a password in your head).

        I think that a decently uncrackable source for ID and authentication could be something for governments to look at instead of fartling around trying to prevent kids from downloading porn and the like. 
        (Except that like any government IT project it would be doomed to be a massive failure from inception till about 5-10 years later when everyone realises they’ve ironed out the bugs and it’s actually not bad.)

        1. True – the password manager would need to be easy enough for a non-tech to use.   And it would need to be that same ease on every system.  Even at work.  Otherwise, a randomly generated password just means I can’t get to any of my accounts on certain computers. 

          1. Lastpass comes close, I have a browser plug (Dolphin for Android) in on my phone as well as on the desktop, plus a phone app, so I can almost always copy-paste. Plus I use Google Authenticator on my phone. You do want to have your one time passwords written down though, so you can get in if you loose or wipe your phone.

        2. 1Password mostly fits the bill: Mac, iOS, PC, Android clients. You can get a lovely read-only look at your passwords if you store your database online. The only criticism is some Ajax-y log-in forms can confuse it.

          As to how easy it is, I’ve got my (admittedly slightly techie) retiree parents using it.

    2. Use a password manager (LastPass, 1Password, Keepass, etc.)

      Generate a unique, random password for every site. The longer the better (as many characters as the field allows) . This is doubly true for your email accounts.
      Do the same for “Security Questions”, which are notoriously weak. Don’t even try to answer them, just fill in the answers with another randomly generated password.

      Use two-factor authentication whenever available, and pressure any and all sites you use to implement two-factor authentication if they haven’t already (Facebook and Gmail both implement two-factor authentication, so activate that and when possible use one of those to log in to other sites).

    1. Yeah, that’s pretty much why I could never get exited about online services for this purpose. I prefer offline software with a locally stored database as a password manager.

    1. If you choose a weak password, meaning it happens to be one of the millions of common ones, then any site anywhere that has a breach can lead to your account being compromised, even if your account is not on the breached site. All because you chose a weak password.

      Suppose you choose one common English word out of a list of, say, 1000. Then you can be almost certain that your password is in the list of common passwords.

      If, however, your password is, say, four English words out of that same list of 1000, then that list of common passwords would have to be 10^12 items long in order to contain your password with certainty. Or it would have to do an O(N^4) search, which is ludicrous. Use five words to be sure, though — 10^12 items is probably within reach real soon now. Using a 40-bit code for each entry, you’d only need 5 terabytes for that list.

      So I do think the strength of your password is key (ha ha), and you can’t hope that every site everywhere is secure.

  2. As a developer, I believe not only that password security is not very good in the best case, but also that if I attempted to implement my own password storage scheme, I’d almost certainly screw it up.

    So I use OpenID for authentication whenever possible.

  3. The biggest problem, of course, is the number of sites that have totally stupid password policies.  For instance, one of our banks (Bank of Montreal) insists that we must use a password of exactly 6 characters, no more, no less (and no symbols allowed).  So, insofar as they let you, the best practice is to use long (over 12 characters) passwords with symbols, mixed case, and spaces.  Use internal punctuation, capitalization, and numbers (not just appended at the beginning or end), but don’t go overboard if you’re planning on memorizing it. A short sentence, or the initial letters of a long sentence, can form the basis for something that’s secure but easy to remember.  Length is far more important than complexity when it comes to making a password hard to crack. 

    Never re-using any passwords ever is fine advice, but then you are stuck using a password manager, which means you won’t be able to access your accounts from a public computer, or when using a borrowed phone.  And circumstances in which you find yourself without a computer/phone of your own (ie, your house burned down, you’ve been robbed, your hard disk has crashed, etc) may be exactly the circumstances in which you will need to access your accounts.  

    Fundamentally, when it comes to password re-use, you have to balance security and convenience, the safety of nobody being able to hack your accounts with the possibility you’ll find yourself unable to access your accounts when you need them.  You also need to balance just how horrible it would be if someone hacked into each account — you may not particularly care if your Facebook is hacked, or you might regard that as almost as bad as having your bank account hacked. 

    The other huge problem is how your email is the key to unlocking your entire online life — since almost every site allows password resets via email, if someone can hack into your email account, that gives them access to everything you’ve linked to that account, regardless of whether or not your password was unique.  Using one email for social media logins and a different email for your banking is a start (and then set the backup email address for resetting those accounts to yet a third email), but fundamentally there’s no good solution for this.

  4. Wow, four pages to say: “Passwords are a weak security and identification mechanism.” The time and effort would be better spend on discussing full alternatives: biometrics, token, certificates, etc.

    Alternatives to password identification are required now.

  5. My strategy is to use a few unique and pretty difficult passwords for high value sites like banking and email and pretty much a single 8 character password for e/thing else that won’t affect me very much if it gets stolen. Go ahead and compromise my BoingBoing login. Not really a big whoop.

    Is there a problem with this strategy that I’m missing?

Comments are closed.