Ultra password cracking- are you safe?

[BritishSword]

 What are the long-term consequences of the many massive password leakages which have occurred.  The upshot?  Hackers are getting MUCH better at cracking passwords, and "clever" techniques can no longer be regarded as safe.

There has never been an article that received so much tweeting to my attention as a recent article in Ars Technica.  Their cybersecurity guy, Dan Goodin, did a very nice, very comprehensive, four-page piece about sort of a snapshot on where we stand with password hacking.
Now, he didn't really draw any conclusions.  We will,
Well, it turns out having access to more than 100 million actual in-use passwords, which is what are now available, freely downloadable over the Internet, having those actual passwords has changed the complexion of password-cracking.  All of those things that we sort of "wink, wink" about doing, like changing alphabetic characters into the numbers that they resemble, or those sorts of things - and we'll talk about what those are because they've all been analyzed now.  What's happened is, and this is another thing you would expect, over time there's evolution of the technology.  The cracking is really getting better.

If anybody still thinks that they're being cute with the way they're designing passwords, I hope to be able to increase their security further by putting them off of those habits because they're just not working any longer.


I started, after reading article, more religiously using the generator built into LastPass, and I set it for 12 characters and special characters mixed and everything.  Although I'm a little disappointed.  I opened an account at a new bank the other day, and I was actually quite disappointed.  First of all, I could only use, I can't remember what it was, 12 or 13.  After that it stopped.  I couldn't use more characters, which I know means that they're not hashing passwords, or it wouldn't matter.  And second, that they wouldn't allow me to use special characters.

So Dan's article, or his security blog posting, was "Passwords Under Assault."  Anyone who wants to read the entire four-page piece can just Google "Passwords Under Assault," and it's the first link that comes up.  And he titled it, "Why passwords have never been weaker and crackers have never been stronger."  Which sort of reminds us of the famous Bruce Schneier quote, where he noted years ago that attacks never get weaker, they only get better.  And Dan said, "Thanks to real-world data, the keys to your digital kingdom are under assault."

So essentially what's happened is there have been consequences, there's evolutionary effects that we would expect, that is, passwords are very tasty fruit for hackers to try to grab.  And, unfortunately, websites have proven themselves surprisingly inept at managing user logon credentials.  We're routinely, actually, covering the major breaches in passwords.  It was just a couple months ago, in June, that LinkedIn famously lost control of 6.5 million passwords.  What's happened is, as a consequence of those and other breaches - there was another major gaming site that lost, I think it was 32 million of their user passwords all at once.  And so what's happened is it's moved the hackers' understanding of what passwords people are using from theoretical, like the planets of the Klingon universe, to the actual.  And we've learned weird things, like "monkey" is used unusually often.

For some bizarre reason, lots of people chose the word "monkey."  Well, nobody would guess that.  So it's only by looking, doing statistical analysis of actual password databases, that these sorts of things come out.  Another thing that is often occurring is that people capitalize words, instead of them being all uppercase or all lowercase.  They tend to - first character is capital, then the rest of them are lowercase.  Many times people create passwords which are word followed by four numbers, like their date of birth, for example, or 1492, something that is memorable to them, but they think, oh, this is clever.

So the problem with patterns, like the idea of eight characters where the first one is uppercase and the other ones are lowercase and then, for example, a four-digit number, if you made it five digits, that is, if you broke the pattern, then you get security.  If you don't, what analysis of databases have shown hackers is that, in the same way that for some bizarre reason the password "monkey" gets chosen way more often than randomly,  people are using eight-character alphabetic words followed by four-character numbers, I mean, exactly that pattern.  And so what happens is, if that's known, or even just believed, that is, if it's tried for, then it completely changes the math.

For example, say that you didn't know what a 12-character password was, and that it could use the full alphabet and special characters and numbers.  Well, any one character, as we've talked about many times, could have approximately 96 different possibilities.  So 12 of those would be 96^12, since it's 96 for the first character, 96 for the second character, 96 for the third.  But we also know that that really only applies if the 12 characters are really random.  They could be anything.  And 96 raised to the power of 12 is 612.7 times 10^21.  Huge number.  That's 612,700 billion billion possibilities for 12 characters.

But people don't choose their 12 characters randomly.  And what statistical analysis of these captured online databases have shown hackers is that, as I was saying, for example, there's a huge preponderance of first letter is capitalized, the next seven are lowercase alpha, and then they're followed by four digits that is, like, a year.  It's something generally in the 20th Century.  So what that does is that dramatically changes the math.  Now that means you only have 26^8 power since you have only - you know you're going to have capital A through capital Z, then lowercase A through Z for the next seven characters.  Then say that you didn't even constrain it to a modern-era year, but you just did 0000 to 9999, so now you're at 26^8 times 10,000.  Well, that's only 2.08 million possibilities, compared to 612,700 billion billion possibilities.

So the point is that, what hackers have done is, by analyzing the actual databases of captured passwords, they have found all of these tendencies.  It is absolutely no longer the case that we can do anything clever.  We cannot use, like, "Prince$$," where we change the S's into dollar signs.  They got that.  You can't use...

You can't turn your E's into 3's.  They got that, too.  I mean, all of the kinds of things that people typically do, thinking that they're being clever, trying to sort of - essentially we're trying to compromise.  We're trying to come up with something that's sort of ours and that we think nobody else is going to do.  Well, surprisingly, because we're all human, and we have similar experience, we're generally doing the same things, it turns out.  When you statistically look at 100 million passwords, there aren't that many possible things that people can do that meet these criteria.  And of course there's certainly some communication among people.  Not everyone is coming up with these things on their own.  They're talking to their friends about, oh, what do you do, how do you make passwords?  And so they share some of their ideas.

Oh, the site was RockYou.com which, in 2009, through a SQL injection attack, lost their 32 million plaintext passwords, which all went into this huge 100 million-plus hopper for statistical analysis.

So the other thing that has happened is, and this is the evolutionary part, not only are hackers really focusing on this, but as we know, there's been huge movement in technology over time.  We've talked about how GPUs, the graphic processing units that are now powering our graphics cards in order to give us the 3D realism and high frame rate performance that we want for gaming, those can be repurposed to create essentially cryptographic pipelines which are able to run cryptographic algorithms at very high speed.

[BritishSword]

One of the takeaways from all of this is that hashing was never the right thing to do.  Hashing was better than leaving things in plaintext, certainly.  But hashes were designed, as we have said before, for speed.  They were designed to be efficient.  But efficiency is exactly what you don't want in password security because it allows brute-forcing to run at tens of millions of guesses per second.  So while it's certainly better that sites have been hashing their passwords than not, it turns out that we no longer should consider that very useful.  Certainly not if they are unsalted hashes.

The LinkedIn breach that we talked about in June, where 6.5 million passwords were lost, to give you some sense for this, for what this really means in the real world, independent security researcher Jeremi Gosney took the leaked LinkedIn unsalted but hashed, it was hashed with SHA-1, database.  He applied it against his 500 million strong word list of common words, using a block of GPUs, which are able to make 15.5 billion guesses per second.  This is not the NSA.  This is some guy in his bedroom who can do 15.5 billion guesses per second.  Against LinkedIn's 6.5 million passwords, he cracked the first 20 percent in 30 seconds.  He had one out of every five of that 6.5 million passwords cracked in 30 seconds.  The next 33 percent took two hours, so in two hours and 30 seconds he had 53 percent of them cracked.  It began to slow down exponentially so that, after a day, 24 hours, he was at 64 percent of the 6.5 million passwords cracked.  And after five days, he had an additional 24 percent.

So we're not talking long-term protection here, if a database gets loose, even if it is salted.  That's no longer the case. The other interesting thing to Google is a new, open source, free, GPU-based cracking facility called Hash Cat.  You should bring it up onscreen, H-a-s-h and then space, Cat, Hash Cat, calls itself "advanced password recovery."  It's the first result in Google, and it's just HashCat.net, also.  And it says, "Download the latest version."  The requirements are, for NVIDIA users, you need to have their ForceWare 290.40 or later; for AMD users, you need to have Catalyst 12.4 or later.  And it looks like a very nice, professional piece of work.  Under features they claim the world's fastest md5crypt, phpass, mscash2 and WPA/WPA2 cracker; the world's first and only GPGPU rule-based engine.  Its multi-GPU support can run 16 graphics processing units in parallel; has native binaries for both Linux and Windows.


 What we're seeing is the standard evolution in password-cracking technology that once truly was rocket science.  Now it's turnkey.

[BritishSword]

 Now, it is still the case, and I think on maybe the last page of Dan's four-page piece he shows a very interesting chart which you should put on the screen if you can find it there, where it goes exponential.  There is still the so-called "password cracking wall," which means, if none of these dictionary attacks work, if your password isn't something, a normal word where the E's are changed into 3's or three exclamation points are added to the end, or if it's not something where you have been clever, but in fact the password you're using doesn't fail in any of those ways, and you have to assume now clever is broken, clever is no longer good enough, if it doesn't match that, then you're back to brute-forcing.

And it doesn't matter if you use a GPU or if you use CloudCracking or anything.  So to put a number on it, there's a picture shown of a homebrew, $12,000 machine containing eight AMD Radeon HD7970 GPU cards, running Hash Cat.  It requires 12 hours to brute-force the entire eight-character password keyspace.
That's upper and lower, digits and symbols.  The whole thing.

But now remember, you add one character to that and it's 96 times longer.  One more character, 96 times again.  One more character, 96 times again.  So that's why this thing still exponentiates.  It goes straight up because, if you really have very high entropy, if you have not - if your password hasn't crumbled because you did something that you thought was clever - oh, another one that is mentioned here I thought was interesting, that apparently, again, lots of people think, oh, I'm being tricky, no one's going to think of this.  It is to spell a word forwards and then concatenate that word backwards.  Whoops.  They know about that, too.

What has been learned is that we're just not very good at coming up with something really clever.  The classic was transposing the keys on the keyboard.  Yeah, they know about that, too.  There are dictionaries of all the words shifted one up and over to the left, or one down and over to the right and so forth.  All of that.  So the idea is that what we as users need to appreciate is that this day and age, this is the low-hanging fruit.  The hackers are just having a ball, literally spending their time thinking, okay.  They'll look at a password that was captured and think, that looks random.  Where did that come from?  And they'll realize, oh, look, that's shifted down and to the right from a normal word in the English language.  So they add that strategy to their cracking library, and suddenly all passwords of that form fall to the addition of that strategy.  And this is only going to get better in the future.  So if you haven't yet switched to something that will not fall to this kind of attack, the sooner you do, the better.

And one other piece of analysis showed that the typical web user is logging onto - I'm trying to find the number here.  I just saw it.  I think it's 26 different sites, but only using 6.5, on average, that is, between six and seven different passwords.  So it is still the case that we're seeing cross-site - oh, it's 25, 25 separate accounts, but uses between six and seven passwords for protection.  So there is still a substantial amount of password reuse going on.  And we know why that's not safe because, if a site like LinkedIn, with its 6.5 million passwords and associated email addresses, if those passwords get cracked, and 90 percent of them have been now after a couple months, and you use the same credential elsewhere, then you're very vulnerable to impersonation, which is of course all of what this is supposed to be protecting us from.

So the argument is that, yes, over time, we are moving to multifactor authentication.  But unfortunately, today, in this day and age, we're still being forced to authenticate with passwords.  And this is where the action is.  People are having fun just with the idea that a GPU has this much computing power, and all these resources are available on the Internet.  You no longer need to be a rocket scientist in order to play these games and play with this stuff.  And the consequence is that more and more people are going to be doing so, and freely downloadable software is going to be getting more and more clever.  So that anything that you've thought of that you think is like your trick, your tricks have gotten loose, or people like your tricks have gotten loose.  They've been analyzed and added to the strategy.  So that it's no longer just simple, try every possible password, aaaaaa, aaaaab, aaaaac and so forth.

So what we need to do is abandon this and just use entropy, ultra-high-entropy passwords, and something then to manage them, like LastPass of course is what I use, 1Password, and there's a collection of great utilities to help people remember.  I haven't looked at any of the others, that is, the security of any of the others other than LastPass.  So that's the one, as we know, that I've looked at closely.  And as far as I can tell, they've done everything right.

But I would say, from this point on, and as you have the chance, you really want to migrate away from things you did that you felt were clever because, if those get loose - and unfortunately that is the attack model today, it's not somebody logging in through the web interface, guessing your account.  No.  It's that a database on the backend escapes, and then millions of credentials are being cracked in parallel.

Who would have guessed that everyone would choose "monkey"?  We weren't telling each other.

Anything you can think of, they can, too.  But more importantly, you thought of it, and you used it.  And then some website where you used it got cracked.  What happens is the hackers look closely at the ones they could not crack, and they go, hmm, why couldn't we crack...

They zero in on the ones they couldn't crack, and that leads them to strategies they don't yet have crackers for, and so they add crackers for those strategies.

And this is why you need regular wars so that people like this can go to places like Bletchley Park and use their genius for good, not ill.

LastPass has a security, a password security audit feature I'm seeing.
So try that.  It finds duplicate passwords, I think, is mostly what it does.

Well, I'm more and more using that Generate from LastPass to generate passwords. I resisted it at first because it was like, oh, this just looks like total noise.  But that's the point.  You want something that looks like noise and trust LastPass to remember it for you.

Post adapted and pracied from GRC which is licensed under creative commons.