Cracking of passwords has moved from an esoteric exercise for geeks to something that any kid can do.
Three developments in cracking passwords for fun and profit:
- Hash Cat, a new open-source GPU-based cracking program, has become available for free download at HashCat.net. It comes in both Windows and Linux versions and can drive 16 graphics processing units in parallel.
- Do you recall last June's theft of 6.5 million password / email pairs from LinkedIn? Those passwords weren't in plaintext: LinkedIn had hashed them with the (now discredited) SHA-1 hashing algorithm, so they were presumably still pretty secure. Jeremi Gosney let Hash Cat loose on the purloined LinkedIn hashed passwords. Using a homebrew PC with multiple GPUs and a dictionary attack with a 500-million-word dictionary, he cracked 20 percent of the 6.5 million hashed passwords within thirty seconds. His machine makes 15.5 billion guesses per second. Two hours later, he had cracked an additional 33 percent of the passwords. After one day, he had cracked 64 percent of the passwords. After five days, he had cracked 88 percent of the passwords.
- Jeremi benchmarked Hash Cat on his $12,000 machine containing eight AMD Radeon HD7970 GPU cards. He ran a brute-force attack on an 8-character password, trying all 96 possible characters at each position, in twelve hours. Add one more character and cracking it will take 96 times as long, or 1,152 hours. Add another character (making a ten-character password) and it will take 110,592 hours to crack by brute force.
And the conclusion is?
- Use completely random passwords whose characters are drawn from the full a-z, A-Z, 0-9 and punctuation character set (which contains 96 characters).
- Use passwords that are at least ten characters long.
The best way to create and manage strong passwords is with a password management program. I like KeePass.
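The arithmetic behind the two conclusions, worked through as an added example (my own illustration, not code from the post or from Hash Cat): the estimator scales the post's 8-character / 12-hour benchmark by a factor of 96 per extra character, the generator draws passwords from the recommended character set with a cryptographic random source, and the audit function shows why unsalted SHA-1 lets one pass over a wordlist test every stored hash at once. The wordlist and stored hashes are constructed sample data; `string.punctuation` yields a 94-character alphabet, so the estimator takes the alphabet size as a parameter and defaults to the post's figure of 96.

```python
import hashlib
import math
import secrets
import string

# Recommended character set: a-z, A-Z, 0-9 and punctuation (94 characters here;
# the post counts 96, so alphabet_size is a parameter below).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def brute_force_hours(length, alphabet_size=96, base_length=8, base_hours=12.0):
    """Scale the post's benchmark (8 characters in 12 hours) to another length.
    Every extra character multiplies the keyspace, and thus the time, by alphabet_size."""
    return base_hours * alphabet_size ** (length - base_length)


def entropy_bits(length, alphabet_size=96):
    """Bits of entropy in a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def random_password(length=10, alphabet=ALPHABET):
    """Uniformly random password; secrets (CSPRNG), never the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dictionary_exposure(stored_hashes, wordlist):
    """Defender's audit: which unsalted SHA-1 hashes match a wordlist entry.
    One hash per word covers every account because nothing per-user (a salt) was mixed in."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    hits = {h: table[h] for h in stored_hashes if h in table}
    return hits, len(hits) / len(stored_hashes)


# Constructed sample data: a tiny wordlist and three unsalted SHA-1 hashes,
# two of dictionary words and one of a random 10-character password.
SAMPLE_WORDLIST = ["password", "linkedin", "123456", "letmein"]
SAMPLE_HASHES = [hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password", "letmein", "R7$kq!2Zw@")]

if __name__ == "__main__":
    for n in (8, 9, 10):
        print(f"{n} chars: {brute_force_hours(n):,.0f} h, {entropy_bits(n):.1f} bits")
    print("generated:", random_password())
    hits, fraction = dictionary_exposure(SAMPLE_HASHES, SAMPLE_WORDLIST)
    print(f"{fraction:.0%} of stored hashes found in the wordlist: {sorted(hits.values())}")
```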
- Graphics Processing Unit: a single-chip processor with a restricted instruction set that is dedicated to graphics functions. GPUs may be used for other dedicated tasks, such as decryption.
Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695