Cracking of passwords has moved from an esoteric exercise for geeks to something that any kid can do.
Three developments in cracking passwords for fun and profit:
Hash Cat, a new open-source GPU-based cracking program, has become available for free download at HashCat.net. It’s available in both Windows and Linux versions and can run 16 graphics processing units in parallel.
Do you recall last June’s theft of 6.5 million password / email pairs from LinkedIn? Those passwords weren’t in plaintext — they had been hashed by LinkedIn using the (now discredited) SHA-1 hashing algorithm, so were presumably still pretty secure. Hash Cat was let loose on the purloined LinkedIn hashed passwords by Jeremi Gosney. Using a homebrew PC with multiple GPUs, he was able to crack 20 percent of the 6.5 million hashed passwords within thirty seconds. He used a dictionary attack with a 500 million word dictionary. His machine makes 15.5 billion guesses per second. Two hours later, he had cracked an additional 33 percent of the passwords. After one day, he had cracked 64 percent of the passwords. After five days, he had cracked 88 percent of the passwords.
Jeremi benchmarked Hash Cat on his $12,000 machine containing eight AMD Radeon HD7970 GPU cards. He ran a brute force attack on an 8-character password, trying all 96 characters in each position, in twelve hours. Add one more character, and it will require 96 times as much time to crack, or 1,152 hours. Add another character (making a ten-character password) and it will require 110,592 hours to crack by brute force.
And the conclusion is?
Use completely random passwords whose characters are drawn from the a-z, A-Z, 0-9 and punctuation mark character set (which contains 96 characters).
Use passwords that are at least ten characters long.
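The two conclusions above, together with the cost figures from the benchmark, can be turned into a small policy check. This is an added example, not code from the original post or from Hash Cat: it uses the post’s 96-character alphabet, its ten-character minimum and its 12-hour baseline for eight characters, and it scales that baseline by 96 for each added character. The common-password list is a constructed stand-in, not the real breach data, and the function names are this example’s own.

```python
# Added example (not from the original post): a password check built on the
# post's own rules: a 96-character alphabet, at least ten characters, nothing
# from a common-password list, and the 12-hour brute-force baseline for eight
# characters. COMMON_PASSWORDS is a constructed sample, not the real breach data.
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # a-z, A-Z, 0-9, punctuation
CHARSET_SIZE = 96      # the post's figure for that set, used for the cost estimate
BASELINE_LENGTH = 8
BASELINE_HOURS = 12    # the post: 8 characters, all 96 per position, 12 hours
MIN_LENGTH = 10

# Constructed stand-in for the "most popular passwords" lists (placeholder values).
COMMON_PASSWORDS = {"123456", "password", "welcome", "qwerty", "abc123", "letmein"}


def brute_force_hours(length, charset_size=CHARSET_SIZE):
    """Scale the baseline: every extra character multiplies the search by charset_size."""
    return BASELINE_HOURS * charset_size ** (length - BASELINE_LENGTH)


def missing_classes(pw):
    """Which of the four character classes the password does not use."""
    classes = {
        "lowercase": string.ascii_lowercase,
        "uppercase": string.ascii_uppercase,
        "digit": string.digits,
        "punctuation": string.punctuation,
    }
    return [name for name, chars in classes.items() if not any(c in chars for c in pw)]


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list: a dictionary attack finds it in seconds")
    if len(pw) < MIN_LENGTH:
        problems.append(f"only {len(pw)} characters; at least {MIN_LENGTH} required")
    for name in missing_classes(pw):
        problems.append(f"no {name} character")
    return problems


def generate_password(length=12):
    """Draw every character independently from ALPHABET with the OS CSPRNG,
    retrying until all four classes are present so the result passes check_password."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", generate_password()):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    for n in (8, 9, 10):
        print(f"{n} characters: about {brute_force_hours(n):,} hours on the post's benchmark machine")
```

The cost model reproduces the post’s 1,152 and 110,592 hours for nine and ten characters; it is a relative estimate tied to that one machine and hash type, not a prediction for other hashes.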
The best way to create and manage strong passwords is with a password management program. I like Keepass.
Graphics Processing Unit (GPU): a single-chip processor with a restricted instruction set that’s dedicated to graphics functions. GPUs may also be used for other dedicated tasks, such as decryption.
Users can learn from this breach, and Yahoo! can, as well.
Last week, a group of allegedly benign attackers downloaded about 450,000 Yahoo! users’ passwords. (To see if your Yahoo! password was compromised, go to labs.sucuri.net.) This worries me: did Yahoo! store unencrypted passwords on its servers, and they were simply downloaded intact? I sure hope not! Or were the 450,000 password hash keys downloaded, attacked with cracking programs, and the passwords recovered from the password hash keys?
How sites should handle passwords:
[Diagram: how a hashed password is used by companies to secure user details]
Trustworthy sites will, when you create a password, submit your password to a one-way algorithm to create a “password hash key”, and then discard your password. The site stores this password hash key — not your password. When you next attempt to login to your account, the password that you type on your keyboard is submitted to the one-way algorithm to create a password hash key, and that is compared to your account’s stored password hash key. The beauty of this system is that even if someone steals your password hash key, they still don’t have your password. To recover it from your password hash key, they’ll try three methods:
The most popular way to obtain the original password from a password hash key is the dictionary attack: common words are tried until the password hash keys match. (This is why you shouldn’t use common words for your password. If you have, it will be discovered within seconds.)
Next, the crackers will try an attack that exploits known weaknesses in older hashing algorithms. This succeeds only if the site has used a weak hashing algorithm.
If the first two attacks fail, the cracker next tries a brute force attack. This just tries every character in every position, sequentially, until the password hash keys match. If your password is 3 characters in length, this won’t take long. Each time you increase your password length by just one character, you exponentially increase the time required by the cracker.
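The sign-up and login flow described above, as an added example that is not part of the original post: the site derives a value from the password, discards the password, and at login re-derives and compares. It goes one step beyond the post in two ways the post does not cover: a random per-user salt (so two users with the same password do not share a stored value, and one dictionary run does not crack everyone at once) and a deliberately slow key-derivation function, PBKDF2, in place of a single fast SHA-1 call. The function names, the record layout and the sample passwords are this example’s own choices.

```python
# Added example (not from the original post): the "trustworthy site" flow the post
# describes, plus two hardening steps the post does not cover: a per-user random
# salt and a deliberately slow key-derivation function (PBKDF2) instead of one fast
# SHA-1 call. Function names and the record layout are this example's own choices.
import hashlib
import hmac
import os

ITERATIONS = 600_000   # slows each guess; raise it over the years as hardware speeds up


def fast_unsalted_hash(password):
    """The scheme the post attributes to LinkedIn: one SHA-1 over the bare password.
    Identical passwords give identical hashes, so one dictionary run covers all users."""
    return hashlib.sha1(password.encode()).hexdigest()


def create_record(password):
    """At sign-up: derive a key from the password and a fresh salt, then keep only
    the salt, the iteration count and the derived key. The password itself is discarded."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": key.hex()}


def verify_login(record, typed_password):
    """At login: re-run the same derivation on what was typed and compare in
    constant time, so the comparison itself leaks nothing about the stored value."""
    key = hashlib.pbkdf2_hmac(
        "sha256", typed_password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(key.hex(), record["hash"])


def same_password_same_hash(password):
    """Two users with the same password: unsalted SHA-1 collides, salted records do not."""
    a, b = create_record(password), create_record(password)
    return {
        "sha1_identical": fast_unsalted_hash(password) == fast_unsalted_hash(password),
        "salted_identical": a["hash"] == b["hash"],
    }


if __name__ == "__main__":
    record = create_record("sample-passw0rd!")   # constructed sample password
    print("stored record:", record)
    print("right password:", verify_login(record, "sample-passw0rd!"))
    print("wrong password:", verify_login(record, "password"))
    print(same_password_same_hash("password"))
```

The iteration count is what pushes back against the guesses-per-second figure quoted above: every guess the cracker makes has to pay the same cost the site pays at login, and the salt means that cost is paid once per user rather than once for the whole dump.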
After stealing the 450,000 password hash keys, did the crackers then crack all of the password hash keys? Or <shudder> did Yahoo! store the unencrypted passwords on its servers? I find that hard to believe. Maybe Yahoo!’s password hashing algorithm was weak. I don’t know. In any case, this breach isn’t good for Yahoo!’s public relations.
Of the 450,000 compromised passwords, the most popular were:
Don’t use these easily guessed passwords! They’re like leaving your house key under the door mat. And use a different password on each site. That way, if your email password is compromised, it can’t be used to login to your bank account. To manage all of my passwords, I use Keepass. Roboform and LastPass also have plenty of fans.
Update, 21 July: My worst fears confirmed
Apparently all of these passwords remained in clear text and were stored in a Yahoo! SQL database. This is a real no-no. No wonder Yahoo! has replaced its CEO.
I guess that all 450,000 passwords were associated with a Yahoo! voice service. A well-known SQL injection attack “liberated” them.
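Two things went wrong in the picture the update paints: passwords sat in the database in clear text, and a query could be bent by user input. The first is what the post’s earlier description of trustworthy sites is meant to prevent; the second is shown below in an added example that is not from the original post. It builds a throwaway in-memory SQLite table, runs the same username lookup once by string concatenation and once with a bound parameter, and keeps a regression probe that a defender would put in a test suite. The table, its rows and the probe string are constructed for the example and have nothing to do with the actual Yahoo! data.

```python
# Added example (not from the original post): the difference between building a
# lookup query by string concatenation and passing the value as a bound parameter,
# on a throwaway in-memory SQLite table. The table, its rows and the probe string
# are constructed for the example and are not the Yahoo! data.
import sqlite3


def build_db():
    """Constructed table in the shape the update describes: usernames with
    clear-text passwords beside them (the thing a site should never store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "sample-pw-1"), ("bob", "sample-pw-2")],
    )
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the input is spliced into the SQL text, so a quote in the
    input ends the literal and the rest of the input is parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the driver sends the value separately from the statement,
    so the same input is only ever compared against the username column."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username = ?", (username,)
    ).fetchall()


# Regression probe for the test suite: spliced into the concatenated query it turns
# the WHERE clause into one that matches every row; bound as a parameter it matches none.
PROBE = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("concatenated, normal input :", lookup_concatenated(db, "alice"))
    print("concatenated, probe input  :", lookup_concatenated(db, PROBE))
    print("parameterized, probe input :", lookup_parameterized(db, PROBE))
```

Had the table held only password hash keys, as the post recommends, even the concatenated version would have handed over nothing directly usable; the parameterized version is what keeps the query from being rewritten in the first place.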
We’re used to Facebook’s violations of users’ privacy. LinkedIn has joined the fun.
Yesterday, I became aware of two LinkedIn privacy concerns:
Users of LinkedIn’s 6-month-old LinkedIn app for iPhone and iPad have been, without their knowledge, uploading their entire calendars to LinkedIn’s servers.
A Russian hacker announced that he had downloaded usernames and passwords for 6.5 million LinkedIn accounts. To prove it, he published the passwords on the web.
LinkedIn presents itself as a site where professionals meet, unlike the unwashed slobs on Facebook. Its business model is similar to Facebook’s: collect every byte of information about its users and sell that data to advertisers. I wonder if LinkedIn’s professional users will be as unconcerned by LinkedIn’s lack of diligence as Facebook’s naïve users seem to be?
Organize and secure your passwords and account info.
Lately I’ve been helping clients improve their SEO (search engine optimization). A large part of this involves submitting information about each client to numerous directories. Some automated solutions exist, but SEO still involves hundreds of account creations, validations, and data entry. It’s not especially difficult — just tedious... and requires creating, storing, and recalling hundreds of account names, email addresses, and passwords.
I’ve been using Keepass to organize all of these clients, directories, account user names, and passwords. I can’t imagine a better tool for the job. Every time that I say, “I wish that Keepass did this”, I discover that in fact that feature is already built in — I just hadn’t discovered it. I’ve been adding the date of account creation to each account record, as well as notes about that particular account. Since I’m working with multiple clients, I often need to duplicate account info for one client and use the duplicate as a template for a new client. Keepass has all that functionality built in.
I resisted using Keepass at first, since it had a learning curve, but now it’s my favorite tool, one that I open first thing in the morning and close only at the end of the workday. I use Keepass on multiple computers at multiple sites and store its database in my Dropbox (see Use Dropbox plus Keepass to store your passwords.)
As long as you can connect to the web, you’ll always have all of your passwords.
A while ago I wrote an article about Dropbox and its competitors. Recently, Dropbox has been criticized for having compromised too heavily in favor of convenience rather than security. Used prudently, Dropbox can be safe. (Periodically, use the Dropbox web interface, go to Account, then My Computers, and delete the names of any computers that you neither recognize nor use any longer.) If you store 2 GB or less, Dropbox is free of charge. I use it with Keepass Password Safe to store my dozens of passwords.
Keepass stores your user names and passwords in a single encrypted file (which it calls your password safe). If you save this file to your Dropbox folder, your passwords are protected by both your Keepass password and your Dropbox password. Be sure to use strong passwords to protect both Dropbox and Keepass. Don’t forget your Keepass password; there’s no way to recover it if you forget it, and it holds the keys to your kingdom.
It works on Linux, too.
Dropbox has several Linux install packages available for download on their website. Keepass works flawlessly when launched with Wine 1.2.3. Dropbox for Linux integrates with the GNOME file manager, so on an Xubuntu machine (which replaces the GNOME desktop with the Xfce desktop) I’ve had to tweak the Dropbox install to work. I’m still working on this: it seems to be working, but I’m not sure what I did to make it work!
The Android version works, also.
August 2012 update: I installed both Dropbox and KeepassDroid on my new Android phone. They work nicely. My passwords remain synchronized across my Windows and Linux PCs, and now my Android phone.
Use for hundreds of passwords
I use Dropbox + Keepass to store not only my dozens of passwords, but the passwords of many clients, as well. Within Keepass, you may create groups and sub-groups, as shown below, to organize all of your passwords in easy-to-understand hierarchies:
Attackers breach commercial sites at hosted web service.
Network Solutions has notified 4,343 of its clients that their ecommerce sites were compromised between March 12, 2009 and June 8, 2009. This exposed the credit card data of 573,928 cardholders who used their cards on those sites during this period. Network Solutions states that the data was apparently captured by unknown third parties during credit card transactions. Who captured the data? That’s unknown. Network Solutions states that credit card data are encrypted before they’re stored on their ecommerce servers, so the breaches occurred only during credit card transactions.
The 4,343 Network Solutions client ecommerce site owners are expected to notify the 573,928 cardholders of the breach. Network Solutions has employed TransUnion to both notify cardholders and provide one year of free credit monitoring to help consumers detect the possible misuse of their information.