
Effectiveness of password cracking



Ars ran a piece where they had a few people attempt to crack a password database; the crackers were quite successful:

 

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

 

I guess I've been vaguely aware of this for a bit, but have been a little wilfully ignorant, but it's more or less impossible to ignore this sort of thing now. If every site were using bcrypt with proper salting, the risk wouldn't be too bad, but we all know that's not the case.

 

Any recommendations for a good password management solution? I'm thinking Keepass + Dropbox, but I don't know if that's the best option.


That's a scary article, taion. Thanks for sharing it.

 

I've tried to use a combination of intentionally mis-spelled words, plus numbers and symbols over the years. I figure that the combination of a mis-spelled foreign word, and the mid-expression would be enough to throw anybody but the Mossad. Take away the dictionary look up and you've made the job harder. Unless they crack the financial institution's database. Which they have.

 

For a while, I used Italian pasta names, so "stroza4?7pretty" was used for a few weeks. And I've limited online outflows or wires from financial accounts.


I believe most of the rulesets actually cover mis-spelled words and random insertions. Unclear whether their dictionaries would be likely to include foreign words, but not necessarily something to bet against.


> I believe most of the rulesets actually cover mis-spelled words and random insertions. Unclear whether their dictionaries would be likely to include foreign words, but not necessarily something to bet against.

 

Oh, well.

 

Maybe mis-spelled foreign words would get a pass? Or Citi would leave the passwords out on their front steps again....


I haven't looked at this stuff for a while, but in the old days (we're talking pre-shadowed passwd files), the crack utility would include a dictionary, a predefined set of rules c0ver1ng silly things people tend123 to do, as well as any personal info that could be learned about a particular account (back then using finger). On a normal unix system without any password rules we'd get about 30% hit ratio, on somewhat secure ones that enforced some basic rules it'd be lower. One US school used to set password = username1 for its staff by default.

 

Choosing a relatively strong password is easy &PC9!d0#f or something like that and you're done for now. The trouble starts (as taion points out) when you use it on multiple sites and one of them is hacked (or you're led to a phishing page).

 

Foreign words sound like they should be better (esp. in Chechen!) but then an attacker could be clever enough to figure out which dictionary they need to load based on user name.

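The post above describes how a cracking ruleset undoes the "c0ver1ng"/"tend123" style of mangling and tries username-derived passwords. The following is an added example, not code from the thread or from any cracking tool: a defender-side policy check that applies the same normalisations (reverse leet substitutions, strip appended digits and symbols, drop inserted characters) and then rejects anything that collapses to a dictionary word or the username. The wordlist, the substitution table and the function names are constructed for the example; a real deployment would use a full breached-password list.

```python
import re
import string

# Constructed miniature wordlist standing in for a cracking dictionary.
WORDLIST = {"password", "covering", "tend", "secret", "welcome", "letmein", "dragon"}

# Common character substitutions that cracking rulesets reverse (assumed table).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

STRIP_CHARS = string.digits + string.punctuation


def candidate_bases(password: str) -> set:
    """Return the plain-word forms a simple ruleset would recover from `password`."""
    low = password.lower()
    bases = set()
    # Form 1: as typed; form 2: with leading/trailing digits and symbols removed
    # (the "tend123" case).
    for form in (low, low.strip(STRIP_CHARS)):
        # Each form with and without leet substitutions reversed (the "c0ver1ng" case).
        for variant in (form, form.translate(LEET_MAP)):
            bases.add(variant)
            # Also drop any digits/symbols inserted in the middle of the word.
            bases.add(re.sub(r"[^a-z]", "", variant))
    bases.discard("")
    return bases


def is_dictionary_derived(password: str, username: str = None) -> bool:
    """True if the password reduces to a wordlist entry or to the username."""
    bases = candidate_bases(password)
    if username and username.lower() in bases:
        return True  # the "password = username1" default from the post
    return any(base in WORDLIST for base in bases)


if __name__ == "__main__":
    for pw, user in (("c0ver1ng", None), ("tend123", None),
                     ("bob1", "bob"), ("&PC9!d0#f", None)):
        verdict = "REJECT" if is_dictionary_derived(pw, user) else "ok"
        print(f"{pw!r:14} -> {verdict}")
```

This is a heuristic, not a cracker: it only needs to recognise that a candidate is one cheap rule away from a dictionary word, which is exactly the case where a ruleset gives an attacker a hit for almost no work. A random password such as the "&PC9!d0#f" example in the post survives every normalisation and passes.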

Oh, what I meant to say was that the key difference is that one can go through hashes much much more quickly with GPUs now, whereas CPUs are not well suited to that sort of thing.


Passwords are obsolete. You just have to be lucky. And so many people don't make a serious effort with passwords, if you do, you'll probably be okay.

 

Sure, a very long password with many strange characters may be relatively hard to crack, but most of us would have to write it down to remember it. And most of us need at least forty or fifty passwords (just start counting). You could use the same (difficult) one with something like LastPass and hope the database doesn't get hacked (after all).

 

Researchers have shown that brute force attacks can crack any eight character password composed on a standard keyboard in a fairly short time. And there are plenty of other horror stories.

 

AB's right to mention phishing. I'd like to add social engineering. If you're the kind of person who puts place of birth, date of birth, pet's name, and a few other facts like that on your Facebook page--or elsewhere online--chances are anyone can call Amazon or Apple or even a bank and get a password reset by pretending to be you. The security question system is...pathetic.


Your statement was, uhh, somewhat liberal with respect to correctness, no offense. The viability of the brute force attacks above all come from the incorrect use of cryptographic hashes rather than password hashes. Otherwise you'd be correct in that something like LastPass or KeePass would be pointless - except they're not.


Taion, everything I've read suggests passwords of 11-15 characters are very resistant to brute force solutions. That's why so many crackers are moving toward phishing to get passwords, names, etc.

 

FWIW I regularly get emails at my various addresses telling me there's a serious problem with my Discover account, my Morgan Stanley account etc. None of which I have or have ever had. I'm sure they're phishing for sign-in opportunities.


today, i got a phone call phishing for passwords. the call came on my time warner phone line telling me that my verizon account had won a $140 credit. all i needed to do to get my credit was sign into my verizon account. i got that call 3 times today. i wonder how many people with verizon accounts got that call and immediately went to the website and gave their password and username. it's a good phish because most people established these accounts before people were so careful about passwords to pay bills and probably have the same password username for the bank account they use for online pay to their utility bills. because people are lazy and tend not to change older user names passwords or use the similar conventions that are enough to give a phisher with a good program enough to work with


> AB's right to mention phishing. I'd like to add social engineering. If you're the kind of person who puts place of birth, date of birth, pet's name, and a few other facts like that on your Facebook page--or elsewhere online--chances are anyone can call Amazon or Apple or even a bank and get a password reset by pretending to be you. The security question system is...pathetic.

 

Right, also you see a lot of password cracking (in the sense of trying passwords via public websites, not of obtaining hashes) and phishing in tandem - crack the easy ones, get gullible friends to give up hard ones.

 

RP - still depends on the password. For example, the universe of three-word, 11-character passwords made of lower case letters (we call it "mongo") is only about 2^42 large, and that's without considering dictionaries.

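Two points in the thread are worth seeing in code: that the brute-force results come from sites using a plain cryptographic hash instead of a password hash, and that a keyspace of about 2^42 is small when each guess costs one fast hash but not when it costs a deliberately slow one. The block below is an added example, not code from the thread or the Ars article. It uses the Python standard library's PBKDF2-HMAC-SHA256 as the slow, salted password hash (bcrypt, scrypt and Argon2 are the usual production choices, but they are not in the standard library), measures the per-guess cost of both hashes on the local CPU, and converts a keyspace size in bits into time-to-exhaust at the measured rate. The iteration count, the sample sizes and all function names are assumptions of the example; the measured numbers are for a single CPU core, not the GPU rates the thread mentions.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the example; in practice tune it to your hardware.
PBKDF2_ITERATIONS = 200_000


def fast_hash(password: str) -> bytes:
    """A plain cryptographic hash: one SHA-256 pass, no salt, no work factor."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def password_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """A purpose-built password hash: salted and deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> tuple:
    """What a site should store: a random per-user salt plus the slow hash."""
    salt = os.urandom(16)
    return salt, password_hash(password, salt)


def verify(record: tuple, guess: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    salt, digest = record
    return hmac.compare_digest(digest, password_hash(guess, salt))


def seconds_per_guess(hash_fn, samples: int) -> float:
    """Rough local measurement of how long one guess costs with a given hash."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn("guess%d" % i)  # constructed guesses; only the cost matters
    return (time.perf_counter() - start) / samples


def seconds_to_exhaust(keyspace_bits: float, guesses_per_second: float) -> float:
    """Time to try every password in a keyspace of 2**keyspace_bits at a given rate."""
    return 2.0 ** keyspace_bits / guesses_per_second


def compare(keyspace_bits: float = 42.0) -> dict:
    """Measure both hashes and report how long the keyspace lasts under each."""
    fast = seconds_per_guess(fast_hash, samples=20_000)
    salt = os.urandom(16)
    slow = seconds_per_guess(lambda p: password_hash(p, salt), samples=3)
    return {
        "fast_guesses_per_second": 1.0 / fast,
        "slow_guesses_per_second": 1.0 / slow,
        "slowdown_factor": slow / fast,
        "fast_exhaust_seconds": seconds_to_exhaust(keyspace_bits, 1.0 / fast),
        "slow_exhaust_seconds": seconds_to_exhaust(keyspace_bits, 1.0 / slow),
    }


if __name__ == "__main__":
    result = compare()
    for key, value in result.items():
        print(f"{key:26} {value:.3g}")
    print("2^42 at 1e9 guesses/s (GPU-class fast hash):",
          f"{seconds_to_exhaust(42, 1e9) / 3600:.1f} hours")
```

The "mongo" figure from the post is the input to the last line: 2^42 guesses at a billion fast hashes per second is a little over an hour, while the same keyspace behind a slow hash at the locally measured rate comes out in years, which is the whole reason the advice is "use bcrypt with proper salting" rather than "use a longer password".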

I've been reading along here and have been unpleasantly impressed with the effectiveness of cracking programs. That said (and perhaps I've missed it), isn't that effectiveness somewhat blunted by systems that restrict unsuccessful login attempts to three or four in a row? Other systems actually lock the account if a specific number of failed attempts is reached.


> I've been reading along here and have been unpleasantly impressed with the effectiveness of cracking programs. That said (and perhaps I've missed it), isn't that effectiveness somewhat blunted by systems that restrict unsuccessful login attempts to three or four in a row? Other systems actually lock the account if a specific number of failed attempts is reached.

 

Yes, that does help, unless the problem is hackers accessing the database and exporting the passwords.
