Just when you thought your password was safe...

Joined
14 August 2003
Messages
2,401
Location
Toronto, Canada
Good layman's level article explaining the current state of the art on advanced dictionary based attacks using easily available equipment. The scary part is how they describe a $12k box using 8 of the GPU's that my company designs for compute and high end graphics are used to crunch through 74 BILLION MD5 hashes every SECOND!

What this means is that all manner of advanced dictionary attacks using 100M+ entry dictionaries are now computationally feasible:

http://arstechnica.com/security/2012/08/passwords-under-assault/

The bottom line is if you thought putting two common words together, and throwing a capital and a few numbers or punctuation at the end of a word was enough to thwart brute force attacks, you need to think again.
 
Last edited:
Thanks for the link. Here's the takeaway at the end of the article for those that don't have the desire to read through all 4 pages:

So what can the average person do to pick a passcode that won't be toppled in a matter of hours? Per Thorsheim, a security advisor who specializes in passwords for a large company headquartered in Norway, said the most important attribute of any passcode is that it be unique to each site.

"For most sites, you have no idea how they store your password," he explained. "If they get breached, you get breached. If your password at that site is unique, you have much less to worry about."

It's also important that a password not already be a part of the corpus of the hundreds of millions of codes already compiled in crackers' word lists, that it be randomly generated by a computer, and that it have a minimum of nine characters to make brute-force cracks infeasible. Since it's not uncommon for people to have dozens of accounts these days, the easiest way to put this advice into practice is to use program such as 1Password or PasswordSafe. Both apps allow users to create long, randomly generated passwords and to store them securely in a cryptographically protected file that's unlocked with a single master password. Using a password manager to change passcodes regularly is also essential.

Given the sophistication of the crackers, anything less simply means your password is trivial to break.

"The whole password-cracking scene has changed drastically in the last couple years," said Weir, the Florida State University post-doctoral student. "You can look online and you can generally find passwords for just about everyone at some point. I've found my own username and passwords on several different sites. If you think every single website you have an account on is secure and has never been hacked, you're a much more optimistic person than I am."
 
What I don't understand is how they can use brute force attacks on websites. It is pretty easy for a site to lock an account if too many failed login attempts are made. Even if a website allowed an unlimited amount of attempts the lag of sending each request through the internet would stop most brute force attempts to take too long to be feasible.

When Zip files are encrypted and they have a copy of the file I can understand how it is easy to use a brute force attack and come up with the password if it isn't a long or complicated password. I imagine this would be a way to crack just about any encrypted file that you had access.
 
Most likely, you would not attack a single user on a website. Using the "login" page, there are all those security measures you listed.

Instead, you attack the admin (or root) account on the server itself or a web service that requires a login.
 
What I don't understand is how they can use brute force attacks on websites. It is pretty easy for a site to lock an account if too many failed login attempts are made. Even if a website allowed an unlimited amount of attempts the lag of sending each request through the internet would stop most brute force attempts to take too long to be feasible.

They don't attack the web sites directly, instead hackers steal the password files and then try to decrypt the data on their own machines. The blame really lies on the site owners who fail to take appropriate measures to protect their password files properly.
 
Last edited:
So if they go after the password file for the website once they crack that file they have all of the usernames and passwords. So it really doesn't matter whether or not you use a long or short password.

I guess the moral of the story is to use a different password for websites so that if one site is compromised they can't use your username and password on other sites to gain access.
 
So if they go after the password file for the website once they crack that file they have all of the usernames and passwords. So it really doesn't matter whether or not you use a long or short password.

I guess the moral of the story is to use a different password for websites so that if one site is compromised they can't use your username and password on other sites to gain access.

Yes, although it's not just a simple matter of "cracking the file". The passwords in the files are usually individually encrypted, but unless they use a highly secure method to perform the encryption, hackers can crack the passwords pretty easily.

Anyway, per the quote from my post above:

"For most sites, you have no idea how they store your password," he explained. "If they get breached, you get breached. If your password at that site is unique, you have much less to worry about."
 
Last edited:
So if they go after the password file for the website once they crack that file they have all of the usernames and passwords. So it really doesn't matter whether or not you use a long or short password.

I guess the moral of the story is to use a different password for websites so that if one site is compromised they can't use your username and password on other sites to gain access.

Having different passwords for different sites certainly helps, but this article goes to show that the problem is much bigger. Length of the password and the structure of the password is actually very important.

The way these attacks work is that someone uses an SQL injection attack or some other method to get access to a large number of user/password combinations. Usually these passwords are stored in encrypted form as a hash. Think of a hash as a one-way encryption. When you type in your password to login, it uses the same hash function on your input and then compares the encrypted results to authenticate.

So now that a hacker has a large database of users and hashed passwords, he uses a dictionary attack on the encrypted password because a brute force attack where you try every possible combination of letters, numbers, punctuation, etc is generally not computationally feasible.

Now imagine that dictionary is VERY large, eg. 100 million or more entries. This dictionary is not just a dump of the english language, but a dump of all common passwords that people use based on previous password lists that have been reversed or retrieved in plaintext. So if someone used crazyG00d, now that is entered into their dictionary. More common ones like Jason123 are obviously all in there. Every birthday is already in there. etc.

Now when you have something that is extremely fast, like our GPU's where some guy built a rig that can do 75 billion of these hashes every second, you can imagine a scenario where you can start doing more advanced attacks. Like use two word combinations from words in your dictionary. Or capitalize the first letter of every word in your dictionary and try that. Or append a single digit number to every word in your dictionary. Then double digit number. Then triple digit. Then punctuation marks. etc.

When you look at millions of common passwords, you also start to see common themes. People usually use punctuation at the end, eg. putting a exclamation mark at the end. Or they typically capitalize the first letter only. Using this, you can really narrow down the number of combinations you have to try.

So the bottom line is... if you use longer passwords, if you are more careful about where you put the numbers and punctuation and capital letters, the more random the letters are, the more likely you are to be safe from this type of dictionary based attack.
 
<iframe width="560" height="315" src="http://www.youtube.com/embed/a6iW-8xPw3k" frameborder="0" allowfullscreen></iframe>
 
Back
Top