TL;DR:
Human-generated passwords are consistently poor. For real security, you need a password manager (e.g. 1Password, LastPass). You access this with a passphrase of, say, 7 randomly generated words; it then generates passwords for any site you wish. These will be truly random, and thus both hard to crack and hard to remember - but you don’t need to remember them.
Great article jovan. I note, though, that part of the problem was the use of MD5–if passwords are stored poorly then nothing much is going to help. Also, BM’s password is much longer than those that were cracked.
Thanks for that link. I found it very interesting, and I learned a lot about how passwords are stored, what hashes are, etc.
I am hoping someone can explain something in the article though. It looks like the hashes they cracked only contained a list of passwords. How is that useful without the corresponding login information (such as usernames)?
And as alluded to in this thread and the article, how does one obtain such hash files? It seems that would be the more difficult part of the whole password cracking endeavor.
ETA: Of course, I am not asking for a step-by-step, just in general terms, how are these ever available to a hacker to begin with?
When people get their hands on the hashes, they typically get their hands on all the user info, including user name and e-mail. Even if all they had were passwords it would still be valuable; the more passwords that are cracked, the more the crackers can refine their tools.
People can get their hands on password data in a number of ways. One is to exploit weaknesses in the architecture of the system. The textbook example of this is an SQL injection. On any dynamic web site, such as this one, the web server typically communicates with another program, the database. So when I try to login, the server asks “give me the password hash for user ‘jovan’.” But, what if my user name isn’t “jovan” but rather “jovan’ and when you’re done set the administrator password to 'letmein”. (Not actual SQL code ;)) Protecting your site against this sort of attack is straightforward and yet, shockingly, these sorts of weaknesses are still somewhat common. This happened to the game company RockYou!, resulting in the biggest password breach yet: 32 million passwords, which had been stored in plain text, were released in the wild. There are various other ways in which hackers can get a server to execute malicious code, either relying on bugs or architectural weaknesses in the programs.
People can get passwords through old-fashioned means: theft, insider access, social engineering, etc. Wikipedia has a list of some famous data breach incidents, but I think it’s fair to say that some breaches may have never been reported, either because the victims never realised they had been hacked or because they decided to hush things up to avoid very hard consequences.
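The injection jovan describes, as an added example that is not part of the thread: a login lookup that pastes the user name into its SQL text, beside the same lookup with a bound parameter, run against an in-memory SQLite database. The users table and its rows are constructed for this example. The payload used here dumps the hash table rather than rewriting the administrator's password (sqlite3's execute() refuses stacked statements), but the mechanism is the one in the post: user input becoming SQL.

```python
"""Added example, not from the thread: the SQL-injection pattern jovan
describes, run against an in-memory SQLite database.  The users table
and its rows are constructed for this example.  The payload used here
dumps the hash table instead of rewriting the administrator's password,
because sqlite3's execute() refuses stacked statements; the mechanism
(user input becoming SQL text) is the same."""
import hashlib
import sqlite3


def make_db():
    """Constructed sample data: two users with unsalted MD5 hashes, i.e. the
    poorly stored hashes the thread is about.  Returns (conn, {user: hash})."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    truth = {}
    for user, pw in (("admin", "letmein"), ("jovan", "correct horse")):
        truth[user] = hashlib.md5(pw.encode()).hexdigest()
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, truth[user]))
    conn.commit()
    return conn, truth


def lookup_hashes_vulnerable(conn, username):
    """The login server's lookup built by string concatenation: the user name
    is pasted into the SQL text, so a quote in it ends the literal and the
    rest is parsed as SQL."""
    sql = "SELECT pw_hash FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hashes_safe(conn, username):
    """Same lookup with a bound parameter: the driver hands the user name to
    the engine as data, never as SQL, so quotes and keywords in it are inert."""
    sql = "SELECT pw_hash FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn, truth = make_db()
    # A "user name" that closes the quoted literal and tacks on an always-true
    # condition.  The concatenated query becomes
    #   SELECT pw_hash FROM users WHERE username = 'x' OR 'a'='a'
    # which matches every row: the attacker walks away with every hash
    # without knowing a single user name.
    payload = "x' OR 'a'='a"
    return {
        "truth": sorted(truth.values()),
        "leaked": sorted(lookup_hashes_vulnerable(conn, payload)),
        # The parameterised query looks for a user literally named x' OR 'a'='a
        "safe": lookup_hashes_safe(conn, payload),
        # ...while still serving the legitimate lookup.
        "legit": lookup_hashes_safe(conn, "jovan"),
    }


if __name__ == "__main__":
    r = demo()
    print("vulnerable query leaked", len(r["leaked"]), "hashes:", r["leaked"])
    print("parameterised query returned:", r["safe"])
    print("legitimate lookup for jovan:", r["legit"])
```

The fix is the one jovan calls straightforward: never build the query from the user's string; bind it as a parameter and let the driver keep data and SQL apart.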
Thanks to this thread and that article, I have signed up for lastpass and changed all my passwords everywhere to extremely long random strings of alphanumeric characters, and my lastpass master password is very long containing words and numbers and lastpass ranks it as 100% secure, so I think I’m good to go now. The password I had been using for nearly everything was ranked as 11.6% secure by lastpass, lol. I think a cracker would have gotten it in less than an hour from a poorly hashed leak.
It’s kind of a funny feeling knowing that I don’t know my straight dope password, or my banking password, or facebook or anything, but now they are all unique uncrackable passwords and if any one of them gets compromised, I’m fine across the board.
I guess I just have to trust lastpass not to get hacked and cracked. I know that they run theirs through 5000 iterations of hashing with a much more advanced hashing algorithm than MD5 though, so I think I trust them.
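What "5000 iterations of hashing" buys, as an added example that is not part of the thread: each password is stored with its own random salt and a deliberately slow, iterated key derivation, so a leaked table cannot be attacked with a precomputed table and every guess costs the cracker 5000 hash computations instead of one MD5. PBKDF2-HMAC-SHA256 stands in here for the unnamed "more advanced" algorithm in the post; the record format and the timing loop are this example's own.

```python
"""Added example, not from the thread: what '5000 iterations of hashing'
buys you.  PBKDF2-HMAC-SHA256 stands in here for the unnamed algorithm in
the post.  Each password gets its own random salt, so a leaked table
cannot be attacked with a precomputed (rainbow) table, and every guess
costs the cracker 5000 HMAC computations instead of one MD5."""
import hashlib
import hmac
import os
import time

ITERATIONS = 5000  # the count quoted in the post; current guidance is far higher


def store(password: str, iterations: int = ITERATIONS) -> str:
    """Return the string a server would keep: algorithm, count, salt, derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guesses_per_second(check, seconds: float = 0.2) -> float:
    """Rough guesses/second this machine manages for one candidate-checking
    function (timing-based, so the absolute number varies by machine)."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        check(f"guess{n}")
        n += 1
    return n / seconds


def slowdown_factor() -> float:
    """How many times fewer guesses per second the cracker gets against a
    PBKDF2 record than against a plain unsalted MD5 one."""
    record = store("x")
    md5_rate = guesses_per_second(lambda g: hashlib.md5(g.encode()).hexdigest())
    pbkdf2_rate = guesses_per_second(lambda g: verify(g, record))
    return md5_rate / pbkdf2_rate


if __name__ == "__main__":
    rec = store("hunter2")
    print(rec)
    print("correct password verifies:", verify("hunter2", rec))
    print("wrong password verifies:", verify("hunter3", rec))
    print("same password, new salt, different record:", store("hunter2") != rec)
    print(f"PBKDF2 slows guessing by roughly {slowdown_factor():.0f}x vs MD5")
```

The slowdown is per guess, so it multiplies whatever the cracker's hardware can do; it does not rescue a short or patterned master passphrase, which is why the iteration count and a long random passphrase go together.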
It’s the same as my e-mail address. Which I’d rather not say in the thread for the simple reason that I don’t want to get on roboticized spam e-mail lists, but it’s visible in my profile.
How about special characters? What happens if I type a unicode character in another language as a password, or an Alt + number code? Or even more common special characters, like accented characters or £? Aren’t those more secure (to manual guessing)?
Processing power has advanced a lot - are there any cases where passwords that initially took centuries to crack became crackable due to increased processing power?
Yes. But did you ever try to type one of these in your phone?
I am gravitating towards phone-typeable passphrases: a lot longer than I used to use.
sustainabledentalballoonfilament46395881
To me this is just five elements and not too difficult to remember. And if I needed a mnemonic, it is not too hard to write something cryptic in plain sight that is meaningful only to me. (Green Dr Smithers bubbles tungsten in Paeroa)
To someone who finds my mnemonic written, have fun. If you get it, then I am impressed. To a brute force hacker – good luck. I am not going to even count the length. To someone using a rainbow table or other hacking dictionary method, there is a chance that four of these elements may be found, but combination with that last one is exceedingly unlikely
I have a lot of numbers that I have memorised over the years. Decades old phone numbers, addresses, photocopier PINs from seven workplaces ago, expired ID numbers, that kind of thing. They are great as parts of a password since they are already memorised, have a high degree of entropy and are not likely to be either brute-forced or be harvested in hacks. It is not even possible to tell from the number alone what the source of the number is, and if there is any doubt, it is easy to truncate a couple of digits. Therefore the numbers cannot be readily traced back to me.
I think I posted this before, but in case I didn’t.
I read an article once that suggested that one can make very secure passwords that are easy to remember.
Take the first 4 characters of your name (or someone else’s name, as long as you remember it) and the first 4 characters of the website name.
Pick a special character that you will remember. Let’s use * for this example.
Pick a 4 digit number that you will remember. Last 4 of your very first phone number, for example.
Put them together, capitalizing the first letter of each string in step 1 and separating the strings with the special characters. For example, if I wanted to log into Google, my password might be ClotGoog4908. I could split the number string if I wanted to, as well: Clot49Goog08.
Use that formula every time you have to come up with a password. According to various strength checkers, that is a very viable password. Here’s the result from one checker:
HOW SECURE IS MY PASSWORD?
It would take a desktop PC about
26 million years
to crack your password
Breaking into the bank? It’s not as hard as you would think. Despite how much information they hold about you, and how ruinous it would be for that financial information to be compromised, lots and lots of financial institutions are ridiculously cavalier about security.
Fidelity (and Etrade) both do not allow special characters in passwords. This is the case with many MANY financial institutions, but I highlighted a couple of big ones here.
Many banks don’t actually honor case sensitivity, and often you can use your account number as your user ID. The same account number that’s on every check you write…
But by far the easier thing to do is for someone to compromise a really easy site, like the PlayStation Network, or the Frilly Tablecloth Message Board. Sites where the security is lower and the attack vectors are more likely to work. Once they get those password lists, they typically also get an e-mail account. Lots of people are dumb enough to use the same password on their e-mail as their chat board, so now your e-mail account is compromised. Then they use automated programs to slurp across the internet clicking the “Forgot password” link on every financial institution they can, and they put in your e-mail address. From there it is relatively easy to transfer your money somewhere else, or see what credit cards you have set up to auto-pay and move on to doing bad stuff there. Or ordering a bunch of stuff from Amazon and having it shipped to their PO box.
And those strength checkers would be wrong. Let’s look at how big the password space is for that method:
You start with four letters, the first of them capitalized. They’re not even random, since an attacker might know your name, and even if they don’t, some combinations of letters are much more common than others, but let’s assume that they are random. That’s a factor of 26^4.
Then you have a special character. I count 32 of those available on my keyboard (assuming they’re all acceptable in a password, which they might not be). Again, they’re not random, since people are probably going to pick *$% etc. rather than ~`\, but let’s assume that they are. That’s another factor of 32, then.
Then there’s the first four letters of the website’s name. There’s no way that an attacker could not know this, so that’s a factor of 1.
Finally, we’ve got the four-digit number. That’s a factor of 10^4.
Multiply all of these together, and this method only allows for about 146 billion passwords. If a computer can test a hundred million per second (realistic for a home desktop with a GPU), that means that they’ll get it in 24 minutes.
But it gets worse than that, even. Suppose the attacker sets up a website called SillyGames.com, and requires you to set up an account to play their games. Now suppose that they see your password (that you gave to them, so this takes no effort at all) is ClotSill4908 . They’re going to immediately figure out what rule you’re using, and try it all over the Internet: ClotGoog4908 at Google, ClotFace4908 at Facebook, ClotCiti4908 at Citibank, and so on. Computer time required: Essentially zero, and they didn’t even need leaked password files from the bank.
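Chronos's arithmetic and his rule-transfer attack, carried out in code as an added example that is not part of the thread. The 1e8 guesses/second rate, the observed password ClotSill4908 and the site names are his; the symbol set used for the factor of 32 is the 32 printable ASCII punctuation characters, and the rule-recovery function is this example's own illustration of "they're going to immediately figure out what rule you're using".

```python
"""Added example, not from the thread: Chronos's arithmetic for the
'name + symbol + site + number' recipe, and the rule-transfer attack in his
last paragraph.  The 1e8 guesses/second rate, the observed password
ClotSill4908 and the site names are his; the symbol set is the 32
printable ASCII punctuation characters."""
import math
import string

SPECIALS = string.punctuation  # 32 printable ASCII punctuation characters


def recipe_keyspace(name_letters: int = 4, number_digits: int = 4) -> int:
    """Distinct passwords the recipe can produce, being generous to the user:
    name letters and symbol uniformly random, site prefix known (factor 1)."""
    return (26 ** name_letters) * len(SPECIALS) * 1 * (10 ** number_digits)


def keyspace_bits(keyspace: int) -> float:
    """The same number expressed as bits of entropy."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float = 1e8) -> float:
    """Worst case for the attacker: every candidate tried."""
    return keyspace / guesses_per_second


def infer_rule(observed: str, site: str):
    """From one password seen at one site, recover the fixed parts around the
    site-derived piece.  Returns (prefix, suffix) with
    prefix + Site4 + suffix == observed, or None if the pattern is absent."""
    site4 = site[:4].capitalize()
    i = observed.find(site4)
    if i < 0:
        return None
    return observed[:i], observed[i + len(site4):]


def predict(rule, site: str) -> str:
    """Apply a recovered rule to another site: zero guesses needed."""
    prefix, suffix = rule
    return prefix + site[:4].capitalize() + suffix


if __name__ == "__main__":
    ks = recipe_keyspace()
    print(f"keyspace: {ks:,} (~{keyspace_bits(ks):.1f} bits)")
    print(f"exhausted at 1e8/s in {seconds_to_exhaust(ks) / 60:.1f} minutes")
    print(f"ten such recipes: {seconds_to_exhaust(10 * ks) / 3600:.1f} hours")
    rule = infer_rule("ClotSill4908", "SillyGames")
    for site in ("Google", "Facebook", "Citibank"):
        print(site, "->", predict(rule, site))
```

The keyspace comes to about 37 bits, which is why the "26 million years" from the strength checker is meaningless: the checker scores the string, not the recipe that produced it.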
Chronos did a great job explaining why Clothahump’s method doesn’t work so I’ll just add that password strength checkers are pretty much worthless. They’ll catch the passwords that are really, really easy to guess. However, the only way to know if a password is truly secure is to try and crack its hash. Any service that gives you an answer in less than several hours didn’t really try.
Really, the consensus among security researchers is that passwords should be long, *thoroughly* random, and completely different on every site. In practice, the best way to manage this is with password managers. You protect your password list with a random passphrase. Any easy recipe just makes crackers’ job that much easier.
Oh, and in case Clothahump objects that the attackers might not know what technique he uses: You saw that technique in an article somewhere. Lots of other people saw the same article, and took the same advice. The attackers saw that article too. Now, that’s not the only method of generating passwords out there. Maybe it’s, say, one of the top ten used methods. OK, then, the attackers will try generating passwords according to all ten of those methods. Now, instead of taking 24 minutes to crack your password, you’ve gotten it up to 4 hours. It still sucks.
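The setup jovan recommends, as an added example that is not part of the thread: a random master passphrase and per-site random passwords generated with Python's secrets module (a CSPRNG, unlike the random module), with their entropy worked out against the recipe above. The ten-word list embedded here is constructed so the block runs offline; the 7776-word figure is the size of a standard Diceware list, and the 1e8 guesses/second rate is Chronos's.

```python
"""Added example, not from the thread: the manager-plus-passphrase setup
jovan recommends, generated with Python's secrets module (a CSPRNG, unlike
random).  The ten-word list embedded here is constructed so the block runs
offline; a real Diceware list has 7776 words, which is the size used for
the entropy figures below."""
import math
import secrets
import string

# Constructed stand-in for a Diceware-style list; real lists have 7776 entries.
DEMO_WORDLIST = ["sustainable", "dental", "balloon", "filament", "tungsten",
                 "bubbles", "paeroa", "smithers", "green", "doctor"]
DICEWARE_SIZE = 7776
ALNUM = string.ascii_letters + string.digits  # 62 characters


def passphrase(words: int = 7, wordlist=DEMO_WORDLIST) -> str:
    """Master passphrase: words chosen uniformly and independently, with
    replacement, so the entropy is exactly words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def site_password(length: int = 20, alphabet: str = ALNUM) -> str:
    """One throwaway random password per site; nobody needs to remember it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy for `picks` uniform, independent draws from `choices`."""
    return picks * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e8) -> float:
    """Worst case for the attacker at Chronos's 1e8 guesses/second."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("master passphrase:", passphrase())
    print("a site password:  ", site_password())
    for label, bits in (("7 Diceware words", entropy_bits(DICEWARE_SIZE, 7)),
                        ("20 alphanumerics", entropy_bits(62, 20)),
                        ("name+symbol+site+number recipe", math.log2(146_232_320_000))):
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years at 1e8/s")
```

Seven words from a 7776-word list is about 90 bits, a 20-character alphanumeric string about 119 bits, against roughly 37 bits for the recipe; and because each word or character is drawn independently, there is no rule for an attacker to recover from seeing one of them.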
Chronos beat me to it (by only a day …) Plus, he did the math, where I wouldn’t have bothered.
If an article recommends any kind of pattern that’s easier for you to remember, it becomes a great source of a pattern for a hacker to add to his list of good things to try.
The exceptions are when the recommendation isn’t a pattern and doesn’t recommend anything that anyone who knows all your personal info might guess.
The LAST thing to put in a password is any part of your user ID or any part of the site name or anything anyone who knows a lot about you might guess.
Dang. I use that site*, too, and now it has no credibility for me. Fortunately, I’ve switched most of my important passwords over to randomly-generated ones from KeePass.