Why passwords have never been weaker—and crackers have never been stronger

hugsy · Aug 21, 2012

Why passwords have never been weaker—and crackers have never been stronger

source: -http://arstechnica.com/security/2012/08/passwords-under-assault/-

"Within days of the Gawker breach, for instance, a large percentage of the password hashes had been converted to plaintext, a feat that gave crackers an even larger corpus of real-world passwords to inform future attacks. That collective body of passwords has only snowballed since then, and it grows ever larger with each passing breach. Just six days after the leak of 6.5 million LinkedIn password hashes in June, more than 90 percent of them were cracked.

For example, as noted above, many website users have a propensity to append years to proper names, words, or other strings of text that contain a single capital letter at the beginning. Using brute-force techniques to crack the password Julia1984 would require 629 possible combinations, a "keyspace" that's calculated by the number of possible letters (52) plus the number of numbers (10) and raising the sum to the power of nine (which in this example is the maximum number of password characters a cracker is targeting). Using an AMD Radeon HD7970, it would still take about 19 days to cycle through all the possibilities.

But with few exceptions, the exponential wall rarely impedes most password crackers. As demonstrated by the RockYou dump, the typical person is notoriously sloppy when choosing a passcode. A full 70 percent of them contained eight characters or less. Only 14 million of the 32 million total were unique, showing that a large percentage of passwords are duplicates.

A key part of his success—besides his 500-million-strong word list and a computer equipped with four AMD Radeon HD6990 graphics cards—was the decision by LinkedIn engineers to hash passwords using SHA1. The algorithm uses a single cryptographic iteration to convert plaintext, allowing Gosney's system to cycle through more than 15.5 billion guesses per second.

But with few exceptions, the exponential wall rarely impedes most password crackers. As demonstrated by the RockYou dump, the typical person is notoriously sloppy when choosing a passcode. A full 70 percent of them contained eight characters or less. Only 14 million of the 32 million total were unique, showing that a large percentage of passwords are duplicates. Atom, the Hashcat developer and password-cracking expert, estimates that 66 percent of entries from the typical unsalted hash list can be cracked by a single person in less than two days."
Click to expand...

Awesome read (entire article). I agree with everything, apart advice for "good password hygiene". If you use password manager with master password, than you repeat the error why you use it in the first place, to have truly strong and unique passwords for everything. Master password beats the purpose of "uniqueness"

Log in or Sign up

Why passwords have never been weaker—and crackers have never been stronger

hugsy Registered Member

Log in or Sign up

Why passwords have never been weaker—and crackers have never been stronger

hugsy Registered Member

Useful Searches