Most people feel their passwords are relatively safe; after all, they are at least six characters long, probably with some numbers and special characters thrown in for good measure. For a long time, this was actually true, as the computing power required to crack such passwords was either unavailable or prohibitively expensive. Well, not any longer. The art of password cracking has advanced more in the last five years than in the last five decades combined. In my last post, I talked about how bitcoin miners use very fast processors such as GPUs and ASICs to handle the billions of calculations required. Password cracking is a similar pursuit.



There are different ways passwords are stored on a computer, but they all involve translating plain text into a code using mathematical formulas. A common method used by Microsoft is the NTLM hash. If a hacker has access to the location on a computer or server where the passwords are stored, all they have to do is take each password hash and run software that tries every possible combination of characters until it finds one that produces the same hash as the one obtained. However, this technique doesn’t apply to online attacks, as most websites limit the number of guesses that can be made for a particular password. So what the hackers do is copy the entire password hash table to an external storage device and run their cracking hardware/software until every single one of those password hashes is revealed as plain text. According to the Bergofsky Principle, this is guaranteed to happen.

The main problem associated with this method of finding passwords (called a brute force attack) is that for each character added to the password, the number of possible combinations grows exponentially. For example, based on a set of 95 allowable characters (lowercase and uppercase letters, numbers, and symbols), an 8-character password will have 95^8 (95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 = 6.63 million billion) possible combinations, while a 20-character password will have 95^20 (3.6 x 10^36) possible combinations. Therefore, a computer tasked with generating this many different combinations in the shortest possible time has to be able to handle a large number of simultaneous calculations. This is where GPUs step in.

A GPU (Graphics Processing Unit) is a computer chip dedicated to graphics-related tasks, which require a lot of calculations to be carried out simultaneously and repetitively. However, with some good C programming, a GPU can be reconfigured for other purposes. Password crackers can use these GPUs to generate and cross-check billions of hashes in a very short time. For example, a computer equipped with four AMD Radeon HD6990 GPUs can generate up to 88 billion guesses in one second. ONE SECOND. At these insane rates, any weak password can be cracked within a couple of hours; the fewer the characters, the easier it is to crack. The point at which most passwords begin to become difficult to crack is currently around 9 characters. However, this could also be mincemeat for the processors of the near future.

Anyone familiar with Dan Brown's book Digital Fortress might recall a powerful computer named TRANSLTR, which could break any code in the world. Well, someone called Gosney has come up with something approaching that: a cluster of 25 GPUs which can generate up to 350 billion guesses per second. This is achieved by running five servers on a Linux platform that allows the GPUs to behave as if they were all mounted on the same computer. Using this beastly set-up in tandem with oclHashcat-plus, a freely available password cracking suite, the machine runs at an amazing speed and can crack any 8-character password (95^8 possible combinations) in just 5.3 hours. Seven characters would take just 200 seconds, and six characters a measly 2.1 seconds. Only from 9 characters (500 hours) and above do we begin to see any significant times taken to find passwords.
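To see where the figures in the last two paragraphs come from, here is a small keyspace calculator added as an example (not code from the post). It assumes the 95-character set and the two guess rates quoted above, treats the time to exhaust a keyspace as keyspace divided by rate, and also answers the question a defender actually cares about: how long must a password be before exhausting its keyspace takes longer than a chosen target time?

```python
from typing import List, Tuple

# Guess rates quoted in the post, in hashes per second: four HD6990 GPUs and
# Gosney's 25-GPU oclHashcat-plus cluster.
RATES = {"4x HD6990": 88e9, "25-GPU cluster": 350e9}
CHARSET = 95  # printable ASCII: upper, lower, digits and symbols


def keyspace(length: int, charset: int = CHARSET) -> int:
    """Number of candidate passwords of exactly this length: charset ** length."""
    return charset ** length


def seconds_to_exhaust(length: int, rate: float, charset: int = CHARSET) -> float:
    """Worst case: every candidate tried once; on average a hit comes in half this time."""
    return keyspace(length, charset) / rate


def min_length_for(target_seconds: float, rate: float, charset: int = CHARSET) -> int:
    """Shortest length whose full keyspace takes longer than target_seconds at this rate."""
    length = 1
    while seconds_to_exhaust(length, rate, charset) <= target_seconds:
        length += 1
    return length


def crack_table(lengths: List[int], rate: float) -> List[Tuple[int, int, float]]:
    """(length, keyspace, hours-to-exhaust) rows, e.g. the post's 6/7/8/9-character figures."""
    return [(n, keyspace(n), seconds_to_exhaust(n, rate) / 3600) for n in lengths]


if __name__ == "__main__":
    for name, rate in RATES.items():
        print(f"{name}: {rate:.0e} guesses/s")
        for n, space, hours in crack_table([6, 7, 8, 9, 10, 12], rate):
            print(f"  {n:2d} chars: {space:.2e} candidates, {hours:14.3f} h to exhaust")
    one_year = 365 * 86400
    print("length needed to outlast a year at 350e9/s:",
          min_length_for(one_year, RATES["25-GPU cluster"]))
```

Running it reproduces 5.3 hours, 200 seconds, 2.1 seconds and 500 hours for 8, 7, 6 and 9 characters at 350 billion guesses per second, and shows that 10 characters are the first length whose full keyspace outlasts a year on that cluster.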

What all this means is that we are now in an era where anyone with a few hundred dollars can crack a password. Unfortunately, a series of leaks over the past few years containing more than 100 million real-world passwords has provided crackers with important new insights into how people in different walks of life choose passwords on different sites or in different settings. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script noobs can perform with ease.

While this is, quite frankly, worrying news, there is still a glimmer of hope for us. First of all, new algorithms have been introduced that make brute force attacks quite difficult, for example a technique known as salting. In a nutshell, salting involves adding a sprinkling of random characters to a password, at locations known only to the computer/server. Therefore, even if the password hash is obtained and decoded, the hacker will not be able to tell which characters belong to the original password and which ones were introduced by the salting process. We can also be smarter in our selection of passwords. As we have seen, 9 characters should be the minimum length, and adding symbols and special characters makes it significantly more difficult to crack your password.
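The following is an added example (not code from the post) of what salting looks like on the server side, using SHA-256 and a random 16-byte salt stored beside each digest. The user table and wordlist are constructed for the demonstration; the point it shows is that without salts two users with the same password share one digest and a single precomputed hash lookup breaks both at once, while with salts every digest is unique and the attacker's work cannot be shared across users.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample: two users who picked the same weak password.
USERS = {"alice": "Password1!", "bob": "Password1!", "carol": "correct horse"}


def unsalted_hash(password: str) -> str:
    """Plain hash: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Prepend a per-user random salt before hashing; the salt is stored with the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(salted_hash(password, salt)[1], stored)


def build_table(users: Dict[str, str], salted: bool) -> Dict[str, Tuple[bytes, str]]:
    """Simulate a leaked password table, with or without salting."""
    return {name: (salted_hash(pw) if salted else (b"", unsalted_hash(pw)))
            for name, pw in users.items()}


def precomputed_matches(table: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Dict[str, str]:
    """One hash per candidate, then a lookup for every user: cheap against unsalted
    digests, useless against salted ones because each digest depends on its own salt."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    return {name: lookup[d] for name, (_, d) in table.items() if d in lookup}


if __name__ == "__main__":
    words = ["Password1!", "letmein", "qwerty"]
    print("unsalted:", precomputed_matches(build_table(USERS, salted=False), words))
    print("salted:  ", precomputed_matches(build_table(USERS, salted=True), words))
```

In production the salted SHA-256 here would be replaced by a deliberately slow password hash so that each guess costs the cracker far more than one GPU hash operation; the salt handling stays the same.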

I hope I haven’t scared you too much, but this is an important issue relating to the security of our online accounts. Sadly, with the number of different website login credentials we have to remember (Twitter, Facebook, Gmail, Tumblr, Path, etc.), it’s difficult to keep track of, say, six or seven different 9-character passwords. So like the legend of the phoenix, I end with the beginning (Get LUCKY!!), and ask “How safe is your password?”

#Note: The author does not claim ownership of any information contained in these posts. Any similarity with real-life articles is purely coincidental.

Author: Ope Akapo


