[LINK] Why passwords have never been weaker—and crackers have never been stronger

Robin Whittle rw at firstpr.com.au
Sun Aug 26 12:39:12 AEST 2012


Hi Kim,

Thanks for mentioning this:

> http://arstechnica.com/security/2012/08/passwords-under-assault/

I think this is a fascinating discussion of a number of developments
which mean that password security depends very much on using long and
genuinely unique passwords which are not based on simple word combinations.

I knew that password reuse was a significant problem.  It means that if
hackers get a password nnnn for user xxx whose email address is known
then they can easily try nnnn as the password for that user, via their
email address as an account name, on other popular websites with a high
rate of success.

The article's first page doesn't state the following (it is on page 2):
when someone gains root access or similar to a site, they can retrieve a
file of password hashes - each consisting of an account name (which
often is, or can be linked to an email address and/or the user's full
name or nom-de-Net) and the hash of their password using a hash
algorithm which would be known to the hackers.  The hash is a
goggledegook-like string of characters.  Their computational task then,
for each such entry, is to find a piece of text which when hashed,
produces this same string of gobbledegook-like text.  That piece of text
is the password.

With a list of thousands of hashes, each such result can be compared
with all the hashes, so this is a "brute-force" method of finding
passwords for thousands of accounts.  The hash function and the
comparison with thousands of hashes are both computationally highly
intensive, though there would be ways of speeding up the comparison
stage to make it much faster than slavishly comparing each one.

What I hadn't realised is that modern graphics processing cards are
extraordinarily good at doing these computations.  The article mentions
the AMD Radeon HD 7900 graphics card.  This comes with 3GB of RAM and
according to the specs,

http://www.amd.com/us/products/desktop/graphics/7000/7970/Pages/radeon-7970.aspx#3

its numerous processors (I am not sure how many) can perform 3,790
billion floating point calculations a second, with a memory bandwidth of
264GB/sec.

The article states that a single HD 7900 can try 8.2 billion passwords a
second.  This means trying 8.2 billion different potential passwords by
hashing them and comparing the hash to one or more hashes from the
stolen file.

Someone spent $12k to build a PC with 8 of these cards.  The article
states that it takes 12 hours to try every 8 character combination of
upper and lower case letters, numbers and punctuation characters.

Hackers typically wouldn't bother going to this sort of expense.  They
typically have botnets of thousands to hundreds of thousands of hacked
PCs (all, or almost all, of them Windows machines I think) and many of
these machines are fitted with fancy graphics cards for gaming, which
can be put to work cracking passwords!

This "password cracking" is only possible if the hacker has the
presumably stolen "shadow password" file or its equivalent - containing
user names paired with the hash of their password.  This may be hard or
impossible to get from eBay or PayPal, but it may be very easy to get
from smaller sites with poorer security.  This wouldn't help the hackers
get passwords for PayPal and the like except for the combination of
high-speed password cracking and many people using the same passwords
for multiple sites.

Hackers now know the most commonly used passwords, so it is easy to try
these first, rather than slavishly stepping through every combination of
7 characters, every combination of 8 characters etc.

  "Just six days after the leak of 6.5 million LinkedIn password hashes
   in June, more than 90 percent of them were cracked. In the past year
   alone, Redman said, more than 100 million passwords have been
   published online, either in plaintext or in ciphertext that can be
   readily cracked."

I am still reading this article, though I am not trying to fully understand
every technical principle it discusses.

  - Robin
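The message above describes the two things that make a leaked hash file dangerous: a fast hash function, and a comparison stage that can be made "much faster than slavishly comparing each one". The example below is added here as an illustration and is not code from the post or from the Ars Technica article. It uses a constructed three-account "shadow" file and a five-entry candidate list (standing in for the common-password lists the post mentions) to show why unsalted fast hashes let one hash computation be checked against every account at once via a set lookup, and why per-user salts plus a deliberately slow KDF (PBKDF2 here, as one standard choice) force separate work for every account and every candidate. The `work` counters returned by the two audit functions make the difference in cost explicit.

```python
import hashlib
import os

# Constructed sample data: a leaked password file pairs account names with
# hashes. We build it ourselves from a few weak passwords so this runs offline.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "password1",
    "bob@example.com": "letmein",
    "carol@example.com": "Tr0ub4dor&3",  # not in the candidate list: stays unfound
}

# A tiny constructed stand-in for the "most commonly used passwords" lists.
CANDIDATES = ["123456", "password", "password1", "letmein", "qwerty"]


def unsalted_store(accounts):
    """Weak storage: sha256(password) with no salt, so equal passwords give equal hashes."""
    return {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in accounts.items()}


def salted_slow_store(accounts, iterations=50_000):
    """Stronger storage: a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256)."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = (salt, iterations, digest)
    return store


def audit_unsalted(store, candidates):
    """Exposure check for unsalted storage.

    Each candidate is hashed once and looked up in a dict keyed by hash, so the
    comparison against every account costs O(1) instead of a scan. Returns the
    accounts whose password appeared in the candidate list and the number of
    hash computations performed (equal to len(candidates)).
    """
    users_by_hash = {}
    for user, digest in store.items():
        users_by_hash.setdefault(digest, []).append(user)
    found, work = {}, 0
    for cand in candidates:
        work += 1
        digest = hashlib.sha256(cand.encode()).hexdigest()
        for user in users_by_hash.get(digest, []):
            found[user] = cand
    return found, work


def audit_salted(store, candidates):
    """Exposure check for salted, slow storage.

    Because every account has its own salt, a candidate's hash for one account
    says nothing about any other account: each (account, candidate) pair needs
    its own KDF call, and each call is deliberately slow. The work counter grows
    with accounts * candidates rather than candidates alone.
    """
    found, work = {}, 0
    for user, (salt, iterations, digest) in store.items():
        for cand in candidates:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations) == digest:
                found[user] = cand
                break
    return found, work


def work_ratio(accounts, candidates):
    """How many more KDF calls the salted scheme costs than the unsalted one on this input."""
    _, unsalted_work = audit_unsalted(unsalted_store(accounts), candidates)
    _, salted_work = audit_salted(salted_slow_store(accounts), candidates)
    return salted_work / unsalted_work


if __name__ == "__main__":
    found, work = audit_unsalted(unsalted_store(SAMPLE_ACCOUNTS), CANDIDATES)
    print("unsalted sha256: found", found, "in", work, "hash computations")
    found, work = audit_salted(salted_slow_store(SAMPLE_ACCOUNTS), CANDIDATES)
    print("salted PBKDF2:   found", found, "in", work, "KDF calls, each many times slower")
```

On the constructed input both schemes expose the same two weak passwords, which is the point: salting and a slow KDF do not rescue a password that is on the common-password list. What they change is the cost of checking it. Unsalted storage lets the five candidates be tested against all three accounts with five hash computations, and that ratio holds whether the file has three accounts or 6.5 million; salted storage needs a separate slow computation per account per candidate, which is what makes a GPU's billions of hashes per second far less useful.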

More information about the Link mailing list