October is National Cybersecurity Awareness Month, and where better to start than the debate over passwords. Recent breaches at LinkedIn, TalkTalk, DropBox, Yahoo, MySpace, and others have stoked new vigor in the password and authentication debate. This year alone has witnessed breaches of more than two billion credentials, and we’re only in October.
Some advocates have used headlines to argue that we should be reconsidering the password as our main form of authentication. It seems no matter how complex we make them, hackers find ways to steal them from databased and crack their hashes, then re-use them to compromise accounts at other sites. Mark Zuckerberg, for instance, was caught in a hack of his personal Twitter account earlier this year when hackers re-used his LinkedIn password—stolen from the large LinkedIn breach in 2012—to get access.
Adding to the criticism of the age old password is the ability to crack password hashes quickly using powerful machines, dictionary attacks and databases from other password breaches that can be found online.
A few months ago YouTube channel ComputerPhile sat with Dr. Michael Pound, an associate professor at the University of Nottingham, who demonstrated how easy it can be to crack lots of passwords really quickly. The university has a computer armed with four powerful graphics processors, which are much better at processing large data sets in parallel.
With the four combined, Pound said, they can analyze about 40 billion simple password hashes per second. Per second.
Aptly named “Beast,” Pound used the computer, a popular software program called Hashcat, and a database of about 6,000 password hashes. When the passwords were only six characters, all lowercase, using MD5 hashing, it took the machine about one second to crack every possibility. At seven characters, it took a few seconds.
Pound said MD5 should never be used again. “Maybe developers are thinking, ‘Well it’s already in SHA1. Users might not be able to log in for a while. Let’s probably not.’ — Yes, do. Change your hashes to something like SHA128, quickly.” As a user, he said, you have to have a password that is much harder to crack.
Use lengthy passwords. Use multiple characters, upper and lowercase with special characters. And, better yet, use a password manager so you can store them and not have to remember them. And, most importantly, never re-use passwords.
The reason behind not re-using passwords, Pound said, is because hackers will take a database of known passwords and manipulate them. Change letters to numbers. Insert special characters. Add numbers on the end. And iterate on those combinations over and over.
You can see the rest of the video demonstration here: