Tuesday, August 21, 2012

The deal with passwords

Over at Ars Technica, Dan Goodin has written a comprehensive overview of the state-of-the-art of password cracking. Even if you think you understand passwords, you probably have many misconceptions that this article will dispel.

Passwords are far more complex than you think. Take, for example, this comment where somebody points out "MD5 would be an example of a hash algorithm that is no longer secure". Most people agree with that statement, they are all wrong. MD5 is just as good for hashing passwords as SHA1, or whatever appears as SHA3. The weakness MD5 has today is in "collisions", which don't matter for hashing passwords. Moreover, cryptographic hashes are designed to be fast, meaning that password cracking is fast. Better algorithms would be slow, like scrypt, bcrypt, or pbkdf2. A salted password using 10000 iterations of MD5 is still more secure than a single SHA1 hash.

Another issue is the "exponential wall", which is shown in the following graph (CC attribute license):

For brute-forcing passwords, people imagine that GPUs or Amazon EC2 clusters will make a massive difference. As the graph shows, they really don't. Short passwords are trivial to crack, even with the resources of an iPhone. Long passwords are impractical to crack, even with a billion dollar NSA supercomputer.

More hardware can make some difference because most passwords are around 7 to 8 characters, which is right in the sweet spot where added hardware will make a difference. However, what makes a bigger difference is skill, having the right wordlists of known passwords and exploiting patterns in how people choose passwords. A skilled cracker with an iPhone will crack more passwords than you can brute-forcing with an Amazon EC2 cluster. Combining skill with more hardware is even better, because the skilled person knows how to exploit the additional hardware in ways other than simply brute-forcing.

In conclusion, I highly recommend reading Dan's article. It defines the state-of-the-art of password cracking as of 2012.


t4b said...

Apropos passwords: What do you think is more secure for storing password hashes:
* Using a specialized password hashing algorithm
* Or chain something like SHA1 or md5 until it takes as long to calculate as a specialized password hash?

On passwords in general: I personally just generate very long passwords based on the domain name of a web service or the name of the service if it's not specific to a website and a master password (which isn't really very secure and the same for everything).
I think that way I'm secure enough unless someone breaks into my computer and gets my script which generates the passwords (including the salt it adds).

George said...

But there are so many more ways to attack the password without trying to crack the password. I'm sick of people about PSK cracking when few of them ever heard of FreeRadius-WPE. http://www.zdnet.com/blog/security/new-tool-cracks-most-enterprise-wireless-lans/922

Richard Steven Hack said...

For Web sites, I believe having a "secret salt" in addition to the random salt stored with the password is the way to go - especially if that extra salt is not stored in clear text anywhere and is only in compiled code running on yet another server...

To break that, the hacker not only has to compromise the Web server, but also a second server, then grab its memory, then search for the code using the secret salt, then decrypting that salt...

It would mostly eliminate the value of downloading and offline cracking of password databases. It could even allow the continued use of fast password hashing. It wouldn't be invulnerable - nothing is - but it would make things much harder.

phili pine said...

To escape unwanted attack by hacker it is necessary to provide good network security.Now these day's hacker can easly hack your website and get the all data.If we provide good network security we safe our website from the harmful effect of Top Security Threats

John Moehrke said...

Md5 collision may mean I find a good enough alternative... okay, not useful actually as real password is likely in easy pattern space, while alternative is in random space.

Anonymous said...

So you are suggesting that if i use a completely random 9 charachters for each site i login i am sure that these pass will not be broken?