Shrewsbury based IT firm talks computer safety
7th March 2013
Ian Simons, Director of BlooCow Ltd, a specialist information security consultancy based in Shrewsbury, talks us through the first line of defence in computer security.

Passwords are still the 'first line of defence' into company networks and user accounts. A password is a secret string of characters that only the user knows, so that the user can be authenticated and granted the requisite level of access to system resources. However, passwords are getting easier to crack than ever before. The rapid march of graphics card technology and power in particular is enabling password cracking software to try billions of password combinations per second. What used to take perhaps years may now take only months, days or even minutes. (Example: a PC with a single Radeon HD 7970 graphics card, around £300 at today's prices, can try an average of 8.2 billion passwords per second.) PCs equipped with two or more similar graphics cards can achieve 2, 3 or more times the speed.

More importantly still, the variety and number of online password leaks from various high-profile targets in the last few years has enabled password crackers to create and tune their methods based on how users in different walks of life create passwords for different sites.

How are passwords stored?

Passwords are almost never stored in plain text on systems, but stored in a 'hash' format by use of a 'cryptographic hashing function'. A hashing function is a one-way process by which the password you enter is run through a mathematical equation, or algorithm, to produce a string of characters. The hashing function was originally designed to be computationally easy to run, but computationally expensive to reverse. There are many different hash functions, one of the oldest being MD5; this will produce the hash '5f4dcc3b5aa765d61d8327deb882cf99' from 'password'.

How are passwords 'cracked'?
Because the hashing function is time-consuming to reverse, password cracking becomes a process of running a plaintext password through the same hashing function as the target system and comparing the result with a hash found on the system. If the hashes match, then the password has been identified. There are two main approaches - 'brute forcing' and using lists. Brute forcing entails trying every combination of letters, numbers and special characters to attempt a hash match; lists contain a large number of words (dictionary words, cartoon characters, pet names etc). Either method can be easily automated, and the graphics cards provide the raw power to make this as fast as possible.

What is the significance of the online password leaks?

As more and more passwords from various companies and social networks have become available online (usually via pastebin or similar services), attackers have gained valuable insight into the way users create passwords - attackers now know that nearly all capital letters come at the beginning of a password, almost all numbers and punctuation show up at the end, and there is also a strong tendency to use first names followed by years. By becoming more familiar with how users choose and create passwords, an attacker can increase the likelihood of cracking a password by putting more likely passwords near the top of the list used to automate the cracking process. For example, 'Password1' is still one of the most common passwords used, followed by 'password' and 'Welcome1'. [From Trustwave Global Security Report 2013].

How quickly can passwords be cracked?

To put all this in context, in June 2012, 6.5 million password hashes from the LinkedIn site were leaked online. Within 6 days, more than 90% of the passwords had been cracked.
Example: Using brute force techniques to crack the password 'Julia1974', trying every letter and number in combination and assuming a 9 character password length, the total number of combinations is 62 to the power of 9. This would take a PC with a Radeon 7970 up to 19 days. Using the intelligence gleaned from online password leaks, this time can be reduced to 90 seconds.

The examples above assume that a 'standard' hashing function is used. Because of advances in password cracking, specially designed password hashing functions have been developed that make it more time-consuming to hash a plain text password. For example, using the algorithm called 'bcrypt' would reduce the number of password guesses from 8 billion per second to 1,750 guesses per second. While this imposes a greater burden on the site, in direct contrast to the general philosophy of hashing functions, it is now viewed as essential to provide increased security.

How can I protect myself?

Most importantly, a user must choose a password that is unique to each site or resource that they access. You have no way of knowing whether a site stores passwords correctly, so if a password is re-used on multiple sites and one of those sites is compromised, then that user's accounts on multiple sites will also be compromised.

Secondly, the password must not conform to the rules and strategies already known - the password should be randomly generated by a computer and it would help to have at least 9 characters to make brute force attacks infeasible. Given that people are not good at remembering long strings of random letters and numbers, it is recommended that a 'password vault' program be used that can generate strong passwords and store them in an encrypted file that is accessed by a single long master password.
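The following is an added example, not part of the original article: a small Python password audit that flags the habits the article says are known from leaks, reproduces its 62-to-the-power-of-9 arithmetic at the quoted guess rates, and generates a random password. All function names and the default length of 16 are assumptions made for this illustration.

```python
import hashlib
import re
import secrets
import string

# Guess rates quoted in the article (guesses per second).
FAST_HASH_RATE = 8.2e9   # one Radeon HD 7970 against a 'standard' hash
BCRYPT_RATE = 1750       # the article's figure for bcrypt
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the article

def md5_hex(password):
    """Unsalted MD5, the article's example of a fast 'standard' hash."""
    return hashlib.md5(password.encode()).hexdigest()

def exhaustive_days(length, rate, alphabet_size=len(ALPHABET)):
    """Worst-case days to try every password of exactly `length` symbols."""
    return alphabet_size ** length / rate / 86400

def predictable_patterns(password):
    """Return the leak-derived habits (from the article) a password follows."""
    findings = []
    if [i for i, c in enumerate(password) if c.isupper()] == [0]:
        findings.append("only capital is the first character")
    if re.fullmatch(r"[A-Za-z]+[\d\W_]+", password):
        findings.append("digits/punctuation only at the end")
    if re.fullmatch(r"[A-Za-z]+(19|20)\d\d", password):
        findings.append("word followed by a year")
    return findings

def generate_password(length=16):
    """Computer-generated random password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def audit(password):
    """Summarise a candidate password for a user-facing strength check."""
    n = len(password)
    return {
        "patterns": predictable_patterns(password),
        "days_fast_hash": exhaustive_days(n, FAST_HASH_RATE),
        "years_bcrypt": exhaustive_days(n, BCRYPT_RATE) / 365,
    }

if __name__ == "__main__":
    print(md5_hex("password"))
    for pw in ("Julia1974", "Password1", generate_password()):
        print(pw, audit(pw))
```

A password that returns any entry under "patterns" should be treated as weak regardless of the brute-force figures, since the article's 90-second result comes from exactly those habits.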
About the Author

Emma R

Member since: 10th July 2012
