Tuesday, November 16, 2010

Cracking Password Hashes in 5 Seconds

I imagine everyone realizes by now just how important it is to choose strong passwords. Although many people still use their pet's name, their birthday, "12345", "qwerty", or the ever classic "password", you should know that these really don't offer you much security.

But what if I told you that even a 14-character strong password consisting of letters, numbers and symbols isn't safe? Yes, I mean a password like "*mZ?9%^jS743:!".

A security firm can now crack 14-character complex passwords in just a few seconds.


The trick is this: whenever you enter a password, it has to be stored somewhere.
If your computer stored your password in plain text on your hard drive, anyone could easily snoop in and find it, right?
So, passwords are usually run through a mathematical one-way function that is easy to compute but nearly impossible to reverse.
Instead of your password itself, what you'll find on the drive is something like this:
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

That's called a hash, and it's the result of applying that function to your password.

However, as nothing is impossible, rainbow tables came along. The trick: precompute and store the hashes of "millions" of candidate passwords, so that a stored hash can be "reversed" with a simple lookup. Sure, it takes a long time to build them and requires many gigabytes or terabytes of space... but it's doable.
Particularly when you consider SSDs!

When coupled with SSD storage, flying through millions of stored hashes can be done instantly. In fact, this security firm's system can compare 300 billion passwords/hashes per second!

Reversing a hash like:
17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4
takes just 5 seconds and returns a password of: 72@Fee4S@mura!

While the hash: ac93c8016d14e75a2e9b76bb9e8c2bb6:8516cd0838d1a4dfd1ac3e8eb9811350
takes a little longer (8 seconds), returning a password of: (689!!!<>”QTHp

What this means is that even complex passwords might not be as secure as one thinks, even though hashes are now usually "salted": a process that adds another element to your password so that the resulting hash is harder to crack.
If you want to be safe, you had better start considering the use of much longer "pass-phrases", something like:
"This is really a password you won't be able to crack not even if you try really hard! Ha! Ha!123!"
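As an added illustration of the two ideas above (precomputed lookup tables and salting), and not code from the original post: the script below builds a lookup table over a constructed handful of candidate passwords, reverses an unsalted hash with a single dictionary lookup, and then shows that a random per-user salt makes that same table useless and forces every guess to be hashed afresh. SHA-256 is an assumption; the post does not name the hash function behind the values it quotes.

```python
import hashlib
import os

# Constructed stand-in for the "millions" of entries in a real rainbow table.
# Assumption: SHA-256 is used here for illustration only.
CANDIDATES = ["password", "qwerty", "12345", "letmein", "*mZ?9%^jS743:!"]


def unsalted_hash(password):
    """Hash the password alone, as the stored values quoted in the post are."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; every later reversal is one lookup."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, stored_hash):
    """Reverse a stored, unsalted hash without hashing anything at all."""
    return table.get(stored_hash)


def salted_hash(password, salt=None):
    """Hash salt+password; the salt is random per user and stored in the clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + ":" + digest


def verify_salted(password, stored):
    """Recompute with the stored salt; a precomputed table never had that salt."""
    salt_hex, _ = stored.split(":")
    return salted_hash(password, bytes.fromhex(salt_hex)) == stored


def same_password_collides(password):
    """Two users with one password: unsalted hashes match, salted ones do not."""
    unsalted_equal = unsalted_hash(password) == unsalted_hash(password)
    salted_equal = salted_hash(password) == salted_hash(password)
    return unsalted_equal, salted_equal


def table_hit_on_salted(table, password):
    """Does the precomputed table still find a salted hash? It should not."""
    digest = salted_hash(password).split(":")[1]
    return lookup(table, digest) is not None
```

The stored values quoted in the post are in the Windows LM:NTLM format, which carries no salt, which is exactly why a precomputed table applies to them.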
