In the wake of recent account compromises, including that of the Associated Press and the rampant breaches orchestrated by the "Syrian Electronic Army", Twitter have recently released 2FA (two-factor authentication), a most welcome addition that bolsters users' security. It is not, however, the be-all and end-all: users are still responsible for choosing strong, hard-to-guess passwords. If your password is compromised, control of your account may be lost to malicious actors.
While it's true that, given enough time and resources, every password is crackable regardless of its complexity – a pass-string of 200 random characters is ultimately just as vulnerable to brute forcing as a one-character password; it merely takes longer – the aim of a complex pass-string is to make the attack temporally infeasible. Let's first take a look at the total number of possible combinations for a given base of elements:
This table includes strings with repeated characters, and treats differently ordered strings as distinct (ordering matters).
Of course, the first row contains every combination of lowercase letters up to 8 characters long, which includes every English word of that length. This may seem an unattainable number of combinations, but with modern GPUs (Graphics Processing Units) able to calculate hashes at a rate of up to 772 MH/s (772 million hashes per second), the first row would be exhausted in around 270 seconds, or about 4.5 minutes.
A user is unlikely to choose 8 arbitrary characters when creating a password that will be used on a daily basis; a typical string is likely to have some semantic content, such as a dictionary word (and various mutations thereof). Knowing this, crackers have produced many aids for this type of attack, including dictionary files and rainbow tables – similar to dictionary files, but holding pre-computed hashes alongside their plaintext equivalents.
To give an example of how quickly weak passwords can be cracked, we set up a test using a simple Python script and BackTrack 5's Hydra, combined with a moderate GPU, and targeted a test SMTP account:
Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2013-05-23 07:08:12
login: ****** password: dave123
[VERBOSE] using SMTP LOGIN AUTH mechanism
1 of 1 target successfully completed, 1 valid password found
Hydra finished at 2013-05-23 07:08:51
The password was drawn from only 36 possible characters (lower case a-z and 0-9) and was cracked in 39 seconds.
While major sites will have (or should have) throttling of authentication attempts, it's not uncommon for minor sites to allow unlimited attempts on an account, which, coupled with password reuse, is a huge problem.
Users I have spoken to told me they use different passwords for different sites in almost all cases. When quizzed further, I found they typically used the same base string with some simple mutations, for example:
Knowing the base string, and with a very simple substitution algorithm (1337-speak, symbols, etc.), we can crack these accounts in mere seconds. It's trivial for an attacker to automate this process, meaning credentials from some forgotten, compromised server can be obtained and then tried against accounts with the same user name elsewhere, which may in turn be compromised.
As Twitter will attest, using secure, hard-to-guess pass-strings and varying user names (not always possible) is an absolute must for anybody who uses systems, applications, or sites accessible to others. Remember, it's not just the internet that has people after your credentials; rogue employees and disgruntled exes, to name but two, are on the lookout for your details.
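As an added illustration of two points above (the keyspace arithmetic behind the combinations table and the 772 MH/s figure, and the "same base string with simple substitutions" habit), here is a small Python script; it is not code from the original post, and its leet-substitution map and its rule of stripping a trailing run of digits/symbols are assumptions of this example rather than anything the post specifies:

```python
# Added example, not part of the original post. Character-set sizes and the
# 772 MH/s hash rate come from the post; the mutation rules below are assumed.
import re

CHARSETS = {
    "lower a-z": 26,
    "lower a-z + 0-9": 36,
    "mixed case + 0-9": 62,
    "printable ASCII": 95,
}
HASH_RATE = 772_000_000  # hashes per second, the GPU figure quoted in the post


def keyspace(base: int, length: int, up_to: bool = False) -> int:
    """Ordered strings (repeats allowed) of exactly `length` symbols, or of
    every length from 1 to `length` when up_to=True (the table's 'up to')."""
    if up_to:
        return sum(base ** n for n in range(1, length + 1))
    return base ** length


def seconds_to_exhaust(base: int, length: int, rate: int = HASH_RATE) -> float:
    """Worst-case time to hash every candidate in the keyspace at `rate`/s."""
    return keyspace(base, length) / rate


# Assumed leet map: each substitute character mapped back to the letter it
# usually replaces (a heuristic; '1' is treated as 'i', not 'l').
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Collapse the cheap mutations the post describes (leet characters,
    case, a trailing run of digits/symbols) so that variants compare equal."""
    core = re.sub(r"[\d\W_]+$", "", password)   # drop trailing "123", "!", ...
    return core.translate(_LEET).lower()


def is_simple_mutation(candidate: str, base: str) -> bool:
    """Defender-side policy check: True if `candidate` is just `base` with the
    substitutions above, i.e. reuse that a password-change policy should reject."""
    return normalise(candidate) == normalise(base)


def table(lengths=(6, 8, 10)) -> dict:
    """The post's table: (keyspace, seconds to exhaust) per charset and length."""
    return {(name, n): (keyspace(b, n), seconds_to_exhaust(b, n))
            for name, b in CHARSETS.items() for n in lengths}


if __name__ == "__main__":
    for (name, n), (size, secs) in table().items():
        print(f"{name:18} len {n:2}: {size:>22,d} candidates, {secs / 60:>14,.1f} min")
```

Running it reproduces the post's figure for the first row (26^8 at 772 MH/s is about 270 seconds) and shows why "dave123" is both a small keyspace and a trivial mutation of "dave".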
To ensure accounts are as secure as possible, it’s advisable to:
- Use strong, hard-to-guess, non-dictionary pass-strings. If an application doesn't allow you to use a mix of alphanumeric and special characters, you may not want its owner to have your details.
- Never, ever reuse passwords. It’s also good practice to not reuse passwords with simple substitutions.
- Ensure old accounts are deactivated where possible. Although you cannot trust that a database will be purged of credentials, it's certainly a start.
- Think before signing up to a site or service; always read their security policy.
- Be vigilant! Phishing is an easy win for cyber criminals, so don't give them an easy ride – sites and services will (or should) _never_ ask for your password via email.
Abiding by these rules will help make passwords as secure as they can be.