Hardly a week goes by without news of a data breach in which millions or even billions of passwords are captured. What is often stolen is not the password itself, but a version that has passed through an algorithm to disguise its contents. The latest report by Trustwave shows that this technique, called hashing, does not help when users choose silly passwords, and that password length matters more than complexity.
Hackers will crack a complicated password like !u4vRj__43*4h faster than a longer one like ThiSIsALongPassThatISHardToCrack.
The idea behind “hashing” passwords is that the secure site never stores the user’s password. It saves only the result that remains after running the password through a hashing algorithm. Hashing is a kind of one-way encryption: the same input always gives the same result, but from the result you can never get back to the original input. When you log in, the server compares the hashed version of your input with the stored hash, and if they match you can enter the site.
The problem with this approach is that hackers also have access to the algorithms used to hash passwords. They can run every combination of letters and numbers of a given length through the algorithm and compare the results with the stolen hashes. Every matching hash means another password recovered.
During thousands of network tests in 2013 and early 2014, Trustwave collected more than 600,000 hashed passwords. They then ran specialised cracking software against these hashes, and within a few minutes they had cracked more than half of the passwords. Within a month they knew as many as 90 percent of them.
Passwords – you’re doing it wrong
Most people will tell you that a password containing upper and lowercase letters, numbers and special characters is the hardest to crack. That turns out not to be entirely true. Yes, it is difficult for an attacker to guess a password like N7d#9(?i, but according to Trustwave a password like that can be cracked in 4 days, whereas a long password like ThisIsAVeryLongPassWordThatIsHardToCrack would take a hacker 18 years to crack.
Many corporate IT departments require a password of at least eight characters with uppercase and lowercase letters and numbers. The report reminds us that, unfortunately, even Password1 meets these requirements. Not entirely surprisingly, it was the most commonly found password in Trustwave’s investigation.
The researchers also found that users do exactly what they are asked, and no more. When the company dug through the collection of passwords, they discovered that almost exactly half of them consisted of the aforementioned eight characters.
Make them longer
We have said this before, but it is worth repeating: the longer the password, the harder it is for hackers to crack. Take a favourite quote or a few words, remove the spaces, and you have a decent passphrase.
Yes, of course there are other ways to crack passwords. Instead of hashing every possible combination of letters and numbers, an attacker can hash a dictionary of existing words and find matching hashes much faster. But with a password that is long enough, a brute-force attack would take centuries to complete.
The full report looks at the retrieved data from several angles. More than 100,000 of the cracked passwords consisted of six lowercase letters followed by numbers, such as monkey12. If you are responsible for the password policy in your office, or simply want to choose a better password, it is essential reading.
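To make the hash-and-compare login check and the length-versus-complexity argument concrete, here is a small added Python example (not code from the article or from Trustwave). It sizes the brute-force search space of the article's sample passwords, checks them against the typical "eight characters, mixed case plus digit" rule, and shows the one-way hash comparison a site performs at login; the guess rate is an assumed constant, not a figure from the report.

```python
import hashlib
import hmac
import string

# Character classes: an attacker who knows which classes a password uses
# only has to enumerate the union of those classes.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Assumed guess rate for the estimates below (illustrative constant,
# not a figure from the Trustwave report).
GUESSES_PER_SECOND = 1e10


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet covering every character."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Worst-case number of candidates for a brute-force search that knows
    the length and the character classes in use, but nothing else."""
    return alphabet_size(password) ** len(password)


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole keyspace at the given rate, in years."""
    return keyspace(password) / rate / (365 * 24 * 3600)


def meets_complexity_policy(password: str) -> bool:
    """The typical corporate rule: at least 8 characters, with an
    upper-case letter, a lower-case letter and a digit."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def store(password: str) -> str:
    """What a site keeps instead of the password: a one-way digest. Plain
    SHA-256 mirrors the article; real systems use a slow, salted scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


def verify(stored: str, attempt: str) -> bool:
    """Login check: hash the attempt and compare it with the stored digest."""
    return hmac.compare_digest(stored, store(attempt))


if __name__ == "__main__":
    for pw in ("!u4vRj__43*4h", "ThiSIsALongPassThatISHardToCrack", "Password1"):
        print(f"{pw:34} alphabet={alphabet_size(pw):3} len={len(pw):2} "
              f"policy={meets_complexity_policy(pw)!s:5} "
              f"years={years_to_exhaust(pw):.3g}")
```

Password1 passes the policy check yet has a search space of 62^9, while the 32-letter passphrase, built from only two character classes, has 52^32.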