It’s just human nature: the more enthusiastically someone speaks about something, the more it sticks in your mind. That is how I would describe a recent talk on password cracking given by Robert Imhoff-Dousham at Defcon this year. I won’t recap his entire presentation, which you can review for yourself, but I will touch on a few key points that may affect many of the policies and practices being used out in the real world today.
“Passwords must contain 8 characters and include upper case and numbers”
This ‘rule’ is used by many websites, corporate domains, and networking devices. But as is the case with many information security standards, by the time it is adopted by the masses it is already weakened or outdated. Another point of human nature is that we usually take the path of least resistance, even more so when we are dealing with something uncomfortable, which for most average people includes working on computer systems. So let’s take a closer look at this rule and how it is applied in practice.
Let’s see Password1…
While most users are hopefully wise enough not to use such an obvious word, most would do the following: use an uppercase letter as the first character, because it’s easier to remember that way since that’s how we write, and use a number as the last character, because after all AOL only had the username “StickyBuns234” available for me.
So I, as an attacker, can simply modify my brute-force method to test only for candidates that fit these specific rules, which reduces your 8-character password to roughly the strength of a 6-character one.
Well, it’s brute force, so it would take years to actually crack this, right?
With the advancement of both the GPU and cloud computing markets this is no longer the case. Let’s take GPU brute forcing as an example. Take a newer 8-core GPU, use a rainbow-table cracking tool or a multi-hashing tool, and pump 8000+ streams at the operation. Using a brute-force calculator we can see that with 1 box with 4 GPUs we would require ~240 hours. If we spread this out across 4 boxes with 4 GPUs each, we bring our time down to 2.5 days. Double the boxes and the time to crack is cut in half again. These numbers are based on a truly complex 8-character password; if users are using the flawed methods mentioned above, they really have something closer to a 6-character password, depending on my table/dictionary files.
So, depending on how valuable your password (or passwords in general) are to me, I may be able to scale up a small server farm just to break user passwords (see the presentation for a cool shopping list showing a $50k 40-GPU super cracking server that will eat your password up in less than 140 seconds).
Coincidentally, adding just 1 or 2 characters to your required password length can make this attack vector almost nonexistent again (well, maybe not against the 40-GPU super server), because every extra character multiplies the keyspace by the size of the alphabet.
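As an added example (not from the talk or this post), here is a small Python calculator that puts numbers on the reasoning above: the keyspace of the “capital first, digit last” pattern versus a truly random 8-character password, the equivalent random length, and how exhaustive-search time scales with more GPU boxes and with longer passwords. It assumes a 62-symbol alphabet (upper, lower, digits) and calibrates the guess rate to the post’s ~240 hours for one 4-GPU box; both are assumptions, not figures from the presentation.

```python
import math

# Character classes for the constructed policy model
UPPER, LOWER, DIGITS = 26, 26, 10
ALNUM = UPPER + LOWER + DIGITS  # 62 symbols: upper + lower + digits


def keyspace(pattern):
    """Number of candidates for a positional pattern; each element is the
    number of symbols allowed at that position."""
    total = 1
    for choices in pattern:
        total *= choices
    return total


def full_complex(length, alphabet=ALNUM):
    """Every position may be any of the `alphabet` symbols (truly random)."""
    return [alphabet] * length


def predictable(length):
    """The human habit described above: upper-case first letter,
    lower-case letters in the middle, a digit at the end."""
    return [UPPER] + [LOWER] * (length - 2) + [DIGITS]


def effective_length(space, alphabet=ALNUM):
    """Length of a uniformly random password over `alphabet` whose
    keyspace equals `space` (how many 'real' characters you have)."""
    return math.log(space) / math.log(alphabet)


def crack_hours(space, boxes, hours_per_box_full8=240.0):
    """Worst-case exhaustive-search time in hours. The per-box rate is an
    assumption calibrated so a full 8-character search takes
    `hours_per_box_full8` on one 4-GPU box, as the post states."""
    rate_per_box = keyspace(full_complex(8)) / (hours_per_box_full8 * 3600)
    return space / (rate_per_box * boxes) / 3600


if __name__ == "__main__":
    pred, full = keyspace(predictable(8)), keyspace(full_complex(8))
    print(f"predictable 8-char keyspace : {pred:.2e} "
          f"(~{effective_length(pred):.1f} random characters)")
    print(f"random 8-char keyspace      : {full:.2e}")
    for boxes in (1, 4, 8):
        print(f"{boxes} box(es): random 8-char {crack_hours(full, boxes)/24:.1f} days, "
              f"predictable 8-char {crack_hours(pred, boxes)*60:.1f} minutes")
    for length in (9, 10):
        days = crack_hours(keyspace(full_complex(length)), 1) / 24
        print(f"random {length}-char on 1 box: {days:.0f} days")
```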
Creating secure passwords can be as simple as coming up with a memorable phrase instead of just a word or two. Here is a great video on how to do this. Also remember to NEVER use the same password on multiple sites; it makes it much easier to steal all your gold pieces.