Cheap GPUs Rendering Strong Passwords Useless

StrongGlad writes with a story at ZDNet describing how it's getting easier to use GPU processing against passwords once considered quite strong. "Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called 'ighashgpu' and you have yourself a lean, mean password busting machine. How lean and mean? Working against NTLM login passwords, a password of 'fjR8n' can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second. Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU."

And?

[ledow]

And any system worth its salt (crypto-hashing joke) won't allow that many attempts against any external or internal authenticator and will NEVER expose its password hashes.

Seriously, if someone has your password hash, it's game over anyway and it doesn't matter if it takes 2 weeks or 2 months to guess the passwords. And if they don't, then you shouldn't be letting them try several BILLION attempts at guessing a password anyway.

Re:And?

Whenever a company "loses" a database with passwords, we scorch them for storing plaintext passwords. If hashing is supposed to help, then it has to create a significant barrier. As the processing power required for brute forcing password hashes makes longer and longer passwords insufficient, it should become clear that the age of passwords as the sole authentication is coming to an end.

Re:And?

[Yvanhoe]

hashing != encryption

Re:And?

[Fourier404]

Defense in depth. By your line of reasoning, there's no problem storing passwords in cleartext. Although a particular line of defense shouldn't be necessary, doesn't mean you shouldn't worry if it's quickly losing potency. There will always be security vulnerabilities, so for someone, somewhere, it matters, e.g. PSN.

Re:And?

Like this article shows, they're basically equivalent given enough processing power. The end result is the same; the "hidden" information becomes known, with relatively little ease. Sure, salting may currently help make the brute-force "decryption" of a hashed password more difficult, but hardware is always getting faster and more powerful.

Re:And?

Salting does not (and is not supposed to) complicate brute-forcing password hashes. Brute-force is what you use when you can't use rainbow tables due to salted hashes.

Re:And?

[atrus]

Its all an arms race in speed. However, if people were smart and realized that hashing was never a good solution and instead followed something like PBKDF2 with a large C (thousands of rounds), we still would be safe.

Re:And?

[hairyfeet]

So wouldn't it simply be smarter to go to two factor, aka 'something you have, something you know" for access? lets face it, flash drives are uber cheap and small enough you can put one on your keyring that would be able to hold authentication for dozens of systems.

Frankly in my mind it just doesn't make sense in this day of sub $500 quads and being able to go quad crossfire for less than $1200 on the GPU to not use two factor authentication. If we expect people to keep up with their ATM card frankly I don't see why they couldn't do the same with a little flash stick on a keyring. It just seems silly to me that when we have so much computing power like in TFA that people still expect simple passwords to keep the bad guys out.

And slightly OT, but is there any actual GP-GPU software out there that isn't for black hats? Because it seems to me that is all I ever hear of when there is a hell of a lot of GPUs out here in home user land that could put that GP-GPU power to good use if there were only some programs for it. I've searched and all I found was a couple of demos on the AMD website, nothing really useful that can do actual work like in TFA. Where are the programs that say let me volume level my entire MP3 collection in 30 seconds, or let me run Audacity effects on the GPU?

While I like the idea of a GP-GPU being this specialized co-processor I can do actual work with other than a drag and drop transcoder for video that frankly doesn't give a really good picture I can't seem to find any non blackhat code, at least not for the AMD GPUs.

Re:And?

[icebraining]

Isn't PBKDF2 basically iterations of an hashing function?

Re:And?

[vadim_t]

The problem is that when a big company loses a password database, it's a big one. Tens of thousands, if not millions of accounts.

And with a database that big, it's trivial to find something. If the attacker has 100K passwords, they don't need to make millions of attempts per hash, they just need to try them for the very few stupidest things, like $username, "password", "12345", "qwerty" and "secret".

Even if the passwords are repeatedly hashed to make brute force hard, all they need to do is to optimize and parallellize enough to test 100 per second, and in a day and half they'll have gone through that database, netting at least a few thousand accounts.

Re:And?

[SmilingBoy]

Yes

Re:And?

[jamesh]

Mostly agree. If there is a mechanism by which the bad guys can get your password hashes then you already have a problem.

It's a slightly bigger problem when the situation is something like the bad guys stealing (eg) Sony's encrypted[1] password database though. If everyone had 7 character passwords[2] and it took 24 hours for Sony to disclose the breach[3] and another 24 hours for users to get around to changing their passwords[4], that's enough time to crack around 150 passwords per GPU. I wonder though if you can exploit the fact that you have a list of (say) 1 million password hashes to speed up the search? with 1 million password hashes maybe some share the same salt[5]...

[1] ha!
[2] i'd be assuming a minimum of 8 though...
[3] yeah right
[4] again... probably another invalid assumption
[5] I'm thinking back to the days of /etc/password and crypt with a 2 character salt... maybe NTLM hashes have a much larger salt making collisions unlikely?

Re:And?

[cloudmaster]

If every password uses a unique salt, then it becomes substantially more difficult. You essentially have $number_of_salts different algorithms you have to attempt in that case. Say the passwords are MD5 encrypted (which should be SHA512 in modern times, but let's ignore that). If you're brute forcing, you try each possible string once, and compare the hash of "aaa" against all of the hashes. But wait, now you toss in the 0-8 character salt (selecting from the set [a-zA-Z0-9_] that GNU libc supports; you now have to recalculate that md5 hash for every possible salt in the file. There's what, around 64^8 possible salts, which might be randomly selected or might be sequentially selected based on the other salts in the shadow file; either way, you don't have to calculate the hash once - you have to calculate it once for every different salt. That's a whole lot of calculations for each possible iteration in your brute force attack - and is why salted passwords are a Real Good Thing.

Re:And?

[cloudmaster]

Yes, games use GPUs for people who aren't black-hats.

But, to your other question, how do you propose that we integrate multi-factor authentication in a portable way that actually works with all the things people need to authenticate against? You need an interface to get to that second factor somehow, and that second factor needs to be secure and pretty standard. It's a really hard problem to solve in a universal way, which is the main reason we still use PIN/password kind of things pretty much exclusively.

Re:And?

[RobbieThe1st]

There's a nice Bitcoin miner tool out there that runs on GPGPU; In fact, there's several.

The real problem is that it's hard to find tasks that are super highly parallizable like this -- I mean, aside from video, rendering and graphics related tasks, what is there?
Now, for those tasks, GPGPU's perfect and applications are adding support(often in the form of an OpenGL interface), but there's a huge number of older applications, especially for windows, that can't be updated to support it.

Re:And?

[jamesh]

hashing != encryption

No the parent poster was correct in his/her terminology. Encryption is what you use if you want to get the original data back again. Hashing is what you use when you only need to prove that the supplied information matches the original information. The latter is the best way to store passwords for user authentication. To be useful, you don't need to know what the original password was, you only need to know that the password the user supplied hashes to the same value as the stored hash.

If the company is storing passwords that need to be supplied to a third party then they would need to be stored encrypted so they could be decrypted back to the original value, but that's something different again.

Re:And?

[barlevg]

And slightly OT, but is there any actual GP-GPU software out there that isn't for black hats?

I've written plenty of numerical simulation coding in CUDA. I realize you probably meant like, "Is Adobe working on porting Photoshop to OpenCL" but I'm sure it's only a matter of time. Actually, I just remembered this Slashdot article: Matlab now comes with GPU integration.

Re:And?

[vadim_t]

The salt is normally stored right in the password file.

What the salt does is making it impossible to precompute hashes, and to notice that two users have the same password. Brute forcing each password individually doesn't get harder though.

Re:And?

[mlts]

Realistically, we need to have passwords as *an* authentication method, as opposed to *the* auth method.

Until we can decide on another method of authentication, perhaps one thing to do is have the mechanism that does the password validation (as well as storing hashes) physically secured on a tamper resistant card, similar to how public keys are stored on HSMs.

The mechanism on the tamper resistant card would have ports to store data on external media (encrypted with LUKS where the whole drive is encrypted with a key stored on internal, protected flash.)

The API for this device is fairly simple: Store a userID/password/date of expiration item, do a compare (hash, result) and return yes, no, or "too many times tried", change the expiration date on userID/password, delete the item, and reformat, purging everything, generating all new keys.

This way, there is no way that the stored values can ever be pulled. Brute force guesses will be slowed down because after 3-5 tries, the device will only allow one compare every "x" amount of minutes. Physical attack of the device is not going to reveal much other than quickly blown e-fuses due to tamper responses going off. The goal is to have an extremely simple device that just does authentication challenges. The LDAP server or authorization server handles if an account is expired or not. This thing just moves the passwords from hashes stored in /etc/shadow to a locked down appliance.

Other features could include:

Special key/PIN/password to start up, in case the device is powered off.

GPS location so the device will not work unless in a configured location.

A fiber optic cable that wraps around items, if it is pulled, the device locks until a key or password is given.

Backups done encrypted via USB flash drives, where the hash material is stored encrypted to private keys of the other HSMs, or smart card.

Multiple devices for redundancy that can keep in sync with each other.

With a dedicated HSM storing the password hashes, this would go a long way to adding security, just like a HSM does to protecting SSL keys.

Re:And?

[base3]

The time it takes to guess the password does matter. If it takes 30 days to guess and password changes every 14 days than everything is fine.

I don't know--if a user is made to change his/her password every two weeks, and the password cracker finds foo#$xx10, foo#$xx11 will be a good bet.

Re:And?

[tronbradia]

Seriously, if someone has your password hash, it's game over anyway and it doesn't matter if it takes 2 weeks or 2 months to guess the passwords...

The whole point of a hash is that it's supposed to offer last-ditch security if it's compromised. Otherwise why not just store in plaintext? I don't want any sysadmin near a server holding my information if they take the attitude that the server will never be compromised. Assume the server will be compromised, and take measures to minimize the damage when that unholy day comes.

I use 12-character passwords. http://howsecureismypassword.net/ estimates that my root password would take 25 million years to hack. I'll put the hash right here: f1593fdf843f6161b377d5d8adf7ad03 ... let me know when you've cracked it.

Re:And?

[blincoln]

"Seriously, if someone has your password hash, it's game over anyway and it doesn't matter if it takes 2 weeks or 2 months to guess the passwords. And if they don't, then you shouldn't be letting them try several BILLION attempts at guessing a password anyway."

Actually, it does matter how long it takes. If the passwords can't be cracked in less time than it takes them to expire, then it doesn't really matter who has the hashes.

I've been using passphrases for the last 3-4 years. They're at least 15 characters long - usually in the mid-20s - and I don't need to write them down to remember them. Whether they use special characters or not, I don't think anyone is going to be building a rainbow table that big any time soon.

Re:And?

[cloudmaster]

The post I responded to mentioned that it's bad if a company loses a big file with thousands of passwords because you could just work for a little while and find a few. You are 100% correct that a single password is not harder to crack, but salting makes it harder to break all (or even several) since you have to repeat the same average effort for each individual instead of doing the whole file in one shot.

So, the point I was trying to make was that you can't just start computing hashes and hope you land on one from the file; you are limited to just the ones with the same salt - which should be only a couple in a given file. You have to target a specific account rather than just calculating hashes and hoping you land on one that matches. :)

And technically, the salt only makes it a little harder to precompute hashes; the old DES crypt, for example, is now fairly easy to calculate all possible values with all possible salts. You can probably just download the file if you don't have a couple of recent computers at home to dedicate for a couple of days. ;)

Re:And?

[PlusFiveTroll]

No, most password changing systems force a password that isn't similar to the old one. If you have a system that forces password changes that often you can always figure out the password by looking at the sticky note on the users monitor.

Re:And?

[froggymana]

And any system worth its salt (crypto-hashing joke) won't allow that many attempts against any external or internal authenticator and will NEVER expose its password hashes.

>

Are they suppose to just expose the passwords as plain text files then?

Re:And?

[bloodhawk]

It does present a significant barrier, you have to remember the article is garbage, it talks about strong passwords being easily cracked but then only gives examples of weak short passwords. Having hashes of strong passwords even with GPU's is still a multi year piece of processing to recover a password (or at least a potential password).

Re:And?

[Burning1]

Password hashes are routinely exposed. Security in layers - any system that relies on the pasword table remaining protected is flawed. Also, it should be pretty obvious from the article, but you're never going to get the kind of throughput mentioned if you're going through the OS authentication stack. This attack relies 100% on the attacker having the password has in question.

Re:And?

[koreaman]

Luckily, you don't have to trust a horde of Slashdotters on AGW: just pick 10 climate scientists at random and ask for their opinion. (Note the "at random" part -- you're not allowed to cherry-pick for this exercise.)

Re:And?

[Eivind]

There's a reason (actually many reasons!) we store hashes of password+salt instead of storing the passwords in cleartext you know ?

You seem to be arguing that defeating this line of defence makes no noticeable difference to security. If that was true, we might just as well have stored plaintext passwords in the first place.

You are right that ideally, attackers should not be able to get the hashes. Still, they are hashed for a reason - some attackers (insiders for example) typically -can- get access to hashes.

Just because you have several lines of defence, it doesn't follow that having one of them breached, is meaningless.

Re:And?

[Yvanhoe]

It is very different. Encryption relies on the administrator keeping a private key secret. Hashing does not make such an assumption. When you encrypt, you cut informations in parts big enough to not be brute-forceable and add garbage at the end if necessary. Some encryption algorithms guarantee that there is not enough energy in the universe to brute-force them. It is fundamentally different from hashing + salt, where your bruteforcing just has to discover a user-memorized password, the salt being known. Bruteforcing an encryption requires you to also discover the 64K of garbage that were added at the end, which is pretty much impossible.

Re:And?

[Dr.M0rph3us]

The flash authentication can be a good idea, but it can be lost, stolen or broken in several ways, so it would require a recovery mechanism. There is also a problem on high-security systems, such as governmental machines, where most I/O ports are sealed, including USB ports.

Re:And?

[Nefarious+Wheel]

And any system worth its salt (crypto-hashing joke) won't allow that many attempts against any external or internal authenticator and will NEVER expose its password hashes.

Seriously, if someone has your password hash, it's game over anyway and it doesn't matter if it takes 2 weeks or 2 months to guess the passwords. And if they don't, then you shouldn't be letting them try several BILLION attempts at guessing a password anyway.

Well said. However, there are a number of systems not worth that much salt, that are still used --- I saw a cheap NAS box on our network that was attacked by a highly distributed botnet that was using simple password lists to reach it. Yep, you log in to those little things, and people will try.

And having said that, I think full pass phrases are more the go. I mean, what's it going to cost us? Disk space? RAM? Do the math. A long pass phrase such as "There is nothing quite so worth doing, said the dishwasher, as simply messing about with spacecraft." will be harder to match with hash tables, word lists or odometer attacks. And if you choose one sufficiently bizarre, you might even remember it.

Re:And?

[Nefarious+Wheel]

Meant to mention that little NAS box wasn't requiring a delay between attempts.

Re:And?

[Terrasque]

Actually, it does.

Let's say you have a file with 5000 accounts, passwords hashed.

And, lets say both Harry and Sally have "wuffles" as password. Without any salt, you can just generate the hash once and compare with all entries.

With a good salt, you have to generate the hash for every single user and compare.

Re:And?

[guacamole]

This _IS_ bad news for systems using such password hashing...IMO.

To me, computer security is always about erecting as many walls and layers against things you want to protect. If you think your hash database is so well protected, why not go further and store it in plain text?

Re:And?

[Lennie]

Finally someone in this discussion is making sense.

Here is something which might be of use:

https://wiki.mozilla.org/Labs/Identity/VerifiedEmailProtocol

A lot of stuff is webbased, why not have the browser authenticate in your name (probably with the use of an extra locally stored encrypted database of keys)

Re:And?

[qubezz]

Actually, all you have to do is ask 10 people with an IQ over 110. Sampled from a global population, of course; dissenters are more apt to be found as you pick your random 10 from decreasing non-representative pool, i.e The World > USA > The South > Mississippi > Chickasaw County.

If you want to harden the statistical integrity of such a question put to geniuses, ask the same question to a group with an IQ under 100. If they strongly agree with the high IQ position, it's definitely true. If they strongly disagree, it's still definitely true.

Re:And?

[base3]

True, for those who use OSs that check similarity -- but never underestimate the ingenuity of users to find password which comply with dissimilarity rules but yet are still trivially derived from previous passwords (or, as you point out, sticky notes :) ).

Re:And?

[AmiMoJo]

Why are we using hashes at all? Why not just use one-way encryption and compare cypher texts? Hashes were designed to validate large chunks of data with a small and relatively unique hash code, but passwords are so small that the hash often ends up larger than the plaintext. Most hashes are also designed to be easily computable, not what you want when trying to protect the plaintext.

Might as well just encrypt it with a unique key. Since the key can only encrypt it can't be used to get the plaintext back but can offer much stronger protection. GPG/PGP is a good example of one-way crypto (well, it is public/private key but if you discard the private key it's the same) and we are still a long way from being able to brute-force that.

Re:And?

[AmiMoJo]

The API for this device is fairly simple: Store a userID/password/date of expiration item, do a compare (hash, result) and return yes, no, or "too many times tried"

Chip and Pin tried this and it backfired on them. Because the terminal sends the pin to the card and simply asks if it was valid or not there is no way of knowing if the card is compromised. All you need is a card that supplies the correct credentials (perhaps by passing data to a genuine card you have stolen) and then when it asks "was the transaction verified" your fake card says "yes".

Researchers have demonstrated this attack in the UK. They hid a PCB in their pocket with the genuine (stolen) card on it for supplying the authentication credentials and a special fake card to put in the Chip and Pin terminal. They had to wear a long sleeved jacket to hide the wires coming out of the fake card (not too difficult since most ships give the customer the terminal and you can keep your hand on the card) but obviously that wouldn't be a problem for someone sitting at home in front of their computer.

You also have to consider the other major downside of using smart cards - you have to have the card and a suitable reader to log in to the site. Not something the likes of Facebook will go for. How about mobile users? Those two-factor number generating devices seem more practical, but again someone like Facebook is not going to give all its non-paying customers one just so they can protect their privacy that Facebook already sold.

Re:And?

[CSMoran]

is there any actual GP-GPU software out there that isn't for black hats?

Sure, libraries interesting for the High-performance computing community (BLAS, LAPACK, FFTW, etc) have been or are being ported to GPUs. Several molecular dynamics packages (say, Amber 11) already use clusters of GPUs. Hard-core visualization software (that renders huge molecules via raycasting in realtime) uses GPUs.

Re:And?

[mlts]

Chip and PIN is not the best technology -- something like OATH, or IBM's ZTIC would be a far better implementation, perhaps giving the ZTIC device a built in EDGE/3G radio so it has its own link and doesn't have to be attached to a computer.

However, this "password hash HSM" is intended not to guard against a compromised password, but to guard against someone snarfing the /etc/shadow equivalent in case everything internal gets compromised. This way, even though a blackhat may have root everywhere, the best that can be done would be running password guesses and having the device then start producing "too many wrong guess" errors for 5+ minutes per user. A user with a weak password is still easily hacked, as this provides no benefit if there are other weak links in the chain.

Companies have learned to physically store their secret RSA keys in HSMs for SSL and whatnot. It is time for password data to be treated in the same manner.

Re:And?

[Phoghat]

I've got nothing to worry about then. My password is "password" 8 letters

Re:And?

[Svartalf]

Heh... Hashes ARE effectively one-way encryption with comparison of the cyphertexts. This isn't a problem of the hash itself compromising the problem- this is a brute force attack where you have the hash and you're iteratively going through each and every possibility, hashing it up and comparing it. If you did what you proposed, it'd be little different for this attack. It's just simply that the cheap GPUs make it simple and cheap. They've had this capability to attack things like WPA-PSK this way for a while, using a Virtex5 FPGA to empower a low-end Celeron laptop to smash through the keyspace on an access point in minutes.

Re:And?

[LWATCDR]

Not exactly.
Let's say someone gets a password file though social engineering. You detect the breach and have two weeks to get everybody to change their password or move sensitive data off the system. So if it took you a week to discover the hack you have a week to migrate data and people. If you have 10 minutes to crack the passwords your in a world of hurt.
It is a two edged sword. The more expensive the hash the more time it takes to break but the impact of each login on the system also goes up. Not an issue with a website that only gets a few tens of thousands of logins a day but when you get into the millions of logins a day it could become an issue.

Re:And?

[GameboyRMH]

Wow, the key I've started using on my newer encrypted disks would take 815 quattuordecillion (that's a number?) years to crack. It's over 40 characters long and would appear random to the untrained eye ;)

That seems optimistic though, I wonder if that calculation adjusts for Moore's law?

Re:And?

[Unequivocal]

Very true, but for purposes of comparing a plaintext password with a previously stored hash of same, it amounts to encryption for that specific use case. You could do the same thing with PKI of course, but PKI can do a lot more (or preshared key encryption), which is I think your point.

Re:And?

[marcosdumay]

It goes to show that we need longer and strong passords. It used to be that only strong was enough, but now it isn't. The future probably is on long computer generated passwords*, stored on a disk. Now, of course, that'll only help if the database administrator does the bare minimum of work and hashes and salt the passords, if he doesn't, there is no solution anywhere.

* If it is long, computer generated, and stored out of the brain, I guess it shouldn't be called "password" anymore, we have the word "key" for those things already.

Re:And?

[mcvos]

Seriously, if someone has your password hash, it's game over anyway and it doesn't matter if it takes 2 weeks or 2 months to guess the passwords.

Yes it does. Note that the article is mostly about 6, 7, and 8 character passwords. 15 years ago, 8 character passwords were already standard. It's not that much of a surprise that they're easily compromised now. Use 16 character passwords (pass phrases, most likely), and you're okay.

Re:And?

[goarilla]

Out of curiousity how can they check this if they can only compare hashed values from new input to stored hashes:

$ echo -n 'a' | md5sum
0cc175b9c0f1b6a831c399e269772661 -
$ echo -n 'aa' | md5sum
4124bc0a9335c27f086f24ba207a4912 -
$ echo -n 'aaa' | md5sum
47bce5c74f589f4867dbd57e9ca9f808 -
$ echo -n 'aaaa' | md5sum
74b87337454200d4d33f80c4663dc5e5 -

I don't really see a pattern here ! Wouldn't you have to use something like TTH to be able to do this ?

Ha Ha, mine goes to 11

[ColdWetDog]

Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU."

OK, so go to 15 characters. Using a password generator I can go as far as I like. Using some sort of password bank program, I can store passwords / phrases of any complexity and use copy and paste, thus having only one strong password to remember.

So, what am I missing? (And lets keep it on topic, folks).

Re:Ha Ha, mine goes to 11

[ZankerH]

I think you need a real random source (as some device counting radioactive decay) to create the passwords in a secure manner.

Done.

What now?

Re:Ha Ha, mine goes to 11

[Securityemo]

Also, password phrases. Most online stuff allows you to type in whole sentences. This + some substitution with special characters according to some personal mnemonic means pretty much unbreakable passwords. And even if it's overkill in a technical sense, I seem to be able to remember passphrases easier than passwords.

Re:Ha Ha, mine goes to 11

[JAlexoi]

Rent a few Amazon AWS Cluster GPU Instances and your 15 char password is broken for a mere 4 to 8 USD... Get the point?

Re:Ha Ha, mine goes to 11

[Joe+U]

Use your generator to make a 100 character password, then cut out chunks of it wherever you feel like and add a number or letter here and there until you have a password near the maximum password length for the site.

You don't need a truly random source to be unpredictable.

Re:Ha Ha, mine goes to 11

[alt236_ftw]

Single point of failure.

Essentially, you will need to carry a copy of your password bank with you AND the application which opens it at all times to function.
This means that if it gets compromised (your memory stick gets stolen/your dropbox account gets compromised/ etc...) an attacker will only need to guess/bruteforce/dictionary attack/social engineer/look over your shoulder one password and gain access to everything in your wallet.

Its not a bad plan in principle, but only if you keep important passwords outside the wallet just in case it gets compromised. The point of the article is to raise awareness to the fact that passwords take less time to bruteforce these days as GPUs are very well suited for the job.

Also, keep in mind that websites have can limits to what passwords you can use (up to x characters, no symbols, etc...)

And, you cannot copy paste your login password to an OS :)

Re:Ha Ha, mine goes to 11

[gbjbaanb]

most of the password generators do have randomisation, usually asking the user to bash the keyboard or jiggle the mouse. How random and/or useful that turns out to be is debatable.

Re:Ha Ha, mine goes to 11

[zlogic]

Password pharses are easier to intercept (and remember) if someone is looking over your shoulder. Even if they skip a character or two they could still guess the word.

Re:Ha Ha, mine goes to 11

[PTBarnum]

Exponential growth. Get the point?

Using the same scaling as the summary, you can crack 8 characters with about 64 GPU hours, which is about $50 on AWS.

By the time you get to 10 characters, you are talking $700k. 12 characters is into the billions. Of course, I doubt that AWS will scale their fleet to billions of servers just so you can rent it for one hour, so you're going to have to pay to build your own data centers and, for that matter, chip factories.

Re:Ha Ha, mine goes to 11

[Plekto]

All you need to do is use a unicode character set and it pretty much kills any local password cracking attempts.

Re:Ha Ha, mine goes to 11

[node+3]

But the number of potential attackers is significantly diminished. And he did mention deliberate character substitution, which helps against that (as well as helping against dictionary attacks).

Re:Ha Ha, mine goes to 11

[node+3]

And that's just to get ONE password. Unless you know what you are going after, you probably aren't going to put in that much effort. And you most likely won't know ahead of time going into it if the password is short enough to be worth even trying (although I suppose you could make some calculated risks here).

Re:Ha Ha, mine goes to 11

[phantomfive]

Most people aren't going to use password bank programs for 15 character passwords, it's too inconvenient. At that point, you might as well give up on passwords and move on to RSA keys.

This attack is only useful if the attacker can access the password file, it can be trivially stopped remotely by enforcing a delay of 1 second between login attempts. The lesson here is for website owners to keep their password files safe, because users WILL be vulnerable. Implement multiple layers of security around the password file, only give access to people you trust, whatever.

For the average user, the lesson is to use a different password for each (important) website, so that losing the password to one will not give the attacker access to all your accounts. In general this is probably a smaller danger than phishing or keylogging trojans.

Re:Ha Ha, mine goes to 11

[MobileTatsu-NJG]

Is that your password or a recently erupted volcano?

Re:Ha Ha, mine goes to 11

That's amazing. I've got the same combination on my luggage.

Re:Ha Ha, mine goes to 11

[plsuh]

What you're missing is that the percentage of the general population that can consistently (a) remember a long password and (b) type it without a failure at least 50% of the time, is in the single digits. Remember, general population, not geeks.

I've expressed the opinion for several years now that password authentication is broken, and that we need to move to two-factor authentication schemes ASAP.

--Paul

Re:Ha Ha, mine goes to 11

[6031769]

And, you cannot copy paste your login password to an OS :)

What? Of course you can.

$ ssh -l foo bar.baz.com
Password: [*paste*]
bar-foo 1 $

That's not to say you should of course, because it would be much better to use PKI, but the point is that you could if you really wanted to.

Re:Ha Ha, mine goes to 11

[vrmlguy]

Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU."

OK, so go to 15 characters. Using a password generator I can go as far as I like. Using some sort of password bank program, I can store passwords / phrases of any complexity and use copy and paste, thus having only one strong password to remember.
So, what am I missing? (And lets keep it on topic, folks).

I've been generating 14 alpha+num+special characters with Last Pass, only to discover that some sites restrict you to 12 or fewer chacters and/or forbid special characters. And recent attacks (like Sony and Gawker) have involved the hackers obtaining user's password hashes, which are generally kept where the web server can see them to authenticate you.

Re:Ha Ha, mine goes to 11

[Threni]

Why not just stick 20 'F's in front of all of your passwords?

Easy to remember, hard to brute force.

Re:Ha Ha, mine goes to 11

[orkysoft]

What about hash collissions? If you have a 37-character password, but there exists a 5-character string with the same hash, you're screwed.

Re:Ha Ha, mine goes to 11

[pandrijeczko]

OK, so go to 15 characters.

Go to 15 characters in your organisation and the number of numpties ringing you up on the help desk for password resets will increase exponentially. :-)

If you're feeling the need to go beyond 8 character password lengths, then that's the time to look at one-time passwords / challenge-response keys or even scrapping passwords completely and doing authentication over SSH with public and private keys.

Re:Ha Ha, mine goes to 11

[im_thatoneguy]

Screw the general population. I'm a geek and a 120+ WPM @ 98% accuracy typist to boot and I can't even enter our administrative password more than 50% of the time at work.

Re:Ha Ha, mine goes to 11

[Bieeanda]

I've developed a Pavlovian response to sites that demand case-insensitive passwords between merely six and eight characters long. Namely, I suffer the nigh-uncontrollable urge to bring my forehead into violent contact with my desk.

Re:Ha Ha, mine goes to 11

[aseidl]

Depends on the algorithm used to hash the pass and the way the attack works. I believe ighashgpu bruteforces it by generating all possible hashes and simply comparing them to the collected hashes. One password or a thousand - you only have to do it once. It's the same as using rainbow tables, without the need to have tons of storage. But again, it all depends on the algorithm.

Re:Ha Ha, mine goes to 11

[martin-boundary]

Exponential growth. Get the point?

You're right of course, but I'd like to chime in with another observation: people don't grow the size of their passwords to counter Moore's law.

Statistically, the human population will choose an average (rather low) size of password, and that's going to stay constant over time. When faster machines appear, the average amount of time required to crack a significant fraction of human passwords goes down.

Re:Ha Ha, mine goes to 11

[cloudmaster]

I think that's why I stopped using MD5 passwords in favor of SHA512 several years ago. ;)

Re:Ha Ha, mine goes to 11

[ThurstonMoore]

The place where I have my IRA (Hartford) does not allow passwords over 8 characters. This totally blows my mind.

Re:Ha Ha, mine goes to 11

[Nutria]

Why not just stick 20 'F's in front of all of your passwords?

The password system for the company-wide intranet where I work doesn't allow more than 2 repeating characters.

The list of rules is absurd and basically guarantees Post It notes.

Re:Ha Ha, mine goes to 11

[archen]

Some password systems aren't allowing you to type the same character in more than twice in a row these days. That's what stopped me from putting arbitrary non alphanumerics at the end of my password. I've also tried to do sequences of alternating characters but I find myself tripping over password length limits just as often.

And on top of this they want some stupid security question that lets you bypass all this.

Re:Ha Ha, mine goes to 11

[MikeBabcock]

I know people who use a password intermixed with digits. For example:

password + 19910101 = p1a9s9s1w0r1d01

Its not hard to do similar obfuscations and make yourself a good secure long password (albeit harder to type quickly the first few times).

Re:Ha Ha, mine goes to 11

[Lehk228]

for unimportant things i use a word with some symbols, for anything with real value attached to it i use a 16 character alph-num-sym computer generated password.

Re:Ha Ha, mine goes to 11

[rpresser]

Except for banks. Many banks notoriously limit you to 8 characters, sometimes even requiring them all to be alphanumeric!

Re:Ha Ha, mine goes to 11

[Tacvek]

The properly implemented ones use an entropy pool system, and mix in the new data. The pool keeps track of the amount of randomness present. As long as there is some random aspect to the input (such as the lowest few bits in the exact number of clock ticks between two key-presses), and as long as the entropy of each sample is underestimated, then the result can have any arbitrary number of bits of entropy less than the number of bits in the pool size itself. (One can prove a lower bound on how random the pool's value is after a given number of events).

Or basically if implemented correctly the result can be arbitrarily close to perfectly random.

Re:Ha Ha, mine goes to 11

[RzUpAnmsCwrds]

Reply to: Re:Ha Ha, mine goes to 11

Re:Ha Ha, mine goes to 11 (Score:3, Interesting)
by alt236_ftw (2007300) Alter Relationship on Sunday June 05, @09:11AM (#36344906) Homepage
Single point of failure.

Essentially, you will need to carry a copy of your password bank with you AND the application which opens it at all times to function.
This means that if it gets compromised (your memory stick gets stolen/your dropbox account gets compromised/ etc...) an attacker will only need to guess/bruteforce/dictionary attack/social engineer/look over your shoulder one password and gain access to everything in your wallet.

No one is going to do that. Seriously. No attacker that I am worried about is going to go to the trouble and risk of physically stealing my property to get into my accounts.

And, by the way, even if they do get my vault they need to crack my salted, 10 character, lowercase/uppercase/number/symbol password, which has been run through a million iterations of SHA-256 to generate the key for my password vault. Good luck with that one.

I am not immune to attack. But I am a hell of a lot harder to attack than the typical user. That alone means that the chances of me being a target are very low.

Re:Ha Ha, mine goes to 11

[VortexCortex]

Security Now 303 -- "Password Haystacks"

eg:
vC!#/.-.-.-.-.-.-!#/e-mail-place
vC!#/.-.-.-.-.-.-!#/routing-thing

TL;DNL: Length matters -- long easy to remember sections + short "secure" sections.

P.S. Disallowed "special" chars or limited length == service is not hashing your password (I don't use such services that my PW schemes don't work with).

Re:Ha Ha, mine goes to 11

[Wallslide]

And to further complicate things, the password that it gets at the end might not even be the right one. Sure, it will work for the specific type of hashing algorithm whose hashes you bruteforced, but if it's just a collision and not the actual password a user used, then it won't work at other sites which use a different hashing algorithm.

Re:Ha Ha, mine goes to 11

[Kozz]

Screw the general population. I'm a geek and a 120+ WPM @ 98% accuracy typist to boot and I can't even enter our administrative password more than 50% of the time at work.

Actually, that's why I'm an advocate of using passwords like "Screw the general population." Easy to remember, mixed case, spaces, and plenty darn long, amirite? I'm assuming that generally speaking, this would be an extremely safe password (disclaimer: I am not a cryptologist). I wouldn't even have to put it on a Post-It(TM).

Re:Ha Ha, mine goes to 11

[binary+paladin]

I'm a big fan of passphrases rather than passwords. If you use punctuation, it's even better. I'll drop in "&" in place of "and" and try to include meaningful numbers in there too. They're pretty easy to remember and really, really strong by comparison.

Re:Ha Ha, mine goes to 11

[jon3k]

Except, how do you even know he used a password generator to begin with, let alone which one? You're also assuming he didn't modify the generated password at all. i think you're more likely to accidentally guess his password than pull off what you're describing.

Re:Ha Ha, mine goes to 11

[MobyDisk]

What you're missing is that the percentage of the general population that can consistently (a) remember a long password and (b) type it without a failure at least 50% of the time, is in the single digits. Remember, general population, not geeks.

This myth needs to end. Most people can memorize phrases hundreds of words long:
"Mary had a little lamb, little lamb, little lamb. Mary had a little lamb whose fleece was white as snow."
"Four score and seven years ago..."
"Your mother was a hamster and your father smelled of..."
"I pledge allegiance to the flag..."

Instead of writing down your password, write down the name of the song. Throw your favorite band in the middle somewhere to salt it and *bam* -- unbreakable and easily memorized. All you have to do is type in the first letter of each word or something if you need to shrink it down.

Re:Ha Ha, mine goes to 11

[TheCount22]

That means your password is about 35 characters long interesting...

Re:Ha Ha, mine goes to 11

[defaria]

In a word - Lastpass. My passwords are not 16 characters, upper, lower, numbers and special characters. I don't have to remember any of them and they are all different for each and every of my ~200 sites that I log into. Lastpass types them in for me and I only have to remember my Lastpass password. Also, even a password of "g0D,,,,,,,,,,,,,," is 1) easy to remember and more uncrackable than "g3klj#8432jhsdl#%".

Re:Ha Ha, mine goes to 11

[OnePumpChump]

What you're missing is Grandma has to be able to figure out how to do this, too, and the fact that you may have to access those password-protected services from places where you can't use your password bank.

Re:Ha Ha, mine goes to 11

[cgenman]

Also, keep in mind that websites have can limits to what passwords you can use (up to x characters, no symbols, etc...)

This one drives me absolutely nuts. You create a system that you memorize to generate random-sounding passwords from a key phrase and the name of the website, then the website goes and screws it up through arbitrary restrictions. No underscores, Must have Underscores, no numbers, Must have Numbers, Letters only, Must have Symbols... I actually had a login the other day where the username was required to contain a number and a unique character, and the password had to be plain lowercase alphanumeric. I could remember the password just fine, but the username was impossible.

This is getting ridiculous. We need to standardize on min 8 / max 32k characters, arbitrary unicode, automatically rejecting dictionary words. There is no reason why any of the above should be a technological problem these days, and it should be flexible enough for future expansion.

Re:Ha Ha, mine goes to 11

[Vegemeister]

#! /bin/bash

# This script generates strong random alphanumeric passwords of specified
# length.  It takes a single argument: the length of the password to generate.
#
# usage:
#
#     ./genpass [length]
#     *wiggle mouse spastically until password is done*
#
#
# This shell script is made availiable under the terms of the GPL, version 3.
# The full text of this license may be found at gnu.org/licenses/gpl-3.0.txt
#

NUM=5;  #generate a 5 character string by default
if [ -n "$1" ]
then
    NUM=$1 #first command line argument is the number of characters to generate
fi

for (( i=0; i<$NUM; i++ ))
do
    CHARA=''
    while [ "$CHARA" = '' ] #keep getting characters until one is kept
    do
        #Get a random byte and keep if it's an alphanumeric ASCII code
        #If you want to include other characters, change 'a-z0-9' as desired.
        CHARA=`head -c1 /dev/random | tr -dc a-z0-9`
    done
    #print characters
    echo -n $CHARA
done

#print a newline
echo ''

Re:Ha Ha, mine goes to 11

[bloodhawk]

There hasn't been a need to grow with moore's law. "Most" people in the security community have considered strong passwords to be in the order of 14+ Characters (We use 16 minimum here) with a mix of upper/lower/numbers and symbols for a very long time, hence why passphrases have been the recommended approach for a very long time now. While computing ower has curtainly made these faster to calculate you are still looking at many years on average to effectively crack a strong password. The examples given in the authors posting would have been considered weak passwords a decade ago.

Re:Ha Ha, mine goes to 11

[Burning1]

That's true. And in most cases, having just one of the X number of passwords set on a system is enough to expose further security flaws. Security decreases as the number of users increase, not the other way around. From the perspective of a sysadmin, every user added effectively reduces the time required for an attacker to correctly match a valid password hash - see the birthday paradox.

Re:Ha Ha, mine goes to 11

[gstrickler]

Here's what you're missing. NTLM encodes passwords in 7 character units. An 8-14 character PW is at most 2x as difficult to crack as a 7 character PW.

Don't use NTLM password hashes (you can disable them on newer versions of Windows Server).

Re:Ha Ha, mine goes to 11

[gknoy]

It might take that long to crack One Specific Password, but imagine how many others you crack in the process, since you'd effectively be generating a rainbow table limited only by space.

Re:Ha Ha, mine goes to 11

[midom]

I'm not sure if this was supposed to be funny. It is much slower to enter same character many times (not only brain sucks at counting fast mechanical moves, but also you don't get finger parallelism ;-)

Re:Ha Ha, mine goes to 11

[NetSettler]

we need to move to two-factor authentication schemes ASAP.

And by this I assume you don't mean first letting the attacker guess our regular password and then second letting them guess our cousin's middle name or some such other bit of info trivially available from facebook or ancestry.com. :)

Sigh. I've bargained down to where I'd think it a major step forward if there were at least a law against using the word "security" as part of the name for those stupid fixed-set questions. It's probably more than one can hope for to actually forbid their use.

Re:Ha Ha, mine goes to 11

[TheRaven64]

Maybe you should buy a copy of The Code Book for someone in IT? A very similar restriction to that on the German use of the Enigma machine was a key factor in the allies' ability to crack it...

Re:Ha Ha, mine goes to 11

[AYeomans]

The logical conclusion should be we need to use complex passwords that don't need to be typed manually.
That tends to imply some hardware device (since pure software systems run the risk of compromise).
We've actually had these for some time - the crypto smartcards / phone SIM cards / etc that perform crypto challenge-response.
Some of these use public key crypto, so additionally there is no need to share your secret (i.e. private key) with anyone else.

We may sometimes need two-factor authentication, but the main reason is to ensure that the correct human is using the device, to the necessary level of assurance.

Note we also should not demand high authentication all the time - it tends to lead to social attacks / phishing. So for example it might be appropriate to only need the hardware device to allow access to see the balance of a bank account. (Which is much the same as just needing your cash card to enquire the balance over the counter.) But if you want to withdraw any sizeable sum, then demand a second factor (password/PIN) on each transaction.

Re:Ha Ha, mine goes to 11

[Nutria]

Maybe you should buy a copy of The Code Book for someone in IT?

As if that would work in a large, geographically distributed company when I'm nowhere near corporate HQ.

Re:Ha Ha, mine goes to 11

[IrquiM]

Root password? Don't need anything else, thank you.

Re:Ha Ha, mine goes to 11

[martin-boundary]

How does the security community force hundreds of millions of people to use 16 character passphrases, and how long will it take to happen? It's good that your systems have higher standards, but you're in the minority, whereas crackers can crack the majority's codes ever faster.

Re:Ha Ha, mine goes to 11

[AliasMarlowe]

Why not just stick 20 'F's in front of all of your passwords?

The password system for the company-wide intranet where I work doesn't allow more than 2 repeating characters.

The list of rules is absurd and basically guarantees Post It notes.

A similarly insane system is inflicted on me at work also. There are several empires controlling passwords: 2 mutually untrusting LDAP systems, Notes and Oracle and SAP (pity me), and several department-specific tools. Most of them force password changes every 90 days. Since they have different definitions of which "special" characters are allowed (one does not allow any), and don't all require the same length (one has a maximum length of 8, one has a length-must-be-exactly-six condition, and one has a minimum length of 9), it's not possible to use the same password for all. If you want my work passwords, they're on a fucking post-it note.

We claim to use 128-bit AES all over the place, and have password systems which rarely reach 40 bits of entropy. I've pointed out the idiocy to our IT support, while waving my critical post-it. While they are in agreement with me, they don't actually control the password systems either.

Re:Ha Ha, mine goes to 11

[plsuh]

consistently (a) remember a long password and (b) type it without a failure at least 50% of the time, is in the single digits.

This myth needs to end. Most people can memorize phrases hundreds of words long:

You missed the second part -- TYPE them consistently enough that they can get in without getting frustrated. I have no doubt that a large percentage of the general population can memorize long, complex passages at the word level. The number that can get them consistently right at the character level is much lower. The number that can get them consistently right at the character level when they are required to change the phrase every six months drops to near zero.


--Paul

Re:Ha Ha, mine goes to 11

[MichaelSmith]

The IT system at my last job had rules like a new password every week, minimum 8 characters. No dictionary words. So one day I had to help an engineer with something. He had gone home but a co-worker helpfully told me the standard password for their team was yyyymmww where ww is the week number in the year. They might have had a few random letters in there to satisfy the filter. Its been a while.

Re:Ha Ha, mine goes to 11

[MichaelSmith]

Probably saves them money on customer support.

Re:Ha Ha, mine goes to 11

[slashdottedjoe]

One simple solution for complex passwords would be a barcode reader. It may not be perfect in all situations, but I have used them and they act like keyboards, so it is easy to setup. The hard part is finding cheap ones, but I picked up 3 CueCats from BG micro in the past and they provide me with what I need for home use.

However, if they have your hash, then they are already inside, so you lose. If physical access to a system is an issue, you will need to encrypt the entire disk and keep you system off when you are not around.

I found that good passwords are not that hard to remember, if you do not change them. Extreme complexity seems quite the bitch, but when you type them everyday, your fingers tend to remember. I have several such passwords and I almost have to type them to actually remember them character by character.

Re:Ha Ha, mine goes to 11

[CSMoran]

Why not just stick 20 'F's in front of all of your passwords?

Easy to remember, hard to brute force.

That sucks when the system truncates passwords after the first, say, 16 chars.

Re:Ha Ha, mine goes to 11

[DavoMan]

thats actually pretty awesome. go unix

Re:Ha Ha, mine goes to 11

[Methuseus]

Try it when sitting at the local keyboard for a machine. In many cases there's no way to copy/paste

Re:Ha Ha, mine goes to 11

[alt236_ftw]

I stand corrected.

Similarly you can copy paste a password for an RDP session.

Re:Ha Ha, mine goes to 11

[alt236_ftw]

Indeed. You are probably not a target worth the time or effort.

Incidentally, salting only protects against dictionary attacks (not brute-forcing) and SHA-256 is generally hardware accelerated (unlike md5, so the crunching will potentially be faster in your case). Also as I would have a copy of your vault application, I could potentially edit the authentication part to remove any additional, non-functional, delays the vault program might have added.

But again, it depends on whether or not you are worth the effort.

The best way to do this would be to use a two token authentication (something you know + something you have), but its going to be a while to get a non-hacky global framework in place that keeps everyone happy, does not break country specific-patents and its not subject to export regulations. And it would have to be ubiquitous, and easy to carry and cheap enough for companies to afford to give out.

Re:Ha Ha, mine goes to 11

[Hatta]

No, the English language has constraints that decrease the entropy. English text only has about 1.5 bits of entropy per character, giving you 45 bits. If you use all printable ASCII characters, you get 6.5 bits of entropy per character. That's about the same as an 8 character case-sensitive alphanumeric password.

Re:Ha Ha, mine goes to 11

[ResidentSourcerer]

So, you use a device that is hard to use. Suppose you built into a ring. The ring has the ability to interface with a socket, and transmit a password. It's voice activated. "Present slashdot password" touch to socket.

You could also use it to store your public key and exchange it with other ring holders.

Of course it's new technology so initially the rings would need to be very cheap. And it will be the kids who will be early adopters. I suggest that they be given away in boxes of cereal.

Who knew that Captain Midnight Secret Decoder Rings could become reality?

Re:Ha Ha, mine goes to 11

[TheCRAIGGERS]

This is getting ridiculous. We need to standardize on min 8 / max 32k characters, arbitrary unicode, automatically rejecting dictionary words. There is no reason why any of the above should be a technological problem these days, and it should be flexible enough for future expansion.

Not a technological problem, no... but there are still problems with the approach.

1) That forces passwords to be fairly complex. The stereotypical grandparents with little patience for this crap will likely just give up. Most websites would rather a person use a weak password than not sign up at all.
2) The biggest security problem of today (IMHO) is not that passwords aren't secure enough, it's that most computers are so full of keyloggers and other malware. It doesn't matter if your bank's password looks like baud barf; if the hardware you're using is compromised, you're screwed.
3) The more complex you require passwords to be, the more likely people will just use one password for every service, which is much worse than having a weak password on one service.

And on a personal note, I think any password requirements are stupid. If I want a one-character password on some service, it should be allowed. Not encouraged, but allowed. It's my own responsibility to secure my access. Obviously this is only for personal use; your IT department at work will likely have a different view of this, and that is fine and expected.

Besides, it is common knowledge (and the whole point of this article) that if an attacker gets the hashtable, you're screwed. Any service worth its salt has anti-bruteforce functionality built in. Combine those two facts and password requirements aren't worth shit.

Re:Ha Ha, mine goes to 11

[Joe+U]

If you're still concerned at that point, you have much more to worry about than someone getting your password, you will either need psychiatric help or you will need to talk to your NSA handler.

Seriously, randomly shaving and modifying a 100 character (pseudo) random string down to 29 characters and expecting to find a pattern is nearly impossible.

[As for breaking into the vault, it's tied to a keyfile and a large password.]

Re:Ha Ha, mine goes to 11

[Beat+The+Odds]

Why not just stick 20 'F's in front of all of your passwords? Easy to remember, hard to brute force.

Not any more.....

Re:Ha Ha, mine goes to 11

[EdIII]

You have a great point.

All of my passwords are more than 20 characters, with the exceptions being sites and service that limit me. The Visa challenge/response for instance only allows 10 characters I think, and it is retarded that ATM pin codes are limited to 4 in most cases. Wells Fargo, before I left them for good reason, actually allowed 6, but it was an unsaid and unpublished policy.

I think most of the TrueCrypt passwords are 40-60 characters in length and I always have keyboards and the ability to use the "unprintable" characters (Above 127 in ASCII).

So most of us on Slashdot are going to be different. I don't care what kind of multi-million dollar GPU farm you have got going. You will still need a damn long time to crack one of my passwords.

That being said, your point, is that statistically we don't matter. Unfortunately, you are correct. Although my passwords are intensely secure, the executives and marketers (of which I am now convinced share memory attributes with that of gold fish) use passwords so weak as to be pointless.

I have even been asked, in frustration, why their passwords could not just be blank. Additionally, since I am a sysadmin I have been able to see a lot of password stats for just what I administrate and the average password length is 8. Which is the requirement. On one of the systems where the users are particularly cranky and difficult to deal with it is 6 characters, or basically a PIN code.

Thankfully, we limit their access quite a bit, but some of them still have access to sensitive data and there does not seem to be anything we can do about forcing them to use strong password practices since the pushback is tremendous and IT is *always* seen as replaceable, out-sourceable, easily ignored. After all, when an attack finally does happen through one of the executives laptops because he uses it to surf for porn it will be IT's fault either way.

So, we can argue about exponential this and that, numbers... blah blah blah, but you nailed it by simply pointing out that (once again) Slashdot does not represent most of the users out there to any extent, and that is where the vulnerability will always be.

Re:Ha Ha, mine goes to 11

[marcosdumay]

Statistically, the human population will choose '123456', 'password', or 'password123' as they passwords often enough for a hacker to get anything he wants.

Re:Ha Ha, mine goes to 11

[losfromla]

I was gonna say, "there now you've given it away!" but then I thought, this is probably common information in certain circles.

Re:Ha Ha, mine goes to 11

[JAlexoi]

Yeah... No... A single 5770 is nowhere near dual Teslas. But yeah you got the point for scaling problem. Yet, it's not as drastic as you express. Cracking an average English speaking user's account has the base of 62(26+26+10)

Re:Ha Ha, mine goes to 11

[JAlexoi]

for anything with real value attached to it

You should use two factor authentication for anything of real value.

Re:Ha Ha, mine goes to 11

[mcvos]

Yeah. It's amazing how systems involving real money insist on weak security. My bank seems to be one of the worst. I've been planning to switch to another bank for ages now, but my entire life is tied to this bank account, and I just can't be bothered.

Re:Ha Ha, mine goes to 11

[mcvos]

For unimportant things, I use a 6 character word, all lowercase, no symbols or numbers. But this is only for stuff where I really don't care if it's compromised, like web forums.

Re:Ha Ha, mine goes to 11

[MobyDisk]

You missed the second part -- TYPE them consistently enough that they can get in without getting frustrated.

I didn't miss it all. I even addressed it in my post when I said "All you have to do is type in the first letter of each word or something if you need to shrink it down." I've used this technique successfully on computer illiterates with great success. They actually find it *easier* to remember passwords when they are derived from a phrase.

But the issue goes even deeper than this - people should stop even using the term "password" because passwords are hard to remember and insecure. We should be using "passphrases" instead. the user doesn't have to remember the character-level details since they can simply use whatever normal capitalization rules like they use every day. Passphrases can actually be fun - kids use them all the time: secret lingo, knocks, etc. Our problem is that we limit people's ability to be creative and turn it into a math and memorization exercise.

The thing about changing it every six months is irrelevant - such expiration rules are stupid if we use passwords, passphrases, gestures, pictures, or whatever.

If someone gets your hashed password, you're done

[homesnatch]

It is well known that if someone gets your hashed password, it is as good as cracked. 17 minutes vs 4 minutes is irrelevant.

On a live system, it is quite another story. You can't just remotely try 3.3 Billion passwords per second.. You'll be locked out after 10 attempts or so.

Re:So What?

[Securityemo]

This is about offline hash cracking, not bruteforcing passwords over a network connection.

Dunno if that helps

[zero.kalvin]

My passwords(for important things like the disk encryption one or my work email) are at least 13~15 characters long, including Upper-Lower cases, numbers and special characters, and no dictionary words. Now I did my part, so how about the people on the server side ?

Re:Dunno if that helps

[danielpublic]

My passwords(for important things like the disk encryption one or my work email) are at least 13~15 characters long, including Upper-Lower cases, numbers and special characters, and no dictionary words. Now I did my part, so how about the people on the server side ?

I would also like to know, how come/why say sha(2) is not the default instead of md5 and/or why blowfish is not supported by glibc? Long time user of passwordmaker here. Change my masterpassword every year, twentyfive char password where THEY will let me. *adjust tinfoil*

It's time for slower hash functions

The answer to this kind of attack is to hash passwords using hash functions that take a bit more time to compute.

Re:It's time for slower hash functions

[grahamsz]

Yeah, I was thinking about doing that on my site in light of the gawker crack.

Logins are relatively rare events on the server, so I could do something like 1000 SHA-1's with a salt on each iteration. That'd mean

a) It'd take 1000 times longer to crack (obviously this is a constant war between me and the adversary)
b) If i build my own salting implementation on top of sha-1 I doubt I could end up with anything less secure than SHA1 but hopefully it'll require custom software to actually do the exploit.

Re:It's time for slower hash functions

[VortexCortex]

The answer to this kind of attack is to hash passwords using hash functions that take a bit more time to compute.

Not just "slower" but also algorithms that require larger memory pools. SHAs take so little memory hundreds of state instances can be cached on most chips -- Big memory pool hashes are harder to parallelize since you run into caching barriers, RAM limits, and transfer speed limits.

Even key stretching with a general purpose (read: fast) hash only leverages processor power. Why not use a more memory consumptive hash (like bcrypt), and leverage RAM limits too?

Re:It's time for slower hash functions

[grahamsz]

Thanks - will look into that

Re:It's time for slower hash functions

[grahamsz]

If I set up something like password_x = SHA1(password_(x-1) + SALT) I really can't see how that would be an issue unless it exposes some weakness in SHA1.

Still the bcrypt solution below looks a lot better

What about salting?

[TubeSteak]

Is my five letter password more secure if the salt is 15 characters long?
Or am I misunderstanding the nature of the attack and of hashed passwords?

Re:What about salting?

[mazesc]

You are misunderstanding it. Salting only protects from precomputed tables containing (password, hash) entries (rainbow tables) when using a unique salt. I didn't read TFA, but I assume this is a simple brute-force attack. The attacker would just add the salt to each guess, which does not make it any more difficult.

Re:What about salting?

[Hermel]

> Is my five letter password more secure if the salt is 15 characters long?

No. The salt helps against dictionary attacks. Normally, it is different for every user, but not secret. It does not help against brute-force attacks.

What does help, is adding more rounds to your key-derivation function (e.g. PBKDF2). Or choosing a longer password.

Re:What about salting?

[jonbryce]

The salt is stored in a relatively insecure manner. It needs to be because the system takes the salt, adds it to the password you supply, runs it through the hashing function and compares it with the stored hash.

Re:What about salting?

You are misunderstanding it. Salting only protects from precomputed tables containing (password, hash) entries (rainbow tables) when using a unique salt. I didn't read TFA, but I assume this is a simple brute-force attack. The attacker would just add the salt to each guess, which does not make it any more difficult.

Not quite. If the salt is long enough, it will slow down the computation of the hash function and thus slow down the attack. It takes longer to hash a 1megabyte password+hash than a 15 byte password+hash

Re:What about salting?

[mazesc]

It just protects from precomputation of the hash values of the passwords. If there were no salts then the hash value of a given password would look the same in every database (if the same hash function was used). So if you would precompute a rainbow table, where you store the password next to the hash value of the password, you could attack every database easily in the same way by just comparing the hash values and using the password stored next to it in the rainbow table.
Now, with salting we get a unique hash value even if the password stays the same, rendering precomputation useless. The salt, however, is stored in plaintext next to the hash value: (hash, salt).

This does obviously not keep an attacker from computing the hash value = hash(password + salt) - it just helps against rainbow tables.

If you would still want to precompute a rainbow table the amount of memory needed would make it impractical. With n bit salts you would have to store 2^n entries for each password.

Re:What about salting?

[Joce640k]

The crazy thing about salt is that it's always known by the attacker...

Re:What about salting?

[mazesc]

You are right of course, but if you would just store extremely long salts for that reason, it would make more sense to include a time delay between computations. Are such long salts used in practice?

Re:What about salting?

[mazesc]

ah, i was stupid - time delay obviously makes no sense in offline cracking

Re:What about salting?

[Bogtha]

You're missing the point. If a unique salt is used for each password, then you have to attack each password individually. If the same salt is used for each password, then when you compute a hash, you can compare it against all the hashes in the database at once.

Unless the attacker is targeting your account specifically, then yes, individually salted passwords help.

Re:What about salting?

[gpuk]

I'm not a crypto expert but my understanding of salt is that it is simply an algorithm you apply to your password before it gets hashed. In order to verify a password, the system obviously needs to know the salting algorithm in order to compute the correct hash. If your password hashes have been stolen, it is reasonably likely that your salting algorithm has too. Therefore, whether or not each hash has it's own unique salt becomes largely irrelevant as the attacker will likely know how to produce each salt.

Of course if the authentication box and the hash database are on separate machines and only the hash database gets hacked, then it might be slightly useful. But then, even if you only used one salt for all the hashes, your passwords would still be safe from rainbow tables assuming your auth box was not hacked.

Re:What about salting?

[stonewallred]

Ok, call me stupid, but password stuff is not my area of expertise.

If "salt" means added random bits (from wiki) how does memory play a role?

Is it RAM they are talking about rather than hard drive space?

With TB drives less than $100.00 USD, it seems that space can't be the problem.

My only solace is knowing that I don't use the interwebs for any type of banking access, and that all my passwords are 15+ characters long and stored securely on Post-it notes by my computer. And if they are in my house looking at them, I got bigger worries than the sanctity of my WoW and /. accounts.

Re:What about salting?

[Bogtha]

my understanding of salt is that it is simply an algorithm you apply to your password before it gets hashed.

No, it's randonly-generated data that is combined with your password before it gets hashed.

If your password hashes have been stolen, it is reasonably likely that your salting algorithm has too. Therefore, whether or not each hash has it's own unique salt becomes largely irrelevant as the attacker will likely know how to produce each salt.

Where in my comment did you get the idea that I think that the attacker doesn't know the salt?

When somebody performs a brute force attack, they generate as many password hashes as they can, comparing those hashes against the hashes stored in the database. If the hashes match any of the hashes in the database, then they've cracked a password.

When a single salt is used for the entire database, the attacker can use the salt so that it's only the password he needs to guess. When he generates a hash, he can compare that hash with all the hashes in the database, and he can get 0-n hits, where n is the number of accounts. If all the accounts have the same password and he cracks it, he has access to every account.

When a unique salt is used for each account, the attacker can still use the salt so that it's only the password he needs to guess. But now, when he generates a hash, he can only compare that hash with the account he took the salt from. He can get only 0-1 hits*. Even if all the accounts have the same password, he'll still have to crack each of them individually because their salts are different, so their hashes won't match.

As I said, if your account is being targeted specifically, it won't help, but if the attacker is merely trying to compromise as many accounts as possible, individually salted hashes do protect you.

* Not counting collisions, obviously.

Re:What about salting?

[icebraining]

No, the salt is a large block of random data (usually stored as a string) that you append to the password before generating the hash.

Stealing the salt does nothing to prevent its purpose, which is to stop the use of precomputed hash tables, because it's not feasible to compute a table with all the possible large inputs.

http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190#1645190

Re:What about salting?

[icebraining]

With TB drives less than $100.00 USD, it seems that space can't be the problem.

With a decent salt size, the required space to store all the precomputed hashes quickly reaches exabytes (millions of TBs).

Re:What about salting?

[icebraining]

It's still not that useful, it's preferable to use algorithms that have a difficulty factor, like bcrypt, or hash many times.

Re:What about salting?

[pipatron]

Relatively insecure, as in, plaintext.

Re:What about salting?

[pipatron]

No, stuff like http://en.wikipedia.org/wiki/PBKDF2 is used in practice for this purpose. A one mega/giga/terabyte salt, wtf?

Re:What about salting?

[Kr3m3Puff]

mod parent up... Exactly PBKDF2 combines all the current best practices into something that is difficult for CPU or GPUs to deal with.

An attacker would need access to the hashes, then they would need access to the salt (even if the salt is insecurely stored, it should be kept separate from the hashes, though some idiots do put the salt in the same data store as the hashes) and then they need to determine how many iterations to run (again, usually requires source code level access) and then needs to wait a few decades for most "insecure" passwords and a few centuries for any moderate passwords.

Now in 20 years, that maybe irrelevant, but for now, implementing PBKDF2 would make it very difficult for a long time to come to recover passwords.

Re:What about salting?

[gpuk]

Nice explanation, I stand corrected :) I hadn't considered the (obvious now you point it out to me) fact that lots of users would likely have the same password.
Unique salts obviously help in that regard.

Re:What about salting?

[gpuk]

I wrote "an algorithm you apply to your password before it gets hashed" which could of course mean appending random string data. My mistake was to assume that appending the same randomly generated string to all passwords would be sufficient salt. I didn't consider users who used the same password.

Re:What about salting?

[icebraining]

It's not only about those who use the same password. If the same salt is used for all passwords, the attacker could build a single lookup table with that salt and crack all paswords with that single table.

If you have a salt per user, the attacker needs to brute force for each and every password.

Re:What about salting?

[pinkushun]

Correct, salting is used to secure _many_ rows of hashed passwords, it basically ensures that the attacker _has_ to brute-force each hash.

Re:What about salting?

[petermgreen]

No. The salt helps against dictionary attacks. Normally, it is different for every user, but not secret. It does not help against brute-force attacks.

Correction the salt helps against precomputed attack tables it does not help against direct attacks. Whether the attack uses a dictionary or simple brute force is irrelevent.

"Strong passwords useless"? Hardly...

[Pennycook]

From TFA: "It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days."

Re:So What?

[gtvr]

This has to be considering that someone has the password file. Even if a remote system responded immediately, there is lag for the transmission. Also the local host isn't doing the computation, the remote host is, in that case. The GPU or local CPU is only doing the computations if you have the password to compare against.
I don't know if I wrote that clearly. In other words, if I try to log on to an NT server, and type the password "abc" then the remote server is doing the hashing, not my local CPU or GPU.

Who cares?

[IICV]

Hooray, you can crack an NTLM password in like five seconds! Too bad Windows has preferentially used Kerberos since Win2K, which means that pretty much any in-practice Windows network you'd like to hack in to is using a real security scheme.

I mean, really. This article isn't about how much faster a GPU is than a CPU for hash cracking (after all, four days to reverse a hash is still unacceptable, and that's brute forcing it and not using one of the widely available NTLM rainbow tables), it's about how much NTLM sucks and Microsoft should have never contravened the first rule of cryptography and tried to roll their own.

Re:Who cares?

[Tinctorius]

Mod parent up. This tool has no further practical applications and it is not news that brute forcing works better with GPUs than CPUs. It's exactly what they're meant to do.

Re:Who cares?

[ivoras]

Technically, MS *did* use a valid and acceptedly secure hash functions, DES and MD4. The problem is that, because of backwards compatibility across their 20-year product spans, they were not as vigilant in updating the protocols. Even when they *did* upgrade them, they went to MD5 (with NTLMv2) - which was again proced weak - but they continued to use the older protocol which allowed trivial attacks.

Which is why anyone "worth his salt" will laugh if you propose a crypto system which is supposed to last 20 years and is not flexible in its choice of component algorithms.

Re:Who cares?

[jayhawk88]

Well keep in mind that Windows generating and saving an NTLM was the default setting up until at least Server 2003 (not sure about 2008 but I think they took care of this). Sure, good admins turn this off, but how many systems are there out there where it isn't turned off, or perhaps even turned back on for compatibility reasons?

Re:Who cares?

[yuhong]

NTLMv2 did not change the password hash scheme. Don't confuse the protocol changes with the hash changes. It did prevent the even weaker LM hash from being transmitted in certain areas, I think. Of course, the fact that the password hash is transmitted in the first place means you can log in directly over the network already without the cracking.

Re:Who cares?

[cloudmaster]

Actually, the tool linked also cracks MD5 passwords. And SHA1. And a number of permutations:
http://www.golubev.com/files/ighashgpu/readme.htm

1Password FTW

[rekoil]

Shameless plug follows...

Seriously, once you're free from having to remember your own passwords, you can make them as long and complex as you like, and you can use a different *truly random* password for every login, so one compromise won't lead to others. There are freeware workalikes, but none that match 1P's feature set (syncing, browser auto-fill/change plugins, etc). Highly recommended.

Re:1Password FTW

I like LastPass better but I agree that everyone should use one of these services. The reason I like LastPass is you can use it on pretty much every platform out there for free and if you pay $12 a year you get smartphone apps and mutlifactor authentication. Also, and most importantly, LastPass is a really good company. They merely suspected they might have been attacked over their network a few weeks ago and they took thorough measures to ensure that the public was notified. Compare that to companies like Playstation and I think you will see why I suggest people use LastPass.

Re:1Password FTW

[cbiltcliffe]

Your shameless plug is correct, but for one problem:

When you use a fingerprint sensor, the traditional attack methods (brute forcing, social engineering, etc) still work. But you also add a new attack method, by generating a fake fingerprint from that coffee cup you threw into the trash that morning.

Needless to say, increasing the possible attack vectors decreases security, rather than increasing it.

Re:1Password FTW

[Pieroxy]

To be fair, the attacker population is vastly decreased with a fingerprint scanner. The script kiddie in China cannot do much as far as my coffee cup is concerned. And the usual problems with stupid passwords and using the same pwd all over the web are gone. So I'd say security was increased.

I'd be more worried about my computer crashing and my long and unmemorizable password collection just vanishing...

Just saying.

Re:1Password FTW

[cloudmaster]

Your fingerprint is read by a consumer-side device, converted to a string of some sort, and sent to a server to verify. The hacker now just has to brute-force that string instead, and send it in response to "what's your fingerprint". Hopefully that's hard, but maybe it's not.

Re:1Password FTW

[FrankSchwab]

Brute force a 128-bit equivalent random string?

Go ahead, give it a try. I'll wait.

Re:1Password FTW

[izomiac]

Are there 128 bits of entropy in the image produced by fingerprint readers? With only ~100 million fingerprints on record, there are a handful of known false positive identifications. Wikipedia knows of four cases of misidentification, so a low estimate would be an "identical" (for current technology) rate of 4/100,000,000, or 2^-24. So you get 24 bits, that's a four character mixed-case alphanumeric password. (IOW, 2345 is a 13 bit password, and twothreefourfive is a 13 bit password with some security by obscurity, not a 128 bit password.)

Re:1Password FTW

[DavoMan]

except every finger printer scanner known to man-kind can be fooled using everyday kitchen objects. wear a glove and shake someone's hand. put superglue vapour onto the glove. peel off. you have a print. not warm or moist? easy. lick it and put it over your finger. even the smartest ones which read your pulse, moisture and geometry will be fooled by that. fingerprints == next to useless.

Re:1Password FTW

[cbiltcliffe]

You're assuming that people will no longer use stupid passwords when they've got a fingerprint scanner. If you've been around the block more than once, you'll know this is simply not true. People will still use a password of '123456' for their facebook account, and use the same one for their bank account, since they always use it for facebook, making it easy for them to remember. Then they'll program in their fingerprint to give their lame password to both sites.

But they'll think they're more secure, because the Best Buy commercial that advertised their laptop said "It's got a fingerprint scanner for security!"

People are stupid. People are lazy. Security requires zero amounts of both.

Re:1Password FTW

[cloudmaster]

Well, that's what I was referring to when I said "hopefully it's hard". But really, brute force isn't the only way. Let's say this fingerprint reader is the way you start authenticating to a bunch of web sites. All I have to do is find one which I can compromise, either through weak encryption or some vulnerability on either end (man in the middle, phishing, whatever). Once your fingerprint's string has been compromised, then what? You plan to change it? :)

I'm curious (as is izomiac, I'd imagine) - where did you come up with 128 bits for fingerprint reader data? A few seconds of Google didn't get me anything.

Re:1Password FTW

[metrix007]

2345 is a 13 bit password, and twothreefourfive is a 13 bit password

Wanna check that?

Re:1Password FTW

[Fizzl]

Sorta related

Re:1Password FTW

[marcosdumay]

We have a name for long passwords that you don't need to remember... It is "cryptographic key", or just "key" to be short. Now, the browsers could start implementing RSA authentication (even the specs are done, SSL is complete) for the end user, and let all this problems with unprotected passwords go away.

Windows problem!

[SmilingBoy]

This is really a Windows problem. Windows uses a simple, fast hashing function (I think some version of HMAC). This means that an attacker can churn through many passwords very quickly (apparently billions per second per the article). You should really use a slow hashing function that takes around 0.1 to 1 seconds to calculate one hash on the server. Even a GPU will then take very long! Plus don't forget salt (different per user) against rainbow table attacks, plus key strengthening. Something like bcrypt is pretty good, but scrypt is probably even better as it does not only require a lot of CPU time but also significant memory (making dedicated hardware crackers much more expensive).

Re:Windows problem!

[thoughtsatthemoment]

even if the hashing function is fast, you can use many iterations to slow it down.

Re:Windows problem!

[dave420]

Exactly. That was the problem with the password storage on Blackberries. It iterated the HMAC once, whereas iOS 4 does it 10,000 times. Clearly an implementation fault.

Re:Windows problem!

[sshock]

Mod parent up. The NT hash is essentially just a single MD4 of the Unicode password. (In the SAM file the hash is also obfuscated with the RID and encrypted with the syskey, but RID obfuscation is easily removed and the syskey by default is just stored in the registry and can be easily extracted.) MS should have deprecated the NT hash like they did the LM hash, and replaced it with a salted iterative hash like PBKDF2.

Re:Windows problem!

[SmilingBoy]

Well, I *was* talking about the NTLM hash obviously (LM hashes are a joke basically). Even though it is much better than the LM hash (especially on passwords longer than 8 characters), it is still very easy to bruteforce (as the article says), in particular compared to better alternatives.

Re:Windows problem!

[SmilingBoy]

And that is exactly what is being done essentially.

I was not very verbose - I would call the hashing function "run MD5 1,000,000 times iteratively" a function in its own right, and I would also call it a slow hashing function.

Re:Windows problem!

[yuhong]

AFAIK HMAC-MD5 is used by NTLMv2 for transmitting the password hashes over the network.

Re:Windows problem!

[cloudmaster]

Yeah, the MD5 algorithm your old RedHat Linux box probably uses sure takes this tool a long time to calculate.
http://www.golubev.com/files/ighashgpu/readme.htm
Oh, wait...

Oh, and the DES algorithm your HP-UX and AIX systems still use is really hard. And don't forget the BigCrypt (two or three DES iterations!) the TCB implementation on that HPUX system, oh my!

It's a problem outside of Windows, because computers have gotten faster since the late 90s when we realized that NTLM was too simple. :)

Re:Windows problem!

[WuphonsReach]

You should really use a slow hashing function that takes around 0.1 to 1 seconds to calculate one hash on the server.

All you're doing is moving the decimal point a few positions when you use an iterative hash. Plus if the server takes a full second to calculate the hash, you're going to have some very pissed off users. What happens when the average server load has a dozen users all logging in at the same time? Each one probably has to wait 6-12 seconds as the server tries to handle calculating the passwords at the same time as getting work done.

Sure, if you're protecting billion dollar secrets, then it's worth going that distance. But for the average attacker, it's pure overkill and does nothing but drive your costs up.

The average attacker is opportunistic. They're not going to spend a million to break into a system that is only worth a few thousand. As long as your passwords are long enough (i.e. not 8-chars or less), complex enough (not dictionary words, requiring a mix of alphabetic, numbers and symbols) and you use a per-account salt, most attackers are going to give up after a few days. Heck, most won't spend more then a few hours against a single hash.

Attackers which are specifically targeting you are a completely different story. They will go after your systems in multiple ways and will have resources in excess of you. Social engineering, trojans, worms, exploits, physical intrusion and intimidation / torture will be used and your ultra-difficult password hash algorithm will be for naught.

Re:Windows problem!

[SmilingBoy]

All you're doing is moving the decimal point a few positions when you use an iterative hash. Plus if the server takes a full second to calculate the hash, you're going to have some very pissed off users. What happens when the average server load has a dozen users all logging in at the same time? Each one probably has to wait 6-12 seconds as the server tries to handle calculating the passwords at the same time as getting work done.

OK, if you have a server where you expect that many logins at the same time, just go for a shorter time, say 0.05 s. If you have 10 users logging in within the same second (and where does that happen except at the most high-volume sites?), the server will still be at 50% CPU load only. However, the security will still be magnitudes better than the 50 ns or whatever it takes with a simple hash now. With slow hashing and per-user salt, even short passwords (7 or 8 digits) are pretty well protected. And there is really no reason not to do it.

Re:Windows problem!

[WuphonsReach]

Increasing the time to calculate the hash is fine. But only up to a certain point. There are cheaper ways to increase the search space.

When you get into the scenarios of increasing calculation time by 10,000 or 1 million times, then you've probably gone too far. You would gain more from enforcing the use of slightly longer passwords with complexity checks. Each additional character adds 60x to 80x to the search space. (Depends on the mix of upper / lower / numbers / symbols.)

Forcing your passwords to be an average of 2 characters longer:
60^2 = 3600 or 80^2 = 6400

Which is already a bigger gain then switching to a hash algorithm that takes 1000x longer to calculate.

And if you force passwords to be 3 characters longer: 60^3 = 216,000, 80^3 = 512,000

The difference between an 8 character password and a 12 character password is not that big. But it increases the possibilities by a very large amount (13-40 million times). Especially when coupled with a modest (1000x) increase in hash calculation time.

And past a certain time investment to crack a single hash, you've exceeded the reach of opportunistic hackers to break in. Now you're into the realm where only targeted attackers, specifically out to get you, will bother. And they will employ other methods like social engineering, exploits, vulnerabilities, spyware, physical intrusion, intimidation, etc.

Re:Windows problem!

[MrAngryForNoReason]

You should really use a slow hashing function that takes around 0.1 to 1 seconds to calculate one hash on the server.

require a lot of CPU time but also significant memory

Which is a great idea unless you care about performance of your server. Any increase in work for an attacker is balanced by the increase in work for your server. Most people don't want to have to run a cluster of high powered servers just to calculate hashes no matter how secure they might be.

Re:Windows problem!

[SmilingBoy]

Maybe, but since you need to calculate only one hash per login attempt, increasing the time it takes to calculate this hash is fairly negligible in most scenarios. On the other hand, it makes attacks as the one described magnitudes more difficult.

Re:Windows problem!

[MrAngryForNoReason]

If it increases the amount of time to calculate a hash from a tiny fraction of a second to a whole second then that is likely to be significant if the number of users is at all significant. The whole subject of this article is that someone trying to crack a hash can apply a lot of specialised processing power to do so and that making them more complicated isn't really a solution because of this. Getting into a processing arms race isn't really a long term solution for security.

That said if you are running a server with low load and have tons of spare processing power then yeah why not make it a bit more secure by using stronger hashes. I am just pointing out that in real world situations burning up processing power on a server for something like this isn't usually an option.

Re:Windows problem!

[SmilingBoy]

As I have mentioned in another comment - even if you increase the time it takes to hash password+salt to 0.05 seconds, this will make an attack very difficult compared to the time it takes to calculate a normal hash. This will allow 10 logins in the same second with only 50% CPU load. I doubt that there are many sites out there that have such a large amount of logins on a single server. By the way, the article doesn't talk about a lot of specialised hardware - just a simple GPU.

Faulty Assumtions

[imsabbel]

A 6-7 letter password only using letters and numbers is NOT strong.

It would be trivial to cover it with rainbow tables and have near realtime cracking even without GPUs.

_Not weak_ would be 10 letter+, with a salt. Would make brute forcing not really that easy anymore...

Re:Faulty Assumtions

[thoughtsatthemoment]

We should also allow unicode characters. Those obscure Chinese characters that no one can write by hand would be really handy.

Re:Faulty Assumtions

[yuhong]

AFAIK the NT hash already does. Up to 255 UTF-16 chars. Note that IMEs are not allowed for passwords though in Windows, as it would defeat password masking.

Re:Faulty Assumtions

[rtconner]

I kind of get the feeling that in 5-10 more years that even this won't be enough.

Re:Faulty Assumtions

[gbutler69]

No, they wouldn't. They'd be represented as mult-byte characters. You'd still have a password consisting of some number of bits. How would you enter the Chinese character? Do you have keyboard with all the thousands of characters? No? Then you'd need to enter the unicode equivalent (e.g \u2023 or somesuch). Which would end up being between 2 and 6 bytes. Why not just type 2 to 6 other characters. It would be nearly equivalent.

Re:Faulty Assumtions

[jpate]

Those obscure Chinese characters that no one can write by hand

Um, over a billion people can write them in... wait for it... China! Yes, they do have computers there, and yes, they do type and read Chinese characters with them.

Re:Faulty Assumtions

[thoughtsatthemoment]

I meant the subset of characters that is obscure, not that all Chinese characters are obscure.

Re:Faulty Assumtions

[WuphonsReach]

I would say that 8 chars or less is basically broken now. It still falls in the realm of targeted attacks though. And the attacker will probably be working from a "most commonly used password" list instead of blindly attempting all of the possible permutations.

Or they'll use a weighted permutation (say 65% lower case letters, 20% upper case, 10% numbers, 5% symbols). Which covers an awful lot of passwords that normal users will come up with. And is a lot faster to iterate through.

If an 8 character password of the above complexity takes 9 hours (at 5 billion/sec) to crack, then a 9 character password will take 22 days. So each character added is about a 60x multipler.

Get out to 11 characters and you're up to 79,000 days (216 years). Go to 12 characters and the time is measured in millennia (13,000 years). Combine that with a modest increase in the complexity of calculating the hash (something that takes 1000x as long) and it buys you time.

The rate of increase of computer power per dollar has definitely slowed. At best, for embarrassingly parallel problems, it's maybe a 50% increase per year and that rate is slowing down. That means in 3 years, N currency will only buy 3.4x computer power, and in 10 years it will buy 58x computer power. So a machine that currently costs $1000 and has 6-cores would need to have 348-cores doing the same amount of work per hour as the 6-core version. And I don't see that rate of advance as being sustainable.

10 is probably okay for a few years, but 12-15 is more likely to stay safe for a few decades. Past that, 2-factor authentication will have to become commonplace.

Re:Faulty Assumtions

[marcosdumay]

If you did RTFA, you'd see that they just needed 48 days for a 9 characters long password. Of course, that means that one'd need a bit more than 2 years for a 10 chars long password. I mean, one'd need that time with one current GPU, if he waited those 2 years, 1 more would be enough... And we need to add an extra char at our passwords each 10 years.

If only...

[oGMo]

If only storage technology had kept up with GPUs! Instead of being limited to 8 character passwords because of stringent storage limitations, we could use entire passphrases that might be both fairly easy to remember and far more challenging for password guessing. But I guess we'll have to wait for some sort of technological breakthrough...

:p

Re:If only...

[betterunixthanunix]

If your passphrase is longer enough, you get a diminishing return, as there is going to be a collision with a shorter string, and so the amount of work your attacker needs to do is really bounded by the length of the output of your hash function.

Re:If only...

[krakass]

I worked for a company where passwords were limited to 8 characters, no more or less. Also since passwords had to be changed every 90 days most employees just chose a 6 or 7 character base password and incremented it by 1 each time.

Re:If only...

[Jonner]

No authentication mechanism (not even the current version of NTLM) properly based on a cryptographic hash limits the length of the password. Any such system produces a fixed-length hash of the password regardless of the length of the password. If a system imposes a limit on the length of passwords, that's a sure sign it's storing the passwords themselves, either in plaintext or encrypted by some common key. This is well-known to be a bad idea, so anyone doing it is extremely ignorant or negligent.

Cry me a river

Yeah, brute forcing NTLM login passwords. What's next, brute forcing your bank's 4 digit pin code? Please, give us a break. From wikipedia on NTLM: http://en.wikipedia.org/wiki/NTLM

Microsoft no longer recommends using NTLM in applications:

Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy check (CRC) or message digest algorithms (RFC1321) for integrity, and it uses RC4 for encryption. Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM.

Re:"Strong passwords useless"? Hardly...

[JAlexoi]

If you're a hacker, my bet is you have at least 10 more friends with recent gaming rigs... And guess what? The problem is embarrassingly parallelizable. 4.8 days for a 9 char password(worst case, btw)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Slow hashing algorithm

[matzahboy]

Just make the hashing algorithm slower. For example, let's say you use md5 to hash the passwords. Hash the password 1000 times with md5 instead of just once. This will increase the time it takes to crack the passwords by a factor of around 1000.

Re:Slow hashing algorithm

[leuk_he]

No it won't. Running the same hash multiple times does not make it better. that is not how crypto works. Besides that, that would make it incompatible with older NTLM systems...

The password needs to be strong enough. Acrtually in NT passwords can be 255 chars long. maybe there is even room for improvement

Re:Slow hashing algorithm

[matzahboy]

It doesn't make it any stronger, but it means that it takes longer to brute-force (since if it takes you longer to hash the password, it will take the person brute-forcing it that much longer to hash each potential password).

Re:Slow hashing algorithm

[matzahboy]

Take a look at this article which explains why you want to use a slow hashing algorithm (such as doing md5 1000 times): http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

SmartCards

[DaMattster]

Since GPUs are rendering traditional passwords insecure and obsolete, why not go with a broader usage of smart cards? Also, build in mechanisms to deny IP addresses from machines that are attempting to use brute force. I do it with OpenBSD's PF. After so many failed attempts over a period of time, the IP gets blacklisted. After 24 hours, the blacklist gets purged.

Re:SmartCards

[danielpublic]

Since GPUs are rendering traditional passwords insecure and obsolete, why not go with a broader usage of smart cards? Also, build in mechanisms to deny IP addresses from machines that are attempting to use brute force. I do it with OpenBSD's PF. After so many failed attempts over a period of time, the IP gets blacklisted. After 24 hours, the blacklist gets purged.

Yeah, two-factor authentication or more is really essential here.
eCryptfs wrapped passphrase file and pamusb on two usbdrives is a nice and complement to my generated 30char login password at home.

I use passwordmaker extensively, I feel safer with it since it is not a database as the application keypassx.
Usually I generate my passwords by user@host/email/domain/padlock/whathaveyou. Also I have a few modified tricks up my sleeve, that I learned on passwordmakers forum. It works everywhere! Even my brother with his iphone uses it, he even has the habit to take the two last chars in the generated passwords and paste it somewhere. Or so he said at least.

And certainly Yes, then there is always that question: 'Who have I trusted by installing this or that software'
Whom am I to say my (master)passwords is safe, since I generate them in my phone?

Re:SmartCards

[Jonner]

Since GPUs are rendering traditional passwords insecure and obsolete, why not go with a broader usage of smart cards? Also, build in mechanisms to deny IP addresses from machines that are attempting to use brute force. I do it with OpenBSD's PF. After so many failed attempts over a period of time, the IP gets blacklisted. After 24 hours, the blacklist gets purged.

Perhaps the article didn't explain it well enough, but brute forcing passwords with GPUs is only useful in offline attacks against the password hashes. CPUs are still plenty fast for online attacks, which are limited by network speeds. Because networks are so many times slower than CPUs or GPUs, true brute force attacks are never practical.

How To Choose Strong Passwords

[Nukedoom]

Self-explanatory.

http://www.wimp.com/strongpasswords/

Re:How To Choose Strong Passwords

[hedwards]

The bigger issue is that with all the sites that demand a log in, you're not going to have passwords that are strong, unique and regularly changed. Which is really the problem, on top of which many sites will hand out your information to anybody that can guess the security answers, which one then needs to remember as well because without them the account can't be reset.

Re:"Strong passwords useless"? Hardly...

The NSA guy who needs to spend 43 cpu years across a farm of, say, 1000 servers in order
to get a password in half a month probably has to write an application to his boss.

The NSA guy who needs to spend 48 cpu days on the same farm in order to get a password
in a little more than an hour can probably just go ahead.

(And, yes, servers in farms often do have GPUs in order to expose this kind of specialized
performance.)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Big-O complexity, look it up

[deapbluesea]

So the TFA proves that password cracking is exponential in the length of the password, and that GPUs cut down on the rather large constant in front of the exponent. This still does not eliminate the fact that each digit added increases the cracking time exponentially. In other words, use a longer password. Of course, NTLM is a farce since it only hashes 8 byte chunks, so you can't up the cracking time by more than X^8. The moral of the story here is that GPUs are faster than CPUs (for some specialized applications), yet you can still overwhelm them using a longer password. The other moral is that NTLM is an utter failure, but we all knew that.

If anyone really cared enough, they could build a single-purpose circuit to calculate hashes and compare with the hash file. With enough money invested, you could easily beat any GPU by a couple orders of magnitude. That still doesn't make this news worth discussing as the other side can up the ante by adding to the password length again (among many other things already mentioned such as salts).

Re:Big-O complexity, look it up

[jimicus]

Is NTLM still in use? It's been deprecated for years - is it even enabled by default on recent versions of Windows?

Re:Big-O complexity, look it up

[Hatta]

This still does not eliminate the fact that each digit added increases the cracking time exponentially. In other words, use a longer password.

There's only so much entropy a human brain can memorize easily. If you try to make it easier to remember, by making it pronounceable, or even using words, that decreases entropy defeating the purpose of extending your password.

Dunno what solution there is when computers can brute force passwords longer than a human can memorize.

Re:Big-O complexity, look it up

[the+eric+conspiracy]

Uh how about KeyPass?

Re:Big-O complexity, look it up

[Hatta]

Then they can just brute force your KeePass passphrase.

Re:Big-O complexity, look it up

[the+eric+conspiracy]

Yes, but if I only have one phrase to remember I can make it pretty annoying to crack.

Re:Big-O complexity, look it up

[deapbluesea]

There's only so much entropy a human brain can memorize easily

Check out this site on entropy. It provides some very interesting insights on ways to encode entropy memorably. http://www.leemon.com/crypto/MakePass.html

Re:Big-O complexity, look it up

[deapbluesea]

Your questions forced me to look up info on NTLM and it turns out my earlier post was incorrect. LM is encoded in 7 byte chunks, not 8 byte. NTLM was the fix to the horrible LM hash that I was remember earlier. Mea culpa. LM was still used in XP to maintain backwards compatibility (thus completely circumventing the NTLM hashes of the same password). NTLM is still in use today, although it also suffers from known vulnerabilities http://en.wikipedia.org/wiki/NTLM

Password Plus CAPTCHA helps

[billstewart]

8-character passwords were strong enough for Unix thirty years ago, but that was a long time ago in Moore's Law cycles; I've got wristwatches faster than that PDP-11. It's annoying how many systems still seem to use them.

For systems that do passwords interactively, you're not going to get the same brute force speed, but you're still exposed to automated attacks - using a CAPTCHA in addition to the password can help prevent them.

Re:Password Plus CAPTCHA helps

[iggymanz]

no need to change, 8 character using say 100 possible character password that isn't word or same as account name still can't be cracked by brute force attempts. Besides the challenge / response lag, and systems not allowing login for certain time after say 4 unsuccessful attempts, look at the math. That's only five attempts every five minutes or one attempt per minute allowed. That's 100 ^ 8 minutes for all possible combinations, or 10^16 minutes, or 2 x 10 ^ 10 years. The Sun would burn out first.

Re:Password Plus CAPTCHA helps

[bmo]

The quicker CAPTCHA dies the better.

Not only does it discriminate against machines (like it should) it discriminates against humans, too.

I long for the day when the Americans with Disabilities Act gets amended for the interbutt. You are an institution or you do commerce on the Web? You can no longer discriminate against the sight impaired ever again.

People see CAPTCHA as a magic wand for dealing with brute-force attacks and spam. It's not. If it was a pill for erectile dysfunction, the side effects would give you projectile diarrhea.

--
BMO

Re:Password Plus CAPTCHA helps

[EvanED]

That's only five attempts every five minutes or one attempt per minute allowed.

Let's look at some alternate math, considering that the article is talking about offline lookup.

3.3 billion passwords/sec decreases your estimate by a factor of 198 billion (basically 2^11). That gives 0.1 years. Not so attractive to break your /. password, but if you suspect someone has a fair bit of money in their bank account, easily worth it for that.

Of course, we all know that all networks are secure and so no one could ever get their hands on a list of password hashes, right?

Re:Password Plus CAPTCHA helps

[Concerned+Onlooker]

"The Sun would burn out first."

Especially if it's an old Ultra 5.

Re:Password Plus CAPTCHA helps

[rhook]

It is easy to thwart this attack, require a password in addition to a one time use RSA SecurID. eBay, PayPal, WoW and several banks already use this method of authentication.

http://www.rsa.com/node.aspx?id=1156

Re:Password Plus CAPTCHA helps

[sco08y]

The quicker CAPTCHA dies the better.

Not only does it discriminate against machines (like it should) it discriminates against humans, too.

I long for the day when the Americans with Disabilities Act gets amended for the interbutt. You are an institution or you do commerce on the Web? You can no longer discriminate against the sight impaired ever again.

Most of the big name CAPTCHAs I've seen have an audio alternative, so what's the issue?

Re:Password Plus CAPTCHA helps

[El+Torico]

I'm missing something here; how do the blind and leaglly blind use computers with video as the primary means of presenting information to the user? Wouldn't CAPTCHAs be the least of their problems? Can they be made much larger and an audio component improved?

I can see where CAPTCHAs will have to be changed as the populations of Japan, Europe, and the US get old.

Re:Password Plus CAPTCHA helps

[Frosty+Piss]

...projectile diarrhea...

Wow, you discovered my Slashdot password. I've had it for several years, now I have to change it...

Re:Password Plus CAPTCHA helps

[CharlyFoxtrot]

There's a whole array of vision problems out there. For instance this is how a person with keratoconus sees text on his/her pc. You can still function visually (with aids like zoom, increased contrast, etc.) but try figuring out a captcha with that vision.

Re:Password Plus CAPTCHA helps

[Nimey]

Better CAPTCHAs have audio challenges for people with visual impairments.

If you're Helen Keller, you're probably not using a computer anyway.

Re:Password Plus CAPTCHA helps

[cloudmaster]

Let's look at some alternative alternative math: that 3.3 billion passwords/sec were at http://www.golubev.com/files/ighashgpu/readme.htm. Note that this is the speed for cracking MD5 passwords, which were deemed "almost ready to crack" a few years ago. Modern Linux systems all support sha256 and sha512 hashing; given that this tool is 1/3 slower for sha1 (aka "sha160"), one can guess that current sha2 (sha256/sha512) algorithms will be slower. It's also worth nothing that the algorithms supported by the tool mentioned in the article are *all* not supposed to be used as of 2009: http://csrc.nist.gov/groups/ST/hash/policy.html; the tool doesn't currently even support the sha2 algorithms. The common algorithms which are currently supported (ie, md5) have been breakable in fractions of a second through rainbow tables for years anyway - which was NIST's point, IIRC.

I suppose I'll also note that the Ubuntu 11.04 system I'm typing this upon right now is configured out of the box to use sha512 hashing in /etc/shadow (check /etc/login.defs on most Linux systems, look for password strings which start with $6$). Assuming the use of PAM for anything important and passwords stored either in root-only shadow file or in an LDAP directory which does compare-only access or server-side hashing, and a secure transport such as current TLS, then this is a non-issue on a Unix system which hasn't already been compromised. It'd be easier and probably more effective, as usual, to socially engineer a password (or otherwise gain access through the human interface weak point) than to get password hashes and break them.

Re:Password Plus CAPTCHA helps

[chill]

They see a Squid Proxy error? I'm thinking a cure for that disease isn't too far off...

Re:Password Plus CAPTCHA helps

[Odinlake]

the side effects would give you projectile diarrhea.

whoa, awesome! </voice of Otto the bus driver from The Simpsons>

Re:Password Plus CAPTCHA helps

[Ambvai]

People see CAPTCHA as a magic wand for dealing with brute-force attacks and spam. It's not. If it was a pill for erectile dysfunction, the side effects would give you projectile diarrhea.

So... is that going to function like nitro for rapid thrusting?

Re:Password Plus CAPTCHA helps

[Psychotria]

Hmm. How do you see the audio icon if... you cannot see?

Re:Password Plus CAPTCHA helps

[Architect_sasyr]

Hah. haha. hahhahahhhahahhahahhhahahahahaaahahaha.

RSA Servers Hacked
Lockheed Martin Network Intrustion

Re:Password Plus CAPTCHA helps

[GrumblyStuff]

C'mon.. they got seeing-eye dogs don't they? What's the problem again?

Re:Password Plus CAPTCHA helps

[Lunzo]

It's called a screen-reader. Presumably the CAPTCHA and audio button have useful alt-text.

Re:Password Plus CAPTCHA helps

[Isaac+Remuant]

I'm interested. How do blind people (if they do) usually browse? How do they know what links or buttons are available? If they can recognize other buttons by sound, why wouldn't they be able to recognize the captcha soudn button?

Re:Password Plus CAPTCHA helps

[luke923]

I'm surprised no one has circumvented CAPTCHA by examining the audio.

Re:Password Plus CAPTCHA helps

[perryizgr8]

slashdotted?

Re:Password Plus CAPTCHA helps

[mjeffers]

Someone who'se completely blind would most likely use a program called a screen reader (JAWS was a common example last time I really looked into this, probably others out there as well). This is just a program that does text-to-speech for on-screen content, including web pages.

A screen reader would "read" the images using their alt text. Assuming the sound button had alt text that made sense it'd be pretty simple to select it and hear the content of the captcha.

Re:Password Plus CAPTCHA helps

[rpresser]

Try this image: http://upload.wikimedia.org/wikipedia/commons/thumb/b/b5/Kc_simulation.jpg/220px-Kc_simulation.jpg

Re:Password Plus CAPTCHA helps

[mjeffers]

There are devices that convert on-screen content into braille that someone who was both blind and deaf could use to read. I haven't played with these but I'm assuming there's an associated input device. There's a whole range of assistive technology out there for people now. The modern Helen Keller would probably be hanging out on facebook.

Re:Password Plus CAPTCHA helps

[bipbop]

I'm an engineer, so in many ways, I am not stupid, but in other ways, I think I am. I think I may be worse at some types of CAPTCHAs than a machine. It gets pretty frustrating, really.

One CAPTCHA I did get correct recently required me to enter a greek letter (to access an English-speaking forum). I didn't know how to type that letter, but I successfully copied and pasted it from Wikipedia, and it told me I was correct. These things are getting awfully exciting.

Re:Password Plus CAPTCHA helps

[Khyber]

"You are an institution or you do commerce on the Web? You can no longer discriminate against the sight impaired ever again."

That's not fair, especially in my line of work, where blind people would pretty much have ZERO use for my lighting products, and in fact they could make their blindness WORSE.

Way to unintentionally hurt people without thinking, and you managed to do it on BOTH SIDES AT ONCE. Bravo!

Re:Password Plus CAPTCHA helps

[mjeffers]

No, I think you may have misunderstood. The alt text is the alt text of the button used to trigger the audio captcha, not the alt text of the captcha itself. In this case, a user who was blind would use a screen reader and see an icon with alt text that said something like "click here to hear the captcha" and then could get an audio representation of the words in the image.

Re:Password Plus CAPTCHA helps

[DEmmons]

i think you'd better re-read what he wrote. no one would render a Captcha string in the clear in alt-text. i hope. he was talking about alt-text on the button that triggers the audio version, just like you are.

Re:Password Plus CAPTCHA helps

[bws111]

Did you know that many blind people actually have jobs? Just down the hall from me is a purchasing agent who handles literally millions of dollars of purchase orders each year. He is blind. Guess how much business would get sent to a company such as yours.

Re:Password Plus CAPTCHA helps

[letsief]

Strictly speaking, NIST still allows the use of SHA-1 for password hashing. NIST says you shouldn't use SHA-1 for anything that requires collision resistance. Password hashing doesn't require collision resistance, it only requires preimage resistance. In fact, there's relatively little benefit to using SHA-256 or SHA-512 for password hashing, since they're not that much slower than SHA-1 and its not much harder to generate and store a SHA-2 rainbow table than a SHA-1 rainbow table.

The page you referenced is from 2006, and NIST has backed off on their warnings about SHA-1 a little bit. The collision attack on SHA-1 probably isn't as bad as it looked in 2006. The attack hasn't improved- some of the alleged improved attacks turned out to have errors in them. No one has ever found a collision using SHA-1. Some people aren't even sure the claimed collision attack even works, though the general agreement is that even if the specific attack outlined in Wang's paper doesn't work, there probably is a similar one that does work.

In the mid 2000's the cryptographic community just saw both of the widely used hash functions attacked- SHA-1 and MD5. There were a lot of people concerned that the attacks would soon be catastrophic. That certainly didn't come true with SHA-1, and its only partially true with MD5 (which still has decent preimage resistance).

Still, telling people to move to SHA-2 is good general-purpose advice. It can be tricky to determine when you need collision resistance and when preimage resistance will do.

Re:Password Plus CAPTCHA helps

[Tokah]

Many audio versions of the captcha work very poorly, unfortunately. If a site is too captcha dependent, I just give up on it more times than not.

Re:Password Plus CAPTCHA helps

[Jane+Q.+Public]

"The common algorithms which are currently supported (ie, md5) have been breakable in fractions of a second through rainbow tables for years anyway - which was NIST's point, IIRC."

You must recall incorrectly, because a rainbow table is effective against ANY hash function, no matter how secure, although using salts (also known for some stupid reason as "nonces") can alleviate this weakness to a large degree.

In fact that is a big objection of mine to many of the things that have appeared in this topic today. A lot of nonsense has been bandied about.

For example, while certain cryptographic weaknesses have been found in MD5 and SHA1, those weaknesses are more theoretical than practical. I have yet to hear that any of those weaknesses have actually been exploited in a real-world scenario. For password hashes they work just fine, and probably will for years to come (as long as salts are used).

Re:Password Plus CAPTCHA helps

[Mathinker]

You seem to be informed enough that you probably were aware of this, but see:

http://www.win.tue.nl/hashclash/rogue-ca/

Could have been real-world, except that they were white hats. And yes, I know that password hashing is a totally different use case whose utility is based on strength against preimage attack.

Re:Password Plus CAPTCHA helps

[stoborrobots]

I'm surprised no one has circumvented CAPTCHA by examining the audio.

I assume you're being sarcastic, but for those playing along at home: http://search.theregister.co.uk/?q=audio+captchas and http://slashdot.org/tag/captcha list several successful attacks on audio CAPTCHAs...

Re:Password Plus CAPTCHA helps

[koreaman]

As an anecdote, I once had a man sitting at a computer next to me in a university library ask me to input a captcha for him.

Apparently he could see well enough to use a computer, but not well enough to decipher the captcha.

Re:Password Plus CAPTCHA helps

[Z00L00K]

And the SecurID has also been proven to be insufficient - if the perpetrator gets his hands on one and logs a few of the numbers then it's possible to digest those and predict the future numbers from that too.

Nothing is sacred these days - whatever method you create it can be cracked. It's just a question of how long time it takes to crack the method. If someone really wants to crack your specific account they are able to do that, but to crack a million accounts it's easier to inject malware and get useful information that way instead.

Re:Password Plus CAPTCHA helps

[Jane+Q.+Public]

Thanks for the link. I was aware that this had taken place but I was not aware that it was performed via deliberate creation of MD5 collisions. I stand corrected on that point.

After having read that page, however, it still seems as though salted, hashed passwords should be pretty secure. There is no way to add all the extra bits that they were required to manipulate in order to generate the collision. They only got away with it because of the presence of a public key inside the certificate, which game them ample room for incorporating the precalculated "collision bits".

Still, it was a successful demonstration, and illustrates that the weaknesses in MD5 should be taken seriously.

Re:Password Plus CAPTCHA helps

[rhook]

Nothing involving SecurID was compromised, and even if it was they would need the identifier for the keyfob that you use in order to predict your keys. If they're close enough to you to get that information they could just beat you until you reveal your password and take the RSA keyfob.

Re:Password Plus CAPTCHA helps

[rhook]

And if they are able to gain physical access to the keyfob they could just force you to login. Physical access is physical access, i.e. you're fucked.

Re:Password Plus CAPTCHA helps

[Anne+Thwacks]

My Ultra5 is still going fine, thanks.

Re:Password Plus CAPTCHA helps

[TheRaven64]

It took 4 days to find a 7-character password. Assuming that the password is mixed case and contains digits (as their examples did), but no punctuation, this means that it will take 62 times as long to crack an 8-character password, or a little over 8 months. That's 8 months of the GPU doing nothing except cracking your password. Of course, you could throw more hardware at it. If you had 16 GPUs, then it would only take a couple of weeks. 32 and it's down to one week. 224, and you can do it in a day. But then your password-cracking hardware is likely to be far more valuable than the accounts that you compromise (especially since you also need to go to the trouble of stealing the shadow password file).

Now, in 18 months, you can probably halve these times, and so on, but remember what the hash is for. It's not there to make the password uncrackable, it's there to give you time to discover the intrusion and change the password after someone manages to break in and make a copy of the shadow passwords file.

It's also worth remembering that the time taken to crack the password is also related to the complexity of the hashing algorithm. In this example, the passwords were hashed using md5, which hasn't been recommended for a while. The program that they're talking about will also do sha1, but it's slower. More complex hash algorithms take even longer. The complexity of the password doesn't have to change much. It's been possible to brute-force DES passwords (used by early UNIX systems) for ages. We didn't need to make the passwords longer when this happened, we just switched to MD5. Now we've switched to bcrypt, which is much harder to crack and is adaptive so it is easy to increase the complexity of a brute force attack just by tweaking a system setting.

Re:Password Plus CAPTCHA helps

[Evo]

SecurID has also been proven to be insufficient - if the perpetrator gets his hands on one and logs a few of the numbers then it's possible to digest those and predict the future numbers

Could you provide some citations for that please? To my knowledge this is just not possible.

Re:Password Plus CAPTCHA helps

One CAPTCHA I did get correct recently required me to enter a greek letter (to access an English-speaking forum). I didn't know how to type that letter, but I successfully copied and pasted it from Wikipedia, and it told me I was correct. These things are getting awfully exciting.

reCAPTCHA displays two words - one is a known control word, the other one is unknown (they use you to perform OCR for them); it is enough to get the control word right and if one word is very hard to decipher/cut off/ contains foreign letters/... chances are it is not the control word and it won't matter if you get it wrong.

Re:Password Plus CAPTCHA helps

[DNS-and-BIND]

Have you ever actually LISTENED to the "audio alternative"? I got complaints on my website because people couldn't register an account. I tried the CAPTCHA audio, and oh my God it was horrible. Some scratchy digitized voice saying "ALPHA, BRAVO, TANGO, NOVEMBER" and so on. It was hard for me to understand, and I'm a native speaker. My website has a significant minority of non-native speakers of English, and there's no way they could have deciphered the audio captcha. That Tango Uniform stuff is US military phonetic alphabet...who the heck knows about that outside America? What would a random person know to do when some voice starts saying random words like Charlie and foxtrot? How many ESL speakers have "foxtrot" on their vocabulary lists?

Re:Password Plus CAPTCHA helps

[qubezz]

I always do my best to OCR cyrillic, diacritic, and punctuated captchas. If enough people input them, they can get promoted to be the test captcha, then everybody will have to figure out how to type in Greek and umlauts.

I got one that was upside down. Someone scanned the source document upside down. I'd like to see what the OCR result is when captcha users flip the document one word at a time...

Re:Password Plus CAPTCHA helps

[benito27uk]

It took more than just seeing a couple of the token codes... Cryptanalysis of the Alleged SecurID Hash Function extended version: http://eprint.iacr.org/2003/162.pdf

Re:Password Plus CAPTCHA helps

[mreditor]

That Tango Uniform stuff is US military phonetic alphabet...who the heck knows about that outside America?

You mean the NATO phonetic alphabet? http://en.wikipedia.org/wiki/NATO_phonetic_alphabet Most amateur radio operators around the world know this method of reliably communicating letters over noisy paths......

Re:Password Plus CAPTCHA helps

[goarilla]

Actually the NATO uses the same system http://en.wikipedia.org/wiki/NATO_phonetic_alphabet

Re:Password Plus CAPTCHA helps

[goarilla]

Just out of curiousity how does one learn to read braille without being able to see or hear
I'm talking about people who are born blind and deaf.
How do you communicate the necessary concepts and abstractions through touch ?

Re:Password Plus CAPTCHA helps

[Lord+Ender]

You shouldn't compare rainbow tables to brute-force crackers. Password crackers like this can work against a salted password. Rainbow tables are worthless for salted passwords.

Re:Password Plus CAPTCHA helps

[Dog-Cow]

Reread the summary. It took the CPU 4 days, not the GPU.

Re:Password Plus CAPTCHA helps

[swv3752]

Not only is it used by NATO, but by the Airlines and air traffic controllers, and is often adopted by by many phone service companies when they need to spell over the phone. Not that uncommon and should be fairly self explanatory.

Re:Password Plus CAPTCHA helps

[Khyber]

Yes, I know of many blind people that have jobs. My investor being one of them.

You are simply unaware of the inherent risks in my particular industry and blindness is a major one. When you work with high intensity photon emissions in a narrow range of wavelengths that can cause eye damage or aggravate existing eye damage, you simply don't put blind people smack into the middle of it. Yes, you give them a peripheral job such as handling documents and phone calls.

Also, again, we specifically advise people with eye problems to avoid using our products, and if they insist, to use eye protection. But the fact is, most blind people aren't growing plants, and our equipment is hazardous to those people.

Re:Password Plus CAPTCHA helps

[bws111]

The topic at hand was the accessibility of web sites. It does not matter what business you are in, there is no excuse for not having an accessible web site.

Re:Password Plus CAPTCHA helps

[bmo]

What a lot of people in this thread refuse to understand is that...

One day you will become injured
One day, you will become sight impaired.
One day, you will become old.
One day, your perfect body will no longer be perfect.

As a person with decent vision, I have problem with captchas. I don't know what it is about some of them, but some are undecipherable and I have to hit the reload key.

Every single one of them with objection to making web pages non-discriminatory against the sight impaired are either teenagers or 20 something that have never been sick a day in their lives.

Some day things will be different for them. And they won't like it. Karma is a bitch.

--
BMO

Re:Password Plus CAPTCHA helps

[DNS-and-BIND]

So, if my users are NATO soldiers or air traffic controllers, then it's OK. It's NOT self-explanatory if you're a non-native English speaker.

Re:Password Plus CAPTCHA helps

[letsief]

The rogue CA demonstration attack on MD5 was important. It showed the attack wasn't entirely theoretical. Some thought that even though you could find collisions in MD5 easily enough, you wouldn't be able to find meaningful collisions that could be used an attack. This demonstration showed you could do a real attack without needing a ridiculous amount of processing power.

However, as Mathinker said, the weaknesses in MD5 and SHA-1 really aren't problems at all for password hashing. Collision attacks don't help you invert hash functions- preimage attacks do. There aren't any serious preimage attacks on MD5 or SHA-1. There's a theoretical preimage attack against MD5, but from a practical perspective its probably much slower than brute-force search.

Also, salted hashes only help you so much. Yes, they help block attacks using rainbow tables, but was was described in this article was just a regular old brute force search without the use of rainbow tables. So, for an attack like this, salted hashes don't make it any more difficult for an attacker to get one password, but it would make it more difficult for an attacker to invert a bunch of hashed passwords from a stolen password database.

Re:Password Plus CAPTCHA helps

[Khyber]

'The topic at hand was the accessibility of web sites. It does not matter what business you are in, there is no excuse for not having an accessible web site."

Actually, there is, especially if the website in question is pure graphical content.

Whoops. Didn't think about that, did you?

Re:Password Plus CAPTCHA helps

[bws111]

Uh, yes, I did think about that. I don't see what point you are trying to make. A website with pure graphical content is a shitty website, and unusable by anyone with vision problems. There is no excuse for that except lazy and/or incompetent developers.

My assumption was that your website was supposed to do something useful (product catalog, ordering, contacts, etc). From the sound of it, you are already compliant. Your website is equally useless for sighted and vision impaired people, so no discrimination.

Re:Password Plus CAPTCHA helps

[Khyber]

"A website with pure graphical content is a shitty website, and unusable by anyone with vision problems."

And when it comes to a product that no SANE person with vision problems would use, where's the issue of having a website selling said product and not making the website accessible to those that would realistically have zero need (and would in fact be at greater risk of further damage,) of the product?

Plain and simple, your black and white world has a ton of exceptions, and your thought path appears too narrow to be able to think of any.

Re:Password Plus CAPTCHA helps

[MaDeR]

Born blind and deaf? They are probably screwed.

long random passwords

[Doctor+Device]

it seems to me, if your password is random, mixed-case alphanumeric, and fairly long, there is an added layer of security against a brute-force hash attack like this. that being that the incorrect hashes will just be jumbled strings of letters and numbers... but the correct password will be, as well. how would such an attack differentiate the valid password from the invalid in this situation?

Re:long random passwords

[jpapon]

You misunderstand. I'm no expert, but I believe you hash the random string, and see if the result matches the hashed value for the password. If it does, that random string is the password.

Re:long random passwords

[HuguesT]

It doesn't work like you think it does.

Basically, most modern password protection techniques work like this: they take a password, say "my nice password" and transform it into a hash, say :"uq10ajg901a0##". Now only the hash is stored on the system. There is no way to go from the hash to the password. Classical hash functions are MD4, MD5 and SHA1. NTLM users MD4. Linux mostly uses MD5. There are added niceties likes salt, etc. You can look these up if you want.

When users enter their password, they are hashed again, and the *hash* are compared, not the passwords. If you enter the right password, no matter whether this is a nice word or sentence or jumbled letters, the system lets you in.

Crackers simply assume that the *hash* is available. It is in fact very easy to get it if you have access to the console, both for Linux or Windows. They then generate any and all combination of letters, signs, symbols and so on as input as potential password, they compute their hash, and they compare it to the hashes they know. If there is a match, bingo, they have found the password.

So the upshot is it doesn't really matter what the input password look like as long as the crackers can generate it and compute their hash. If the crackers know that you have used only letters, however, they can cut down dramatically on the numbers passwords they have to generate and save time.

So in some sense you are right but not for the reason you mention.

Hope this helps.

Re:long random passwords

[0123456]

Crackers simply assume that the *hash* is available. It is in fact very easy to get it if you have access to the console, both for Linux or Windows.

If you have access to the console and can boot a live CD you have access to every file on the machine; you might still want the password if the users have encrypted home directories, but you can just install a hacked library which sends you the passwords as they log in.

Console access == pwned in the vast majority of cases. Fortunately crackers rarely have console access to the machines they want to crack into.

Re:long random passwords

[Vegemeister]

Password reuse. Consider an admin who uses the same password for local root on all Windows XP, Windows 7, and OSX machines in a facility. XP's shitty hashes doom them all. What if that same admin uses the same password for all the managed switches in the building?

Re:Less than Ten Characters?

[ColdWetDog]

Does anyone really use less than ten character passwords anymore?

Your bank. My bank. The nuclear reactor down the street. All sorts of folks.

Re:increase the time lag between password tries...

[Joce640k]

Sure, IF we're talking about remote logins.

What about, say, a stolen laptop, how exactly will you enforce "1min/try" there...?

And in other news

[rossdee]

3m are going to introduce a larger post-it-note

Re:And in other news

[SydShamino]

http://www.post-it.com/wps/portal/3M/en_US/Post_It/Global/Home/Products/Easel_Pads/

3M: Innovative Technology for a Changing World!

Re:And in other news

[greentshirt]

and Moscow will order them in bulk for the Kremlin's next attempt to infiltrate the U S of A.

Re:And in other news

[garyebickford]

Wish I had mod points!! :D

Challenge respose is dead, almost.

[louarnkoz]

The problem with NTLM has been known for some time, but it is not just NTLM. It is in fact any challenge response protocol. Check this slide deck presented at the IETF in 2005: http://www.huitema.net/talks/ietf63-security.ppt. The punch line is simple: don't rely on challenge response protocols! If the attacker can see both the challenge and the hash, and if the password can be remembered by the user, it will probably be cracked.

Re:Challenge respose is dead, almost.

[marcosdumay]

Well, we have nothing better than challenge-response for authentication... But I guess I can see the flaw on that protocol: "If the attacker can see both the challenge and the hash, and if the password can be remembered by the user, it will probably be cracked." Here, I hightlighted it.

Re:If someone gets your hashed password..

Try reading the post you are replying to...

NTLM? Please be serious...

[pedantic+bore]

The title of the article is extremely misleading.

I don't really care that someone can break short passwords generated via MD4. MD4 is very broken. NTLM is essentially 1992-era technology that was later picked up by Microsoft, who now deprecates its use.

When a GPU can break 15-character AES256 keys, then I'll start to worry about the security of my 24-character key.

NTLM? Seriously?

[cortana]

What kind of incompetent fool would still use such a pathetically weak password hashing scheme?

Re:NTLM? Seriously?

[Mashiki]

If you have to ask... There are sites that still don't hash or salt their passwords. BBR recently had a break in via a SQL injection. No hash, no salt for their passwords. It's stupid enough to make me wonder if they've properly sanitized their database inputs or not.

You may have to hunt around a bit, but they did confirm that they didn't hash or salt.

Here's a link to the original article

[pnot]

Even for Slashdot, this is a little pathetic: the link is to a ZDNet article, which regurgitates a PCPro article, which in turn regurgitates a blog post by the guy who actually ran the tests, Vijay Devakumar. And here's Ivan Golubev, who wrote the cracking tool.

Still, ZDNet's advertisers thank you for the hits!

Re:Here's a link to the original article

[jonathansdt]

In 1998, L0phtCrack showed this to us on out pentiums, and we protected against it by changing the default hash to NTLMv2.

Re:Here's a link to the original article

[Larryish]

zdnet is ghey

Re:So What?

Solution: Make a stronger password.

Re:So What?

This is about offline hash cracking, not bruteforcing passwords over a network connection.

Assume someone gets access to a hash table of passwords and cracks many of the passwords. The system itself doesn't matter but the fact users tend to re-use passwords does, especially with seemingly secure and hard to remember random character strings. Assume the hacker knows enough of the users to have a clue about what other systems they access. With a list of user ids and passwords from the first system, they will likely find a combination that works on the other system and this can be done over the network because of the small number.

Do not use md5 for password hashes

It's the power of modern GPUs that's worrying you? Really? What you should be worried about is the security software you're using that uses md5 for password hashes. Use a more expensive algorithm - bcrypt, or better yet, scrypt. And if your software or OS uses md5 for passwords in a situation that's vulnerable to local brute force hacking... upgrade!

Re:increase the time lag between password tries...

[hedwards]

If you lose your laptop, you've got bigger things to worry about. There're much better ways of getting at whatever information the person is after.

Re:If someone gets your hashed password..

[iggymanz]

hashes don't normally "go over the wire". They don't for web logins, they don't for remote logins. They reside in a file on the host. If you copy that hash file from machine to machine by insecure means that's your problem, not something a good admin does. Encrypted file copy is a nice feature of the ssh/sftp/scp suite. E

Re:"Strong passwords useless"? Hardly...

[node+3]

Right, so it will take 10 black hats a work week to crack one password. Given the ratio of black hats to usernames, I wouldn't worry too much unless you are person of relative interest.

Also, they have to get the password file (or equivalent) in the first place.

Re:increase the time lag between password tries...

[Dekker3D]

New hashing algorithm that takes a minute to compute? Some hashing algorithms got turned down specifically for being too fast, and too easy to use in a bruteforcing attempt. [citation needed]

Re:You criticized us, but ...

[greentshirt]

LuLz(sec)

Re:If someone gets your hashed password, you're do

[sco08y]

It is well known that if someone gets your hashed password, it is as good as cracked. 17 minutes vs 4 minutes is irrelevant.

Bullshit. It is well known by people who don't know what they're talking about, which includes TFA.

Do you seriously think that in the age of bitcoin we can't make a hash function that is arbitrarily difficult?

Use an adaptive cryptographic hash function: bcrypt, PBKDF2 or scrypt. The key feature is a tunable stretch factor that basically sets the number of rounds of hashing. Set that factor (by means of a simple timing loop) to require 1 second of CPU time (or GPU time or whatever) to hash.

Now the simplest 8 character A-Z password will take an expected 3,311 years to break. You'll obviously want a safety margin, and will expect them to have more computing power a few years down the road. But you can tune the stretch factor to ensure that a reasonably strong password is perfectly good against offline attacks.

Re:So What?

[msclrhd]

That's neat. Using Upper & lower cases with a few punctuation characters, about 15 characters are enough to give a big computation time.

One thing I have started to do is to use pass phrases. For example, "Green peppers allow access." gives a massive cracking array time of 39.98 thousand trillion trillion centuries. Even just "Green peppers" gives 38.90 centuries.

Another thing I tend to do is splice 3-4 mini phrases around a concept, e.g. the "Red Hot Chilli Peppers" group:
      RHCP (the bands initials)
      b4nd ('band' with the A transformed to a 4)
      Californication (name of an album/single)
so you have: "RHCPb4nd Californication" which gives 9.38 hundred billion trillion centuries and covers at least one uppercase, lowercase, digit and punctuation character.

Go for length over complexity

[Ececheira]

This article spells it out:
http://www.baekdal.com/tips/password-security-usability

Too bad most sites are too stupid to allow a long enough password. I'll take a 16-character pass-phrase with all lower case + whitespace over a hard to remember 8 character one anyday.

Re:Go for length over complexity

[Lazy+Jones]

That sites calls passwords comprised of 6 characters with digits "low risk" due to 8 months brute forcing time, while the program mentioned in the OP checks that range in about 2 seconds on my GPU ...

Re:Go for length over complexity

[jensend]

Reminds me of the famous Bruce Schneier fact:

Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the lives and works of seven mythical Norse heroes.

Re:Go for length over complexity

Absolutely terrible advice. The above link recommends "This is fun" as a decent password. Anybody who understands the concept of information entropy would instantly recognize the password above as terrible. The person giving the advice assumes that hackers only brute force using random letter combinations and one word dictionary attacks. That is not necessarily the case. A quick (but destructive) test for whether a password is epically terrible is if when the phrase is quoted and put in a Google search if any hits come back. Google, as the all seeing cataloguer of humans, can be used as a pretty good entropy checks. The more hits, the lower entropy a password is. A good password should have no hits (but obviously once you send it to Google, the password is suspect), and not be easily brute forceable.

Re:Go for length over complexity

[WuphonsReach]

The problem is that if you compose your pass-phrase from 3 common words with only spaces between, the complexity is only about 10,000 ^ 3. (10,000 = about 13.29 bits of complexity.)

At best, you're looking at a 40 bit password. And if you only go with the "short" common words (under say 8 letters), it drops to about 11 bits per word (33 bit password). In comparison a 6-character, 80-possibles per position password is about 6.325 bits per position (about 38 bits) and a 8-character random password is roughly 50 bits.

You need to pick from less common words, and mix in symbols / upper-case / numbers. If you use the ~290,000 less common words and special words in the English language, then you've got about 18.2 bits per word chosen. Change the space between words into numbers/symbols and you have about 5 bits of entropy per word break. So for a 2-word set with 5 bits between, you have 18.2 + 5 + 18.2 = 41 bits. Use a 3rd word and that grows to 64.6 bits.

It won't be quite 18.2 bits per word chosen though as some words are too long or too difficult to be spelled properly, so say 17 bits instead (about 131,000 words). But you can gain about 2 more bits of complexity per word if you randomly capitalize letters at the start of syllables.

(Always assume that the attacker knows the pattern of how you construct your passwords.)

Re:"Strong passwords useless"? Hardly...

[betterunixthanunix]

Cracking one password may be enough for a larger attack even if the target user is not particularly high priority. So, maybe the hackers gain access to the shadow file of some other system, and correctly surmise that a low-level employee at the target company uses the same password for their work account as for whatever other system was compromised, and now they have access to the target company's internal LAN.

The real answer, IMO, is to start moving toward cryptographic authentication methods, and remove the problem of passwords altogether.

Not news for nerds in the know

[bussdriver]

A more informative link should be included, like:
http://www.openbsd.org/papers/bcrypt-paper.ps
so nerds not in the know can understand how silly the article is. NT hashes are a joke and other than pointing out how bad all the non-bcrypt ones are. It is not all that useful to work on GPU brute forcing for poorly designed systems... (other than to make a point or to aid in exploitation of them.)

You can use shorter passwords if the hash algorithm is sound. dictionary attacks will work regardless but once you are into using brute force your password could be short if it takes a long enough amount of time to cover the domain. bcrypt "scales" to as slow as needed ( I feel odd using "scales" in this way... ) one could make it so expensive that searching the space for short passwords would be too costly.

Re:Not news for nerds in the know

[cloudmaster]

The tool referenced:
http://www.golubev.com/files/ighashgpu/readme.htm
says it can do ~3.6 million attempts per second for MD5 passwords, which many "average" admins still consider to be the state of the art replacement for DES. That makes it pretty quick to brute force a short password.

Re:Not news for nerds in the know

[bussdriver]

Which is why slashdot should include a link actually explaining what is wrong with ANY simple hash solution for password storage like MD5 etc is temporary.

bcrypt is bsd so everybody should be using it. a lot of people use openssl so getting some security thing from the openbsd people is not so difficult.

Re:Not news for nerds in the know

[cloudmaster]

Rather than just look at Google - is there a patch to GNU libc which makes crypt() accept bcrypt as a hashing algorithm? 'Cause that'd be pretty much what would have to happen for it to be a viable option for Linux system passwords...

Re:Why do we still need strong passwords?

[nedlohs]

Because the crypted passwords never get grabbed for cracking offline.

Never all in all of computer security history.

Finally!

[sonicmerlin]

All those stupid passworded files you download from rapidshare/megaupload/etc. can be brute force opened without having to jump through the maker's stupid loop holes.

Re:So What?

[pandrijeczko]

Yes, it does make the assumption that you've been able to remove a copy of the encrypted password list and analyse it locally.

If you brute force a service or UNIX daemon over a network then it's going to lock you out of that account for good after maybe 5 attempts, or it might just lock for 20 minutes or so meaning that it's going to take you an incredibly long time to be successful. Besides which, any security or sysadmin guy worth his salary is going to have set up syslogging of invalid access attempts to somewhere where he gets an alarm indication when this stuff is happening.

It's also worth mentioning that if you're going to pull out a local copy of the encrypted passwords, even if it's possible to do so (Windows guys?), the mimimum account access you will need is root on a Linux or UNIX system (well, modern UNIXes anyway).

So, yes, it's a security concern but unless you know the root password, or someone with the root password, of little practical value in the real world.

Re:If someone gets your hashed password, you're do

[godlee]

It is well known that if someone gets your hashed password, it is as good as cracked.

Say what now? My passwords are 32 characters long, contain upper case lower case numbers and symbols, and are easy to remember. That creates a search space of 1.86 x 10^65 possible passwords. Have fun with your measly 3.3x10^9 passwords per second. The article considers a 7 character password to be secure. It isn't. Every additional character increases the search space by a factor of 95. Length matters.

Phrases not as secure as one might expect

[perpenso]

Phrases are not as secure as one might expect, it is not equivalent to a password several dozen characters in length. In some ways it is like substituting words for letters, a seven word password is only more secure than a seven character password in the sense that there are more words in a person's vocabulary than they are letters in the alphabet. Perhaps a "practical" improvement but not even approaching "pretty much unbreakable", even with substitution. In short, all the things that make passphrases easier to remember works in favor of the cracker. Frequency and correlation are a factor. In something analogous to a dictionary attack, given a phrase of a certain number of characters one might try famous quotes, passages, etc that match that length.

FWIW, phrases were often used to test the configuration of German enigma encryption machines during WW2. The British at Bletchley Park had some success in discovering unknown phrases and that was with 1940s technology. One German operator was discovered to be using the German equivalent to "mary had a little lamb". Better yet, he used that phrase every morning despite his training.

Re:Phrases not as secure as one might expect

[PCM2]

In some ways it is like substituting words for letters, a seven word password is only more secure than a seven character password in the sense that there are more words in a person's vocabulary than they are letters in the alphabet.

That seems to trivialize it a bit. There are only 26 letters an English-speaker can choose from (52 if you count upper and lower case separately). Merriam-Websters Collegiate Dictionary -- which is not the unabridged one -- claims 225,000 definitions. It's true that not every word fits next to every other word if you're using grammatically-correct phrases, but cracking such a password using brute force would still be orders of magnitude more difficult. Even if you had a "dictionary" that included commonplace phrases, you could confound those attacks by mixing upper and lower case in the phrase (say, using title capitalization, or capitalizing every word, or using all caps) or applying punctuation.

Re:Phrases not as secure as one might expect

[cloudmaster]

The article is talking about how easy it is to brute-force a password. The reason the letters were chosen don't matter one bit; if you pick 7 characters because your name is bendovr or because you LikeToEatPizzaNakedAtMidnight, it is still trivial to guess every possible 7 character combination. Sure, the probably matches will be chosen first, but if you're talking about the difference between 5 and 28 seconds with a kick-ass GPU or two, who cares?

The current solutions are to pick longer passwords and to use more complicated hashing algorithms - and to make sure the hashes are secured to begin with, which is why /etc/shadow exists. :)

Re:Phrases not as secure as one might expect

[Rockoon]

The entropy of English text is known to be less than 1.5 bits per character, and the average word length is 5 characters...

So an average upper bound for 7-word phrases would be ~52.5 bits vs ~41.5 for 7 random alpha-numeric characters. So about 2048 times harder, which is certainly orders of magnitude harder..

But 3 orders of magnitude is actually nothing in the world of moores law, so moving to pass phrases would only be a very brief solution to the actual problem.

Re:Phrases not as secure as one might expect

[realityimpaired]

You're assuming a lot. While I realize my passwords are a lot more secure than the average user, try this one on for size:

1. Take a phrase or full sentence that you will easily remember.
2. Translate that phrase into a language that's usually written with a different alphabet. Bonus points if the language is written right-to-left. I use Japanese usually because it was my minor at University, but every now and then I mix it up and use Russian or Vietnamese.
3. Transliterate the language back into the latin alphabet, keeping the word order (reversing it if you used an RTL language).
4. Start replacing random characters with their leet equivalent. a = 4, r = /2, etc.

There's your password. Arbitrarily long based on the length of the sentence you picked, and damned near impossible to guess.

A phrase is only as good as the person picking it, but they are more secure than simple passwords, specifically because most of the methods being used to brute force a password work faster against short passwords. Using a phrase instead of a password makes that password longer, increasing the time you have for it to be brute forced. As others have been quick to point out, if somebody's got physical access to your hash table, you're screwed anyway. But if somebody gets the hash table, and you're notified, you have much longer to get in there and change your password before it can be guessed if you have a long password.

And if you don't like having a password like I suggest, or can't read another language, there's other ways to randomize it. Another method I have seen used is to take an md5 (or other hash) unsalted of the password you actually want to use, and to use that md5 hash as your actual password for logging into the system. Works reasonably well for web forms and such, but not so well for logging into a system. You can also use random password gens with a keychain of some sort. There's lots of ways, and passphrases is just an easy way of increasing security without needing extra equipment or software.

Re:Phrases not as secure as one might expect

[mhelander]

What is the entropy of an English 7 word phrase with at least one random character thrown in?

Re:Phrases not as secure as one might expect

[arose]

A 7 character alphanumeric password has an entropy of ~41 bits, a 7 word passphrase (using his 225 000 possible words) has an entropy of ~124, the equivalent of a 21 character alphanumeric password. Care to revise the 28 second estimate?

Re:Phrases not as secure as one might expect

[arose]

7 random words would be quite easy to remember though.

Re:Phrases not as secure as one might expect

[swalve]

1.5 bits per character? That's only if you are using dictionary words spelled correctly, I'd wager. That value is determined by taking standard text and compressing it to the limit of compressibility, no?

I don't believe that passphrases are used differently than passwords- you'd be correct if each word in the passphrase was a separately decodable token. Guessing 7 random words is likely as easy as guessing 7 random characters. But passphrases are used as long passwords. 7 random words is 35 characters plus 6 spaces. So from the perspective of the cracker, who shouldn't be able to know whether it is a phrase or randomness or the characterset, it is a 41 character password. It isn't like they can get intermediate correct results- they have no way of knowing whether they've gotten the first word right or not.

Re:Phrases not as secure as one might expect

[Rockoon]

Replacing a randomly chosen character from the 7-word phrase with a random alpha-numeric would add at least 12.5 additional bits of entropy.

Its a little counter-intuitive that it would be so high as a random alpha-numeric itself is only 5.95 bits of entropy, but every other character also pays a small price for it being there.

Re:Phrases not as secure as one might expect

[mhelander]

So moving to pass phrases with a random character thrown in _would_ be a (non-brief) solution to the problem, right?

Re:So What?

[fuzzyfuzzyfungus]

If you want to really spoil a hypothetical hash-cracker's day(and, depending on the keyboards you routinely deal with, often yours as well), you can take advantage of the fact that some systems(recent NT derivatives among them) will accept the assorted unicode characters not accessible on the keyboard of your language area.

It isn't fun to type; but "&#9839;&#9578;&#743;&#190;&#8101;&#9619;&#9658;&#65272;" is relatively unlikely to fall easily. (Thanks Slashcode, still handling that Unicode, I see...)

No kidding

[Sycraft-fu]

Same shit with all the scare on rainbow tables. I remember the hype of "It can crack any password in seconds!" Then I found out it meant any LM password, which has some real limitations on it (14 characters total max, as two 7 character hashes, no upper and lower case). Ahh, not so impressive then.

Same shit with NTLM. Worlds better than LM, but not current. Wake me when it is a threat vs NTLMv2, which is what Vista and 7 use exclusively unless you manually change security policy (and XP and 2000 support it).

Then there's the fact that they are talking about short passwords. Security comes in length and it goes up drastically with each character. They are crowing on about how easy 7 character passwords are. Ok, fine, try 14 then. It isn't like if 7 takes 18 minutes 14 takes 38 minutes. It is more like if 7 takes 18 minutes 14 takes years.

Also to make a long, secure, password doesn't have to be that hard. Just take a phrase and modify it a bit. Say you decide the phrase "There can only be one," should be your password. Do something like "Th3r3 can only be #1!" Fairly easy to remember, yet you have to exhaust a massive space for a brute force attack.

Finally, all this is an attack against the hashes. While we want hashes to be strong, let's face it they are a last line of defense. This is a situation where someone has already gotten in, gotten high privileges, and stolen that list. This has no relevance to dealing with breaking in to a random system remotely.

Pretty much this is just fear mongering. Yes, you need to use longer passwords these days. So do so. However a short password really isn't as bad as they make it seem. The risk they are talking about here is only if someone happens to get the hash file from a system with NTLM passwords stored that you use a short password on. Given that the only system that qualifies for that for most people is their home desktop, if they get it the hacker has owned your system already (you have to have admin to get the SAM file) so it doesn't matter.

Re:No kidding

[garyebickford]

This raises the question, at predictable rates of increase in computing performance (per $) and projected advances in cryptography and decryptography, how many years will this longer password be reasonably secure? I think that's a very interesting and provocative question, with many subtopics to consider including users.

Say you decide the phrase "There can only be one," should be your password. Do something like "Th3r3 can only be #1!"

Of course, the ultimate bottom line for most any password scheme is, "Is it worth the bother of torturing the poor sap, and creating a duplicate of his retina?"

Re:No kidding

[yuhong]

As I said in another Slashdot comment, NTLMv2 uses the same raw password hash as NTLM. Don't confuse protocol changes with password hash changes. And note that if you already have the raw password hash, you can log in via network directly using it anyway.

Re:No kidding

[WuphonsReach]

This raises the question, at predictable rates of increase in computing performance (per $) and projected advances in cryptography and decryptography, how many years will this longer password be reasonably secure? I think that's a very interesting and provocative question, with many subtopics to consider including users.

Increases in computing performance per dollar are steadily slowing. The last big bump was the move to multi-core and even that has a limit in feature size.

How many more bumps are left before we get transistor sizes that are too small to use? The current state of semi-conductors is down in the 25-45nm range. If we get down to 4nm, we're in the realm of transistors that are only 7 atoms across.

So let's assume that someone figures out how to do 4nm (100x smaller size) and that it runs at 20GHz (10x faster then current). Unless CPU architecture changes radically, you're looking at a 1000x increase in computing power per square centimeter.

A 1000x improvement? That's not much. Moving to a slightly stronger hash algorithm that takes 10x longer to calculate combined with adding just 2-4 characters to passwords gets you that.

Re:No kidding

[WuphonsReach]

So your password is "a phrase, modified a bit". Would you care to estimate how many bits of entropy are in that?

Well, there are about 10,000 common words in english and maybe 300,000 words in a large english dictionary. So if it's a phrase composed of common words, then it's not very good. And if it's a phrase of related words, a markov chain could make short work of it.

Five to seven words picked out of the less common end of the dictionary would be 290,000 ^ 5 or 290,000 ^ 7. That's a pretty large number.

The presence or absence of things like periods, commas might add 2-4 bits to each word position.

Re:No kidding

[garyebickford]

But what if ...
    - cycles in the cloud become 100 million times cheaper? 10 billion?
    - 'web printing' of CPUs (like newsprint) means that desktops can have 100,000 core CPUs that are the size of a present day motherboard, and can be stacked 100 in a desktop box => equivalent of 10,000,000 CPUs in one desktop?
    - quantum computing is finally 'ready for the desktop' :D
or whatever ... I could make up more stuff, but you get the idea.

It's always dangerous to predict the end of tech growth. For perspective, it wasn't that long ago that hard drives looked like they were going to hit a hard limit on BPI - then vertical domains and several other technologies arrived. We are now achieving densities more than 1000x greater. True, there is a hard limit on the heat density equation, and many issues regarding shrinkage vs. leakage.

OTOH, 30 characters would in the abstract require 10^22 times as many cycles (using your model), which is a large number.

A 1000x improvement? That's not much. Moving to a slightly stronger hash algorithm that takes 10x longer to calculate combined with adding just 2-4 characters to passwords gets you that.

So an interesting metaquestion - given passphrases that normal people can remember, is a 30 character passphrase really 10^22 times harder to crack than an eight character password? Considering that it is very likely to be a slightly-disrupted string of words ('L1ke th1d 0n9!??') that has some mnemonic value. There's also the probability that they will be using the same password in several places, unless we go to some form of ubiquitous key exchange system, for which they only have to remember one password (a method that has its own issues)

Another factor is the application - it's certainly not worth while to spend $1,000,000 to crack my Slashodot account password, but it may be worth $100,000,000 (or more!) to crack the password of a notorious criminal or dictator, or the encryption system used by evil alien spies to communicate their plans to the invading fleet of star cruisers!

So I still think there is some crossover between the curve of the ability of humans to remember and use any form of passphrase plus tokens and the curve of complexity required to make cracking infeasible. I can't say where it is, but I am sure there is a limit that, eventually, will be passed.

Re:No kidding

[WuphonsReach]

Another factor is the application - it's certainly not worth while to spend $1,000,000 to crack my Slashodot account password, but it may be worth $100,000,000 (or more!) to crack the password of a notorious criminal or dictator, or the encryption system used by evil alien spies to communicate their plans to the invading fleet of star cruisers!

And there is the salient point that many people forget.

Unless the attacker is irrational or specifically targeted, the resources put forth to attack a particular password hash will be proportional to the value of what is being protected by the password hash. In the case of common user accounts on random websites, this generally means a miniscule amount of computation time because account X is the same as account Y. Why spend hours trying to track X's password when Y used a trivial password that was easily brute forced? Both accounts get you into the system / site which is what the attacker wants. They don't care which account gets them in.

So for most cases, your password only needs to be complex enough that it can't be cracked for less then a modest amount of money. That's enough to dissuade opportunistic attackers.

For normal accounts, I put that value at about $10. Very few opportunistic attackers are going to spend $10 to break into a common user's account. For superuser or administrator accounts, it is worth being more paranoid, but even then the upper limit on most systems is only a few hundred dollars before an opportunistic attacker goes elsewhere.

And at that point, you're dealing with an attacker who is specifically targeting you, and password strength quickly becomes the least of your worries. Social engineering, physical intrusion, flaws in the O/S or programs, bribes, etc. will all be used.

It doesn't have to be strong

[petes_PoV]

It just has to be stronger than the other guy's.

All the break-in attempts I've ever seen happening to one of our systems has only tried running through a list of users / passwords that are, bluntly, pretty dam' obvious choices. That none of them has ever succeeded on any of our user accounts tells you nothing about the strength of the individuals' passwords (policy set by the CIO's IQ/memory abiliity: 6 or more letters+numbers)

All it tells you is that the amateurs who run these scripts get a high enough hit-rate from rest of the internet to keep them happy - and not wanting to try anything harder. My personal belief is that if we did ever get hacked, the source would be internal or through information leaked by a user from social engineering, not from some script kiddie with a room full of GPUs, throwing off enough heat to make the cops think they've got a marijuana farm in the building.

Easy to remember implies less secure ...

[perpenso]

... My passwords are 32 characters long, contain upper case lower case numbers and symbols, and are easy to remember. That creates a search space of 1.86 x 10^65 possible passwords. ...

That sounds like you are using some words. If so the search space is smaller than you believe. Any time you can use the phrase "easy to remember" you no longer can use the mathematics of random permutations. Think in terms of tokens not characters, with a token being a word or a character. A token that is a word may be more secure since there are more words in a vocabulary than letters in an alphabet but a five character word is far less secure than 5 random characters.

Re:Easy to remember implies less secure ...

[sqrt(2)]

Actually, you can have all three of: length, sufficient entropy, and memorability. You create a small chunk or randomness (this makes a dictionary attack impossible), make sure it uses the largest alphabet possible (upper and lowercase alpha, numerals, and special characters) and pad it with easy to remember sections to increase the search space. This is possible because the attacker has no idea what password scheme you are using, and the only piece of info he gets is that a certain guess worked or didn't work. Steven Gibson recently did a podcast on this.

D0g.....................

is a better password than

@1Vp3Mfh8GivI%KfB=rebaL

Despite the fact that the first one has much lower entropy, it has enough to make a dictionary attack impossible, the same alphabet space, and a greater length meaning the brute force attack has another character to work through which increases the time by a multiple of the alphabet length.

Re:Easy to remember implies less secure ...

[Jane+Q.+Public]

Some years ago, back when I was still using Microsoft tools for programming (I think it was about 1999), Microsoft put on some seminars in my area, which they did from time to time. There was one seminar on System Security that some friends and I attended. The speaker was some bigwig in security at Microsoft, but I don't remember his name now.

One of the first things he said was "It's impossible to have too much security, right?" The audience almost unanimously agreed. He said "Wrong!"

He said, "In NT, you can set up a password policy that requires every user to have a password of at least 10 characters, containing at least one upper and one lower case letter, at least one number, at least one non-alpha character, and require them to change it every week. Is that a secure password scheme?"

Again, the audience agreed with him.

He said "Wrong! It is a bad password scheme. As soon as you set that up, what your people will do, is write their password down on a post-it note and stick it to their monitor. This is a ritual they will repeat every week when they change their password."

Re:Easy to remember implies less secure ...

[sqrt(2)]

Post it note on the monitor makes you weak to an attack only if the attacker has physical access to the machine, if they do, you have bigger problems on your hand than weak passwords.

Re:Easy to remember implies less secure ...

[Svartalf]

Yes and no. Post it note on a monitor means that they have physical access to the premises which does not equate to physical access to the machine, per se. I can assure you...interview in a cube or office where they've done that and it's seen doesn't equate to physical access to the machine. You presume that there's no other ability to access the network, etc. which would be incorrect.

Re:Easy to remember implies less secure ...

[slater.jay]

My passwords are 20 characters long and easy to remember. They're also very strong: I have English passphrases, but I type them with a Russian keyboard layout.

Re:So What?

[NoNonAlphaCharsHere]

Parent is a case-study in What's Wrong With The New Slashdot. In a proper world (or, if you prefer, in the Elder Days) the AC parent would have AT LEAST cruised up to +3 Informative in as many heartbeats. As it is, this nifty site/tool he's pointed us to will languish in obscurity.

And in case you're wondering at my 'get off my lawn', my REAL Slashdot UID is in the low 800Ks, but contains a special character, so I haven't been able to log in to this Brave New Slashdot for over a month.

Re:If someone gets your hashed password, you're do

[Jaime2]

This problem is trivial to defend against. Simply employ key stretching. You can make it take as long as you want.

Re:If someone gets your hashed password..

[Fenis-Wolf]

NTLM hashes are calculated on the host and submitted across the wire to a server in response to a request for authorization.

But your friends have to stop playing games

[perpenso]

If you're a hacker, my bet is you have at least 10 more friends with recent gaming rigs... And guess what? The problem is embarrassingly parallelizable. 4.8 days for a 9 char password(worst case, btw)

But your friends have to stop playing games for 4.8 days. Good luck convincing them of that because you want to crack a single password. ;-)

Re:But your friends have to stop playing games

[JAlexoi]

Easy! Most of them keep their PCs on 24/7, because Torrents need to run! And finding a 100 people in a large university dorm that have the equipment and a few hours of their "downtime" is easy. Maybe you've been out of college too long ago or are one of those that I wouldn't contact for help...

Re:But your friends have to stop playing games

[perpenso]

Even a dinosaur like me remembers SETI@Home and its spiritual successors. ;-)

Thing is

[Sycraft-fu]

You are assuming a lot of knowledge about the password scheme for an attack. This may apply when dealing with secrets of national security, this does not apply to random systems on the Internet. Yes, a pass phrase could potentially be weakened by some cryptanalysis against the person. Knowing something about their vocabulary, the movies and literature they like, dates, addresses, and other things significant to them, etc could be used to load a system to search a smaller space.

However that isn't the kind of research someone is going to do. You and your data are not worth that kind of money. Hackers are not going to spend tons of time researching a target like that.

Also you have to remember that you slow down tries a lot if the logic gets more complex. These brute forcers are fast because they are simple. It is "Pick next valid combo, hash it, compare to hash, if it doesn't match, repeat." If you start having tends of thousands of cycles of logic to generate your guess, that slows shit down a ton.

Always be aware of the threat you are trying to protect against. The measures the government needs to go to to protect nuclear secrets are not the same ones you need to protect your lolcats photos.

Think of it in terms of physical security. Think how flimsy your door lock is, how easily a battering ram could take it out. Think how easily your windows are broken, and so on. Should you secure all that? Should you live in an underground bunker, guarded by marines? No, because you've nothing worth that kind of effort to protect. You are sensible about what protection you need.

Re:Thing is

[AlienIntelligence]

Think of it in terms of physical security. Think how flimsy your door lock is, how easily a battering ram could take it out. Think how easily your windows are broken, and so on. Should you secure all that? Should you live in an underground bunker, guarded by marines? No, because you've nothing worth that kind of effort to protect. You are sensible about what protection you need.

It is glaringly obvious that you sir have never lived
in a ghetto. So, let me give you a bit of ghetto
edu ma ka shun.

In, your life/housing, the potential thief sees a
certain level of exertion vs reward.
Too much exertion...

From the ghetto point of view, every house is
worth something. Because at that the exertion
is LOW.

I've seen every single bottom level window
knocked out and every apartment "tried", this
was in a very large area and went on for
http://maps.google.com/maps?&gl=us&ll=34.218988,-77.932012&spn=0.012172,0.014248&t=h&z=16
quite a while, literally a brute force event,
that like a generalized brute force across a
large database of passwords will result in
the same type of yield/reward ratio.

Doesn't really happen in crackerville.

But online, everyone is one windowpane
away from your apartment.

-AI

Why crack passwords?

[Lazy+Jones]

Nowdays, once your hashed password is exposed (e.g. someone posts a database dump of your favourite forum somewhere), it is unlikely that the system where it was stored was not completely compromised. It is unlikely that the attacker could not grab or modify all personal data / other information that was stored on the system. He can gain entry to the system using your account by modifying your password, so 0 security left there to compromise by recovering the plaintext password.

The only benefit he or someone else could gain from cracking your password would be to try it elsewhere in case you are stupid enough to still use the same password for several different accounts... So: don't do that, use long random passwords stored in a safe place (in your password-protected browser if you must) and you might as well stop worrying about the next generation of rainbow tables or 100 times faster GPUs etc. ...

Re:"Strong passwords useless"? Hardly...

[PCM2]

Right, so it will take 10 black hats a work week to crack one password. Given the ratio of black hats to usernames, I wouldn't worry too much unless you are person of relative interest.

Wait, aren't we looking at this wrong? Yes, if the black hats only had one password to crack, it would take this long. But if they've gained access to the entire password hashfile, they have many passwords to crack, and they're just trying to get lucky. Each time they pull a hash from a rainbow table, they have the equivalent of [number of users] lottery tickets. Successfully cracking one password would give them access to the machine, and no matter what level of privilege that account has, gaining any kind of access is a huge step.

I guess what I'm saying is, from the perspective of one person who wants to protect their individual account, yeah, you might not worry too much. But if you're the guy in charge of protecting the server itself -- and by extension, the security of every account on that server -- then worrying seems justified.

SHA

[Zomalaja]

Wouldn't changing to SHA-512 from MD5 make this a moot point ? What if the stored hash was the MD5 hash of the SHA-512 hash of the actual password ? Or, the Md5 of the SHA-512 of the MD5 and so on.......

Re:SHA

[cloudmaster]

Not moot, just delayed a little longer until computers get fast enough to break SHA-512 faster.

Fun note: Ubuntu uses SHA512 by default, and has for a while. In /etc/login.defs, the number of SHA rounds is also configurable; it defaults to 5000, but can be set up to 999,999,999 if you really want to slow logins down. :)

just the opposite effect

[OrangeTide]

SHA512 takes less time to calculate than MD5. You'd be making brute force easier event though you are adding more bits!

bcrypt, scrypt, and pbkdf2 allow you to adjust the of iterations necessary to calculate a password. If you want you can crank up scrypt where it takes several seconds of pegging your server cpu to authenticate a password. A GPU could still accelerate that, and if it was a thousand times faster than a CPU (it's not) it would take a year to walk through 3 billion guesses instead of doing it in a second.

Re:just the opposite effect

[WuphonsReach]

Eh, all your doing is increasing your cost. If you make the assumption that the attacker always has orders of magnitude more resources then you do, then it's a losing game. Beyond a very small amount of increased time per iteration, you're just harming yourself.

And the attacker may not even be paying for those resources (think botnet). Can you afford to increase your costs 100 fold to fend off against a 10,000 machine botnet?

Using a hash that takes longer to calculate is fine - up to a point. But it has rapidly diminishing returns. And if it suddenly takes a noticeable amount of time for regular users to authenticate, then the attacker has won by forcing you to DoS yourself.

You gain far more, for cheaper, by enforcing longer password lengths and checking complexity. If that is still not enough, then a 2-factor system which adds a physical token to the mix may be cheaper then adding dozens of servers to calculate password hashes.

Re:If someone gets your hashed password, you're do

Do you seriously think that in the age of bitcoin we can't make a hash function that is arbitrarily difficult?

All right, strong enough with the spurious bitcoin references. We don't care about your silly toy project, no matter how many times you choose to mention it.

Re:So What?

[cloudmaster]

Unless some bone-head forgot to limit access to the password field in LDAP to compare-only, or forgot to turn on encryption on the LDAP transport. ;)

Offline passwords. . .

[JSBiff]

This could be more of an issue for something like a zip file, 7-zip file, truecrypt volume, etc. Something where the encrypted data is local, and protected by a password. Think of a stolen DVD or USB hard drive which you had put stuff on.

In such a case, the attacker can hook the device up to their own computer, which will NOT enforce any artificial delays. In such a case, the only thing protecting your data would be the complexity of the password itself, and of the algorithm from which an encryption key is derived from the password.

Re:So What?

[Nighttime]

Doesn't matter how strong a password is, xkcd have it covered.

Ignorant post

[JSBiff]

You assume the only use of passwords is for "online" systems where an artificial delay can be imposed by the server.

What about encrypted files? How are you going to impose a delay on someone trying to decrypt the file on their own computer, potentially using different software than what you used (e.g. the software you used might impose a delay, but maybe they have written their own implementation, or modified an open-source version, to skip the delay and continue full speed ahead)?

Re:Ignorant post

[JSBiff]

Bzzzt. Try again. I'm not talking about login systems like the login prompt on a Windows or Linux box.

I'm talking about encrypted files - like zip files, 7-zip files, and TrueCrypt volumes, etc. With such files, it may be possible that a third party gets a copy (for example, you lose a DVD or laptop which has a copy of the encrypted file on it).

With such files, typically, a strong random key is used to encrypt the data itself, and then a password is used to encrypt that key.

So, the key is only as secure as the password used to encrypt it.

Your answer still completely fails to answer this situation - you cannot impose a processing delay in data file formats.

That's the situation I care about. The situation you are talking about, like the login prompt on Linux box, is as you say - you can impose a delay. Unless the person has physical access to your box and can reboot it with their own boot disk/USB drive. Then it's game over, unless the hard drive is encrypted, but again, they could try to decrypt the hard drive if you've used a weak password to protect the encryption key.

Re:So What?

[iluvcapra]

Isn't this why we're supposed to move all these transactions over https? (Except for the NTLM token, you probably shouldn't allow those to fly over the WAN under any circumstance.)

Actually...

[fivevoltforest]

I can break a password of 'fjR8n' in less time than the GPU.

fjR8n

see?

Re:Actually...

[garyebickford]

Since your post was at 7:35 PM and it's now 8:37 PM when I'm receiving it, the actual delivery of your correct password guess took over an hour. So it took longer than the GPU! :D

Weak crypto

[Bert64]

All this is talking about NTLM password hashes, the algorithms used by modern unix systems are a lot tougher and even with modern GPUs, still very slow to crack...

More importantly, NTLM password hashes are plaintext equivalent, so you can use them without having to crack them at all (google for pass the hash), so cracking them is only for amusement value anyway.

So the problem is not so much GPUs, its more to do with windows systems having extremely weak methods of storing passwords.

Re:NT or LM?

[JSBiff]

I remember reading a write-up about that back when the gawker media password file leak happened. One of the schemes, I think it might have been the LanMan hash, effectively reduced all passwords of any length to a sequence of like 7 or 8 character passwords, because it hashed each section of the password separately - e.g. it would hash the first 7 characters, and store that, then hash the second 7 characters.

So, to find the full password, you just lookup one 7 character password in the rainbow table, then the next 7 characters, etc. Since each individual lookup takes like 1/1000 of a second on a modern computer, you could instantly crack any length password 'hashed' with that scheme.

Re:If someone gets your hashed password, you're do

[Caesar+Tjalbo]

Do you seriously think that in the age of bitcoin ...

I think there's a whole bunch of people with cheap GPU's out there in the age of Bitcoin.

Keepass' answer to brute force attacks

[KingofSpades]

Paroting the KeePass website:

'You can't really prevent these [brute force] attacks: nothing prevents an attacker to just try all possible keys and look if the database decrypts. But what we can do (and KeePass does) is to make it harder: by adding a constant work factor to the key initialization, we can make them as hard as we want."

To protect its database (of passwords), the program actually performs N rounds of AES encryption, with N being a large number of your choice, chosen so that these rounds take "a lot of time", say 1 second. This way, the attacker will only test 1 password per second.

Does this make sense ?

Re:So What?

[makomk]

Really, more systems should make use of the various encrypted key exchange schemes. They fairly strongly guarantee that you can only get one guess at the password per attempted login, even if you manage to intercept the communication beween server and client. (Obviously there's not a lot they can do about brute force attacks if you manage to acquire the information the server uses to verify the passwords, though.)

Strong Passwords were useles from the get go

[Cyberllama]

Nobody is trying to brute force a remote login--your account would be locked after a few failed attempts anyways. This is only a valid approach if you've somehow got your hands on the hash file. More and more we see people like sony having plaintext passwords or Gizmodo have unhashed (reversible encryption) passwords. The sites that have your password properly stored as a hash are not the ones getting hacked in the first place.

Re:If someone gets your hashed password, you're do

[cloudmaster]

I though the use of delay loops went away with computer games of the 80's. Besides, as soon as a faster computer comes out, the old algorithm is useless for security, and the new algorithm is so slow that it's useless on the old computers. Same problem that led to the move from DES to salted DES to MD5 to SHA512 to... You're chasing your tail with key stretching.

Re:increase the time lag between password tries...

[Joce640k]

So it takes a minute to log in anywhere? That'll go down well with people...

Re:If someone gets your hashed password, you're do

[Jaime2]

Quit pushing the solutions on the users. You don't need to use longer passwords to make it harder to reverse password hashes, all you need to do is salt the passwords and use iterative hashing (key stretching) to make each guess take longer. In a well designed system, it should take 200 days to brute force passwords for 1000 users, assuming all users had three character lowercase alphabetic passwords. This is base on tuning the number of hash iterations so that a guess takes 1 second to verify.

Taking the information into the article into account, there is a new wrinkle. The application will be using the CPU to compute hashes an attacker might use a GPU based approach. The numbers for the article show the GPU to be about 1500 times as fast as a CPU, getting the horrible passwords from the previous paragraph in about three hours. However, those were absolutely horrible passwords. By tweaking the password policy so that passwords must be five characters long (still no requirement for mixed case or non-alphas), we could still see passwords take 1 second to be verified in the application and the 1/1500th of a second for the GPU based attack would still require 91 days to complete brute forcing the entire database. Of course, nothing will help the users with passwords that are at the top of the dictionary. The best part about iterative hashing is that if we have the same discussion twenty years from now, we simply tweak the number of hash iterations and we get exactly the same results.

Re:If someone gets your hashed password..

[jshackney]

What fascinates me about this scenario is how many collisions can be found during this brute-force process?

Re:If someone gets your hashed password, you're do

[letsief]

It's not that simple. Cryptography is an asymmetric game: you always have to assume the attacker has orders of magnitude more computing resources than the target. Cryptography works because we can (usually) find problems that get exponentially harder and harder to crack. For instance, let's say you just want to encrypt something. A block cipher with a 64-bit key is just on the edge of being brute-forcible today. But, as a general rule, you could use a block cipher with a 128-bit key and it should only be half as fast as the 64-bit cipher (note I said this is a general rule, there are number of factors that influence speed). A 128-bit block cipher is 2^64 times more difficult to crack than a 64-bit block cipher. So, the target can make something 2^64 times more difficult to crack by just doing twice the work.

Your proposed solution just grows linearly, not exponentially. If you iterate SHA-1 10,000 times instead of just 5,000 you're also doing twice the work, but this time you've only made your password twice as difficult to crack. If you can suddenly start doing twice the work you did before, you have to assume the attackers can as well.

Yes, iterating hash functions buys us more time, but this is a game that targets can't win. Plus, you're ignoring all of the problems associated with moving to higher iteration counts. Probably first and foremost is interoperability. There's a massive application base out there that just uses MD5 or SHA1 with little to no iteration. It's not easy for software like Windows to change. I think it wasn't until Vista that Microsoft stopped storing a LAN Manager hash of users' passwords, which made then trivial to break. That's been known to be bad for a long, long time. Plus, in most web-based applications its not the client that does the hash operation, its the server. While your new Core i5 processor could probably easily handle bumping up the iteration count by an order of magnitude or so, Google's Gmail servers probably can't.

Longer, more complicated passwords would be more effective than increasing iteration counts, but people are bad at generating and remembering long passwords. So, the only long term solution seems to be moving to stronger forms of authentication, like smart cards or using devices like smart phones as one-time password devices.

Re:If someone gets your hashed password..

[MikeBabcock]

NTLM hashes (and most others) are sent over the wire in a number of circumstances.

The whole point of password hashes is to have something more secure than a raw password to transmit over the wire. What do you think is sent over the wire if not a password hash?

Re:NTLM? Please be serious...

[theinfamousbob]

Thank you for pointing this out. I'm wondering why people are upset about NTLM hashes being broken; any good user disables the legacy storage of them.

I need the community's help then

[drsmack1]

My password is tYidsasaf770 and my IP is 198.81.129.125 - can someone try this GPU thingie on me? I want to be secure as possible. Thanks...

good combo

[Sase]

Thats why i dont use a password..or at the very least...
So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Re:So What?

[perryizgr8]

your big cracking times are misleading, because you haven't factored in dictionary attacks. 'green peppers allow access' would probably be ultra-quick to crack.

Re:"Strong passwords useless"? Hardly...

[DriedClexler]

And don't forget all the people who set up rigs specifically optimized for computing lots of hashes quickly to mine bitcoins *looks around furtively*...

finally,

[Jarik+C-Bol]

so this means i may finally have a quick way to get back into that encrypted file I forgot the password for? I should have known that the 32 character password was a bad idea.

Truecrypt?

[Frederic54]

I don't need a Windows password using a weak algorithm, I have an encrypted partition with Truecrypt that ask a password at boot just after BIOS, mine is 24 characters, I am wondering what a GPU could do...

Re:So What?

[adamstew]

except dictionary attacks aren't combining words in the dictionary in to phrases.

There are 171,476 words in the english language, according to the count in the oxford dictionary (source: http://oxforddictionaries.com/page/93)...probably many more in reality. If your phrase is 4 words long, using just the words in the dictionary, that's 8.65x10^20. If your cracker is going at 1 million guesses per second, then it's taking your "ultra-quick" dictionary attack is going to take about 27 and a half million years.

Re:So What?

[Khyber]

I use Kanji for my password!

Re:If someone gets your hashed password, you're do

[Bryan3000000]

Yes, it scales linearly. But if you set a 1-second minimum on hashing, and a GPU normally does 3.3 billion/second, then you've done 3.3 billion times the work. Not twice the work. Plus a brute force attempt would not know the number of rounds, and so would have to try, say, everything from 1 round to 9.9 billion rounds, just to be reasonable. So requiring a second or two of hashing has potentially required billions of times more work to generate the hash, and requires billions of times more work to break (which already takes relatively a long time), assuming no shortcuts.

Perhaps it's reasonable to do this much work when generating each password. How many new users/minute do you expect? If you add users at that rate, there are bigger scaling problems.

Stronger forms of authentication should be used in addition to strengthening passwords, since passwords will likely still be one factor used. Even two-factor authentication employing a password plus a "stronger" form can become meaningless if the password can be brute forced and the other factor overcome with social engineering or simple theft.

Re:So What?

[Rizimar]

That's too hard to remember. I use "password" for my password.

Re:If someone gets your hashed password, you're do

[letsief]

You don't just hash a password when you you store a new password. You also have to hash the password every time a user logs in. Now I agree you could certainly increase the iteration count on passwords, but one full second of computation on a busy server isn't going to fly. Companies have pushed back over far less. It has taken a long time to get where we are today when it comes to using TLS for login pages, and that's far less than one second of computation. Far fewer companies continue to use TLS once you get off the login page, even though the symmetric encryption operations that take place after the initial key establishment are even less computationally intensive.

I was just the example of twice the work to show how much easier it is to make brute-forcing a key infeasible versus brute-forcing a password. Yes, I'm sure you can do more than twice the work. But you're not going to get away with doing 3 billion clock cycles. I think you'd have a hard time getting people to deploy enough iterations to block brute-forcing attacks. And even if you do, it would be short-term fix. Bumping up the key length of an encryption algorithm can extend security a long time. From a practical perspective, AES-256 should work indefinitely, as long as someone doesn't break the algorithm itself. There's probably not enough energy in the universe to brute-force a 256-bit key, and quantum computers don't help that much. Bumping up the iteration count by a factor of 50 or so (any more and I think you'd have a hard time getting people to deploy it) basically just gets you the same thing as another character in the password. That's not enough to block these attacks. And by the time you'd actually get that deployed password crackers would be even more powerful. And since you can't get companies to change crypto algorithms and protocols constantly, you'd basically be stuck with that for 5-10 years.

You're not going to close hole with higher iteration counts alone.

Use sentences!!

[DavoMan]

I use sentences for all of my passwords. I have in effect a 20+ character password which is just as easy to remember as a word. I throw in a number in replace of a word or letter and bam - i have an alphanumeric 20+ character password which is extremely easy to remember.

Re:Use sentences!!

[DavoMan]

not to mention commas or exclamation marks. sentences really are the way to go dudes

Re:So What?

[wkcole]

If you want to really spoil a hypothetical hash-cracker's day(and, depending on the keyboards you routinely deal with, often yours as well), you can take advantage of the fact that some systems(recent NT derivatives among them) will accept the assorted unicode characters not accessible on the keyboard of your language area. It isn't fun to type; but "&#9839;&#9578;&#743;&#190;&#8101;&#9619;&#9658;&#65272;" is relatively unlikely to fall easily. (Thanks Slashcode, still handling that Unicode, I see...)

Not useless, but do the math. A printable ASCII character space can be typed almost anywhere, and gives you about 6.5 bits of variability per character. The cases described in the FUD of the article are all assuming limits on the length of passwords shorter than 8 characters, but they don't hide the fact that lengthening the password (or in fact, just allowing longer passwords) gives pretty good protection rather swiftly even with a fairly limited character space. At 6 bits per character, 2 more characters means about a factor of 2k in time to guess, 4 more adds a factor of 4 million. Based on the numbers in the summary, a 12-character password will take that GPU well over 8 millennia. That's not a meaningful number, but it is well past any rational threshold of being easy to crack.

Re:So What?

[wkcole]

At 6 bits per character, 2 more characters means about a factor of 2k in time to guess, 4 more adds a factor of 4 million. Based on the numbers in the summary, a 12-character password will take that GPU well over 8 millennia. That's not a meaningful number, but it is well past any rational threshold of being easy to crack.

Bad math. My factors were too low. 2 more characters from a 64-character space (as implied by the examples) would multiple the guessing difficulty by 4096, 4 more by 16M, and a 12-character password would occupy the claimed GPU for 35ky.

Re:If someone gets your hashed password..

[atomicdoggy]

NTLM hashes do NOT go over the wire. You use the hash to encrypt a "well known" key and sent THAT across the wire. The remote server then does the same thing and compares the results.

Summary, article, and references all FUD.

[wkcole]

1. NTLM hashes have not been deemed a safe way of protecting passwords for many years.
2. If you use NTLM hashes for password storage and a blackhat has the freedom to run a GPU cracker on them, you've almost certainly already lost whatever those passwords protect. The only advantage in cracking them would be to try them on other systems.
3. Sure, 5, 6 and 7 character passwords are trivially cracked. The headline reference to "strong passwords" cannot refer to that fact. A short password is a weak password, and that has been known for a long time.
4. The fastest way to strengthen passwords is to add length, not to expand the element space (as suggested in the referenced article.) To make an 6-character password limited to the base64 ("email safe") character set 64 times harder to guess, i.e. to add 6 bits of variability, just add a character of length. To do that by broadening the character set, you'd need to add a bit to each character, i.e. find another 64 available characters.

Bottom line: Want a strong password that you can type anywhere? Make it 12 mixed case letters, numbers and at least one punctuation mark. Based on the times claimed in the article, that should take 35,000 current GPU-cracker-years.

Re:Summary, article, and references all FUD.

[lazyforker]

Windows has some unsavory habits. Windows 2000 or later systems will store NTLM hashes for backwards compatibility. Many administrators do not know this; and fail to disable this "feature". cf href="http://support.microsoft.com/kb/299656">How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

Re:Summary, article, and references all FUD.

[yuhong]

you've almost certainly already lost whatever those passwords protect.

Remember that most Windows network protocols rely on the client to hash the password and transmit the hash over the network, which means that an attacker can use the password hash directly to login over the network.

Speed

And what about Rainbow tables? Those things can break weak password even faster than a GPU, by virtue of being precomputed. And available for download.

Re:And? GPU programs

[AlienIntelligence]

And slightly OT, but is there any actual GP-GPU software out there that isn't for black hats?

Newest Photoshop and Folding at home GPU client, CUDA optimized.

Two that come to mind quickly.

-AI

Break this!

[govt-serpent]

hunter2

Pedant point on memory...

[wkcole]

[...] memorizing a handful of 12-character passwords is no harder, in a practical sense, than memorizing a handful of 10-digit phone numbers.

Sensational alarmist crap at its best.

I don't disagree at all with your overall point, but as a practical matter here you are wrong. As it turns out, most human brains have a threshold at 7 items. Below that the difficulty of remembering a sequence of items grows linearly with a very low slope (i.e. remembering 7 numbers is only slighly harder than remembering 6) but past that it gets hard parabolically, so much so that most people will find mental ways to break up any series longer than 7 into parts. You don't really remember a 10-digit (NANP format ) phone number, you remember the 3-digit area code and the 7-digit local number, which most people probably break into 3+4 . If you are remembering a 12-character password your brain will break it up into at least 2 pieces, both of which should be rather random (unlike phone numbers) and containing more than digits. However you do it, the same number of 12-character passwords will be harder to remember than 10-digit numbers.

Secure pword?!?

[tqk]

"fjR8n" is your idea of a secure pword? Allow me to introduce you to the following chars: "!@#$%^&*()_+-={}[]"

Does Win* allow those in pwords?

NTLMv2 is much stronger and the default as of 2008

[KidSock]

Note that the article is referring to NTLMv1 which uses 56 bit DES and, as illustrated by the article, that is easily broken. However, the article conveniently fails to mention that as of Vista and Windows 2008, default security policy requires NTLMv2 which uses 128 bit RC4. That is a totally different crypto scheme. Despite the fact that the protocol for exchanging authentication tokens (NTLMSSP) has been around since early Windows NT days, it doesn't matter - cryptographically 128 bit RC4 is fairly secure. At least the difference between 128 bit RC4 and the 256 bit AES used by Kerberos is not the weak link (and as of today Windows domains still default to allowing 128 bit AES to be negotiated anyway).

Also, note that NTLM authentication is absolutely not obsolete. Kerberos clients require access to domain controllers. Kerberos is very sensitive about the name a client uses to authenticate with a service and it is very sensitive about DNS. It requires a lot of manipulation of principal names and key files. Time must be synchronized on all three machines involved in a Kerberos authentication. Stale tickets may need to be purged. If any of these things are not right, it can be non-trivial to track down the problem. NTLM does not have any of these issues. NTLM is much more robust than Kerberos. It's just less efficient and it lacks features like delegation. A "pass through Kerberos" mechanism is being developed to replace NTLM that would resolve some of these issues (the main one being that clients would not be required to access domain controllers), but I suspect it will still be quite a while before it actually does and it's not clear that it will solve all of the aforementioned issues anyway.

Re:So What?

[LO0G]

Actually for the NTLM hash mentioned in the article, the maximum effective password length is 7 characters.

That's why the NTLM hash was replaced 15 years with NTLMv2 which doesn't have that weakness. And the NTLM hash has been turned off since Windows Vista.

Re:If someone gets your hashed password, you're do

[Jane+Q.+Public]

As usual, when discussions of cryptography happen on Slashdot, a lot of nonsense gets bandied about. Let's clear some of it up:

Bcrypt is "adaptive" in a sense, in that you can specify (to a certain extent) the number of key setup rounds to be used in the algorithm. But there are some assumptions that many people are making in this discussion that simply aren't true. Let's take care of the assumptions first:

(A) This discussion is about brute-forcing passwords via the Web.

No, it is not. Because of various factors (one of which I bring up below), it would make no sense if this were about web-based attacks. For one thing, there is no way in hell a GPU utility could be doing web-based attacks that fast, no matter how fast it was itself.

(B) bcrypt is an advantage when faced with attempted brute-forcing over the web.

This is simply false. When doing web-based authentication, it is the server that does the hashing. The only advantage that bcrypt might have is that computing the hash takes time... but since it's happening on your own server, that is not an advantage. You could simply introduce a small delay before your hash is computed, and you will get exactly the same effect. Better, in fact, because of a serious issue with bcrypt, which I will explain below. But to be clear, this discussion is about breaking passwords assuming that someone has your database.

(C) Both MD5 and SHA1 are broken, to some degree.

This is nonsense. Certain weaknesses have been found, but the odds against those particular weaknesses (such as the probability of a collision with MD5) being used in a real-world exploit are astronomical.

(D) Certain hashing algorithms are vulnerable to rainbow tables.

No... ALL hashing algorithms, no matter how complex, or how much time they take, are vulnerable to rainbow tables, by their very nature. There is nothing in the world that can change that, except:

(E) Salts are completely unnecessary if you use the right hashing algorithm.

Utter nonsense. Salts are the only thing that can save you from rainbow tables. Some people have pointed to bcrypt, saying that it doesn't use salts, but in fact it does. It's just that unlike most other schemes, it stores the salt in the same database entry as the hashed password.

Now here are some things that seem to be contrary to popular opinion about bcrypt:

(1) You can specify how much time the algorithm takes to hash your password.

No... all you can do is set a "work factor" (N) to be used by bcrypt. The number of key setup rounds will then be 2^N. Not only is that NOT a fine-grained "tuning" mechanism, it has nothing directly to do with time. Given the same work factor, a supercomputer (or GPU) will still compute the hash a hell of a lot faster than a standard CPU doing the same thing. What you are adjusting is difficulty, not time, and and settings that can only be powers of 2 do not exactly constitute "fine-tuning".

(2) bcrypt will help prevent web-based brute-forcing.

No (see above). If your only concern is a web-based attack, then introducing a simple delay before your existing hash function will give you exactly the same protection... over the web. In fact, it gives you better protection in a sense. You see, using bcrypt with one "work factor" setting is NOT compatible with bcrypt at a different work factor. If for any reason you wanted to ratchet up your security by increasing bcrypt's work factor, all your existing passwords would have to be re-entered by their users, because there is no way to go from one hash to the other... the new hash has to be computed from scratch.

Which means that, for all practical purposes, bcrypt is not really "tunable" at all. Once you have users with established passwords, changing bcrypt's "work factor" will require each of those passwords to be re-computed. Which means the end user will have to manually

Re:If someone gets your hashed password, you're do

[mcrbids]

There's been a raging debate internally as to whether or not we should change to hashed passwords. (for historical reasons, passwords aren't hashed now)

I've pushed for hashing repeatedly, but it's always been downsided by the fact that users are often technological cave-dwellers who have trouble turning their computer ON, let alone not being able to get their password from a support staff.

However, I'm not sure it matters so much, anyway. There are a number of techniques (such as hash tables) that make hashing much less usable, this GPU attack only exacerbates an already bad situation.

I'm of the opinion that anything less than 2 factor authentication is broken now or soon, anyway. I'm in favor of a random, cell phone text tied to the password, myself, except that texts are sometimes delayed. It works like a one-time password and can't meaningfully be broken since the time window of opportunity is far less than the password timeout for trying again.

Done right, this can't even be used to cause a DDOS because, if it's tied to IP addresses, the cracker would have to work 24x7 for a few hundred thousand years to make the window of opportunity, or, use a few hundred thousand IP addresses for a year to do the same in a year.

Use Diceware, boys and girls...

The "nobody but us geniuses can make or use strong passwords" problem has been over and done with for a long time. And it turns out that anyone who advocates for requiring non-alphabetic keystrokes is simply ignorant, genius or not.

Just use diceware. Roll five D6 dice, look up the resulting base six number in the diceware dictionary, and write it down. There's your first short, memorable word. Repeat three times for login credentials and the like, seven times for "really strong" cryptographic pass phrases. When calculating password search space, it is easily found that length is everything: Increasing the symbol set increases the base, increasing the length increases the exponent. So your diceware pass phrases lose nothing of value if they are all lower case with no spaces and no "exotic" keystrokes - they just become much easier to remember.

http://world.std.com/~reinhold/diceware.html

Re:If someone gets your hashed password, you're do

[xenobyte]

So, the only long term solution seems to be moving to stronger forms of authentication, like smart cards or using devices like smart phones as one-time password devices.

Actually, the only solution is to do away with passwords as the ONLY 'lock' on protected systems. Multi-factor authentication is the only way to go. Sure there can be a password in there (something the user KNOWS), but cracking that gets you nowhere in itself. You'll also need the access card, token or whatever the user HAS and the finger, eye or whatever biometric component that represents what the user IS.

So, with such systems you can't just steal a hash file and crack that. You'll also need to physically access the user and get his code key and his finger... As 99% of all computer crime is executed remotely, this will be efficient to stop intruders. Even social engineering is mostly done remotely over the phone. Having to get close physically means a greatly increased risk and thus chance of capture. In other words - it will be pretty efficient at keeping unwanted visitors out. This is probably why most online banks use something like this (two factors minimum) as their access security.

How many years does it need to be?

[Sycraft-fu]

If the password protects access to a system, it needs to be secure only so long as it is the password in use for that system. If it becomes less secure, switch to a different one (or a different system like two factor authentication). If it protects data (like an encrypted volume) then you need to decide how long that data needs to be secure for.

Re:How many years does it need to be?

[garyebickford]

True. I was thinking more on the lines of, "when will every 30 character passphrase be generally recognized as crackable on a desktop machine in 5 minutes" as a criteria for what we might call the 'singularity' - the time when passwords that a 'normal' human can be expected to remember are no longer a useful barrier, at least for some common uses - the time when passwords become essentially useless, to be replaced by ... what?

Re:How many years does it need to be?

[Sycraft-fu]

Not really going to be a problem. So remember for this cracking shit we are talking about is you get a copy of the shadow or SAM file, and you start brute forcing the hashes. Well that is pretty rare anyhow (a system has already been badly compromised) but the thing is we can change the hashes used. Securing against this in the longer run means using much more computationally intensive hashes.

A brute force attack against a has table is literally nothing more than "Generate next password according to the brute force rules, hash said password, compare it to the hash table, if there's no match, repeat." So, need to slow that process down? Make the hash take longer.

So in the future systems will use new, much more secure hashes that will slow things down.

Irrelevant comment

[AC-x]

And any system worth its salt (crypto-hashing joke) won't allow that many attempts against any external or internal authenticator and will NEVER expose its password hashes.

What an utterly irrelevant comment, obviously you can't GPU-accelerate a remote login, that's got nothing to do with the issue here.

Fact is data breaches do happen (see Sony) and if you can suddenly brute force a password 300x faster than before that is a very big deal. 10 GPU equipped desktops can now do the work of 3,000 CPU based desktops...

Re:If someone gets your hashed password, you're do

[petermgreen]

Which means that, for all practical purposes, bcrypt is not really "tunable" at all. Once you have users with established passwords, changing bcrypt's "work factor" will require each of those passwords to be re-computed. Which means the end user will have to manually enter it again.

Your users enter their passwords when they log in giving you an opertunity to replace their password hash.

So provided you have some policy on expiring inactive accounts you can switch to a new hash scheme (or the same scheme with different settings) over whatever your inactivity timeout period is without users noticing a thing.

The fools!

[Ginger+Unicorn]

If only they'd built it with 6001 hulls!

NTLM is 4 times easier to crack then unix

[Gunstick]

And I talk about the old style 8 chars max unix hashes.
See some stats here:
http://openwall.info/wiki/john/benchmarks#Collected-john-test-benchmarks-for-one-CPU-core

and cracking the newest sha512 takes how long?

Re:increase the time lag between password tries...

[Lennie]

Depends, is it using a whole disk encryption sheme ? And was the laptop turned off ?

Re:So What?

[fuzzyfuzzyfungus]

I agree that, for most purposes, a few extra normal characters are rather more useful than a few weird ones, and much less of a pain to type. Plus, if there are applications that hook in to wherever you have your fancy-unicode password that aren't expecting non-keyboard characters, fun ensues.

I really only mentioned it because it can be kind of a cute trick. A dash of Akkadian Cuneiform probably doesn't add too much more entropy than would the same number of keystrokes of normal alphanumeric; but it is more amusing, and tends to place your password entirely out of the scope of any commonly available precomputed tables.

Re:NTLM? Please be serious...

[pinkushun]

And That's we have a 256-bit encrypted luks /homes

Trend is not good

[AliasMarlowe]

I use 12-character passwords. http://howsecureismypassword.net/ [howsecurei...ssword.net] estimates that my root password would take 25 million years to hack.

Well, I also use a 12 character password, with at least one upper-case, at least one lower-case, at least one numeric, and at least one non-alphameric character. That web site estimates a mere 4 million years for a desktop PC to crack it. However, it does not indicate whether that's using the CPU or a GPU. Several orders of magnitude might vanish from that estimate if it is based on use of the CPU and a cracker uses a decent GPU. The remaining safety factor may become uncomfortably slim before long, given the performance improvements expected in GPUs and the parallelism inherent in password cracking.

The other posters are correct: passwords should be a necessary step in authentication, but by themselves should not be sufficient for authentication. After all, we can't expect to keep using longer and longer passwords (or pass-phrases). A few years ago, I was content with 8 character passwords for root (and sudo) accounts, and often containing only two character classes. Now it's 12 characters, containing four classes of character. Clearly, this trend is not good, as my memory for passwords is not improving at the same rate.

Re:NTLM? Please be serious...

[pinkushun]

I have to add that the title *is* misleading. The 7 character password which was cracked in 17 minutes is alpha-numeric only. That hardly constitutes a strong password.

Including special chars, the 8 character password estimated 25 days to beat, while the nine char password of the same set, estimates a 7 year solve period.

I think the concept is very interesting and how this can be done! I still love it!

The simplest solution is...

[Phoenix]

The simplest solution that I can think of is to use an authenticator system.

That way the passwords can be as simple as the users want, they do not have to be changed every 90 days (the duration of a password in our facility) and with the code changing every 60 seconds, it means that even if they somehow managed to snag your passwords, they can't do anything with them.

And I know that such a system is not fool-proof. But until someone develops a way to break that system it may be the simplest and the best solution for now.

Re:So What?

[Junta]

That's assuming you know it's a phrase of exactly four normal English words long (no more, no less), what punctuation, capitilization, odd spelling or any other things could be in the mix. Even if you ignored all of that, even with 16,000 GPUs at your disposal, it'd still take you up to 6 months for *one* guy's password, The chances that you will be singled out as the target to the exclusion of all others seem slim. If you do have the attention of 16,000 GPUs dedicated to just you you must be a very special person of interest whose password is probably the least of your concerns.

Re:So What?

[EsbenMoseHansen]

While that method is effective on a few individuals, it doesn't scale well to 1000's of accounts.

Re:So What?

[OeLeWaPpErKe]

What I've always wondered about password cracking is that if you have sufficient access on either a linux or a windows system, you have sufficient access to change the login routine.

Just an example, change :

if (password_ok(user, password)) {
    mail_to_oelewapperke(user, password) **
    (original code)

** yes I know smtp mail is a total disaster to use for this. It's often blocked, unreliable, or worse : monitored. There are better, quicker protocols that pass through every firewall I've ever met in the field (even the ones *I* configure generally don't block at least 3 protocols you could use for this).

But given that you can download the shadow file, you can replace the pam_unix.so (after which even ssh will be sending it's passwords to you, so it's nice and general way to do this). On windows you can "stack" the GINA (which conveniently sends both local logins and rdesktop logins. Handy).

It used to be the case that people checked the integrity of .so's on their system, especially these VERY critical ones, but those days are long over. At least windows contains a (small) landmine you could step into when trying this. And of course, you have to prepare for this (though these days it's pathetic, there are basically 2 pam_unix.so versions : 32bit and 64bit, otherwise they're interchangeable over distributions. On windows, we're talking 3-4 different versions of the dll's and 2 different ways to install them).

Given that doing this gives you access to past *and* future passwords ... Real fun to see tell a sysadmin "hey I hacked your system", only to have them reinstall and tighten the firewall and replace *all* software and ... and .... and then tell them "hey I hacked your system again" 5 minutes after they've invested a week of time fixing their system.

Re:If someone gets your hashed password, you're do

[WuphonsReach]

It is well known that if someone gets your hashed password, it is as good as cracked.

It still depends on how much time / money the attacker is willing to spend. If you use slightly longer passwords / passphrases, then you won't be the low-hanging fruit. A dedicated, targeted attacker is still a big problem, but the opportunistic attackers will check the hashes, fail to crack them and move on to the next target.

I did an analysis on this a few years back, when CUDA and GPUs first started getting popular. Back then, my estimated speed was 5 billion hashes per second for a single GPU. A bit of an overestimation, but in line with the ~3 billion/sec of current GPUs. Passwords were assumed to be semi-random with 65% lower case letters, 20% upper, 10% numbers, 5% symbols. A big assumption, but it provides a starting point.

Very few attackers are going to spend more then a day on a single account. Even with a large botnet of 10,000 GPUs at their disposal. The ones that will go that distance are targeted attackers and they will be trying other methods as well to compromise your security.

Brute force times:
chrs
8 = 9 hrs
9 = 22 days
10 = 1325 days (44 months)
11 = 79,000 days
12 = 4.7 million days
13 = 282 million days
14 = 16.8 billion days
15 = 1 trillion days

The lesson from that was that 8 characters or fewer (of the stated complexity) passwords are screwed. You really have to go out to 11-12 characters and enforce some measure of password complexity to be safe.

Re:If someone gets your hashed password, you're do

[Terrasque]

And what happens when it takes 10 seconds for one of your users to log in (not to mention what happens when you got multiple logins at the same time), and the attacker still can do a billion tries per second thanks to his GPU farm?

Hey Math Guys

[AmberBlackCat]

Does the strength of the encryption significantly affect the user's experience with passwords and encrypted files? I mean, if 256-bit encryption is better than 128-bit encryption, why isn't everybody using 32678-bit encryption or maybe megabit encryption?

Re:If someone gets your hashed password, you're do

[Jaime2]

It is impossible to have both. GPUs are only about 2000 times faster than CPUs at calculating hashes. A reasonable password policy ensures that passwords won't be cracked before users have time to react (usually months or years). Your example would require that a GPU be tens of billions of times faster than a CPU at hashing.

Re:"Strong passwords useless"? Hardly...

[WuphonsReach]

I guess what I'm saying is, from the perspective of one person who wants to protect their individual account, yeah, you might not worry too much. But if you're the guy in charge of protecting the server itself -- and by extension, the security of every account on that server -- then worrying seems justified.

Excessive worrying is only justified if:

- You allow passwords shorter then 8 characters.
- You do not enforce password complexity.
- You do not uniquely salt your passwords on a per-account basis.

Change at least two of those things and you're protected against opportunistic attackers (which is probably 99% of the threat). Force passwords to be at least 10-11 characters (I suggest 12-15). Force passwords to have at least some numbers / symbols / mixed-case feature. Make sure you use a different salt for each account, of at least 12 bits, for storing the password.

Maybe switch to a hash that takes 100x longer to calculate then MD5. (The other steps will buy you the equivalent or better time over using a difficult hash method.)

If the information is that valuable, consider adding a 2-part authentication system (password + token, or password + biometrics).

Once you drive the time to brute-force a password hash into the hundreds of years (even assuming that everything gets 1000x faster before we hit the physical limits of the universe), then you're pretty much done. No attacker is going to spend a year cracking a single password. Now you need to worry about the other dozens of ways to get at the information - like social engineering, exploits, vulnerabilities, sniffing, spyware, physical intrusion or intimidation.

Re:If someone gets your hashed password, you're do

[Terrasque]

You're assuming that the cost ratio CPU / GPU will continue to be the same. That's not certain at all.

I can easily see both the per-card cost going down, and see per-gpu calculating power get increasingly ahead of CPU in these things.

Re:If someone gets your hashed password, you're do

[Svartalf]

It's not quite that simple... If you make a hash/crypto scheme that will be less vulnerable to this, you make it much more difficult to use it as a means for passwords in the first place as it's much more difficult to compute for authentication.

Re:So What?

[WuphonsReach]

The rule of thumb that I've used is:

About 10,000 common words (13.325 bits).
About 300,000 words in a large dictionary (18.2 bits).

(Most attackers will probably attempt to build the pass-phrases out of common words first. It's a much smaller search space.)

Re:So What?

[WuphonsReach]

With the advent of password cracking power that GPUs bring, it does indeed look like keyspaces the size of 8.65x10^20 and similar that those who think about such things traditionally believed were reasonably secure is starting to become attackable by entities smaller than governments. This'll continue, and it should.

And, as always, risk assessment comes down to knowledge of your attacker. Are they opportunistic? Or are they specifically targeting you (insane attacker, country-sized government, or you are a high value target such as Sony)?

It makes a huge difference. The opportunistic attacker is defended against by merely not being the low-hanging fruit. The latter is generally a no-win situation because they will attack from multiple angles and their resources vastly (1,000,000 or larger multiplier) outstrip your resources. It's still worth being smart about your password hashes in the latter situation, but you probably have other larger security holes through which they will gain access.

Re:So What?

[Coren22]

Or aren't able to turn on encryption because Macs can't do encrypted LDAP with SMB connections...

Re:If someone gets your hashed password, you're do

[Jaime2]

So, when do you forsee GPUs getting to the "tens of billions of times faster" that I mentioned above and is necessary for your comparison to be valid?

Re:So What?

[whereiswaldo]

Keep in mind "Green peppers allow access." follows standard sentence structure. I'd wager that your passphrase would be much more difficult to crack if the capital letter was in some random place and the period was moved somewhere else, like "greeN pepp.ers allow access"

Re:If someone gets your hashed password, you're do

[Jane+Q.+Public]

That's a good point I had not considered. It would take a rewrite or patch of most plugin authentication systems, but that would probably do the job.

Re:If someone gets your hashed password, you're do

[Jonner]

Quadrupling the time it takes to crack a password is significant if yours is one of thousands and the attacker doesn't have the resources or will to crack them all. If your password is four times harder to crack than everyone else's, it may be skipped. Just like any security measure, passwords are never absolute protection.

Any security measure from a closed door to a combination lock to an army can be overcome with enough resources and will. Sufficient security is something that requires more resources or will to overcome than the attacker possesses or just delays the attacker long enough that the attack can be rendered useless. In the case of password hashes being obtained by an attacker, the longer it takes for the password to be cracked, the greater the chance the victim can be made aware of the attack and change the password or take other measures that render the attack useless.

Re:If someone gets your hashed password, you're do

[marcosdumay]

Isn't it better to simply get the public RSA key of the user and be done with it? You get a 2048 bits key that won't need replacing often (good till the heat death of the Universe), won't burn your money into useless server cycles (fast algorithm), and is still more secure (older, way more tested than your idea). We just need to adapt the browsers, untill then you just don't limit the size of passowrds on your site, so people can protect themselves with longer ones.

It's true

[Physician]

I can confirm this as true because every single person responding to this thread is actually me. Getting everyone's password was a breeze. Logging into everyone of them and posting something different....... that was a pain.

slashdot is full of arm chair security experts

[OrangeTide]

Your point is not really true at all because you fail to take into account the scale of turning a few microseconds per calculation into a several seconds calculation. I just made it cost a million times more to crack passwords. There are no 10 billion machine botnets.

You think a 2-factor system is more user friendly than limiting authentications to roughly 35 logins per hour per quad core system? Having to wait in a queue seems less painful to me, and less likely to line the pockets of RSA Security.

Re:So What?

[Bob+Uhl]

Which is why Secure Remote Password was invented. It's pretty secure for a password-based authentication protocol--much more so that HTTP Basic or Digest.

Re:increase the time lag between password tries...

[Dekker3D]

If you get access to the hashed password, there's little else that'll slow down hacking attempts. Either make the hash take longer, or make the password more complex.

Re:If someone gets your hashed password..

[MikeBabcock]

Funny, l0phtcrack did a great job of pulling in NTLM hashes over the wire.

Re:If someone gets your hashed password..

[jshackney]

The post I replied to suggests stopping at the first collision. Perhaps the question was poorly worded. I would like to know how many collisions occur for a given hash. Could this be calculated without a brute-force attempt or is that the only way?