Stolen credentials are among the most sought-after items for cyber attackers. Until recently, the easiest way to get them was to trick victims into giving them up through phishing. A password of at least eight characters mixing upper- and lower-case letters, a number and a special character has usually been considered safe enough.

However, the power of graphics processors has greatly increased attackers' ability to crack passwords efficiently with dictionary attacks. A writer at this week's RSA Conference 2015 found that out at a vendor booth demonstrating a password cracking server the vendor had assembled.

The server has four ATI Radeon R9 290x GPUs, 32GB of RAM, two six-core Intel E5 processors and a 2TB RAID array, and it can make 47.708 billion hash guesses per second. It is fed by four custom-built dictionaries with a combined total of 6,316,324,295 entries, and all of the password cracking tools and rules the vendor uses are commonly available and in many cases open source.

The result? Four of the five hashed MD5 passwords the writer created for the test were cracked in less than five minutes. That included a nine-character scrambled password, as well as P@ssw0rd (the 0 is a zero). That five-minute statistic is one a CSO should pass on to an organization's staff.

So what's the solution? Two-factor authentication — particularly for those who have access to sensitive data, as well as for network devices like routers — will be a big help, whatever it costs the organization to implement. So will longer scrambled passwords.

There is no doubt, though, that CSOs have to re-think corporate password strategy and make clear that eight characters is no longer enough.
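The two lessons above, put into a defender-side password policy check. This is an added example, not code from the article or from the vendor at the booth. It uses the article's figure of 47.708 billion guesses per second to estimate how long an exhaustive search of a password's character set would take, and it flags passwords that are only a dictionary word with common substitutions, which is how P@ssw0rd falls in minutes regardless of its character mix. The word list, the substitution table and the 100-year policy threshold are constructed for this example; a real checker would use a large breached-password list. The exhaustive-search figure is a worst-case upper bound only: the booth cracked a nine-character scrambled password in under five minutes using dictionaries and rules, so the pattern check matters as much as length.

```python
"""Added example (not from the article): a defender-side password policy
checker applying the two lessons of the RSA 2015 demo.

1. Estimate the worst-case time to exhaust a password's keyspace at the
   demonstrated rate of 47.708 billion guesses per second.
2. Reject passwords that are a dictionary word with common substitutions
   or a trailing digit/symbol suffix, e.g. P@ssw0rd or Password1!.

The dictionary, the substitution table and the policy threshold are
constructed here for illustration; a real checker would use a large
breached-password list."""
import string

GUESSES_PER_SECOND = 47.708e9      # rate demonstrated at the booth (from the article)
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
MIN_EXHAUST_YEARS = 100            # policy choice for this example, not from the article

# Constructed for this example; a real list has hundreds of millions of entries.
SAMPLE_DICTIONARY = {"password", "welcome", "letmein", "qwerty", "monkey"}

# Common look-alike substitutions, mapped back to the letter they stand for.
LEET_TO_LETTER = str.maketrans({
    "@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
    "!": "i", "$": "s", "5": "s", "7": "t",
})


def alphabet_size(password: str) -> int:
    """Size of the character set implied by the classes the password uses."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),   # 32 printable symbols
    )
    return sum(n for chars, n in classes if any(c in chars for c in password))


def brute_force_seconds(length: int, alphabet: int,
                        rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of this length over this alphabet."""
    return alphabet ** length / rate


def is_dictionary_variant(password: str, words=SAMPLE_DICTIONARY) -> bool:
    """True when stripping a trailing digit/symbol suffix and undoing common
    substitutions leaves a dictionary word, e.g. P@ssw0rd -> password.
    (Limitation: a substituted character that is itself at the end of the
    word, as in "pa$$", is stripped with the suffix and missed.)"""
    base = password.lower().rstrip(string.digits + string.punctuation)
    base = base.translate(LEET_TO_LETTER)
    return base in words


def assess(password: str) -> dict:
    """Apply both checks and return the findings with a verdict."""
    alphabet = alphabet_size(password)
    seconds = brute_force_seconds(len(password), alphabet)
    dictionary_hit = is_dictionary_variant(password)
    weak = dictionary_hit or seconds < MIN_EXHAUST_YEARS * SECONDS_PER_YEAR
    return {
        "length": len(password),
        "alphabet": alphabet,
        "exhaust_days": seconds / SECONDS_PER_DAY,
        "dictionary_variant": dictionary_hit,
        "verdict": "weak" if weak else "acceptable",
    }


if __name__ == "__main__":
    # P@ssw0rd is a dictionary variant; the 8-character random mix is exhausted
    # in about a day and a half at the demonstrated rate; the 12-character mix
    # would take hundreds of thousands of years.
    for pw in ["P@ssw0rd", "Xk7#qLp2", "Xk7#qLp2vB9!"]:
        r = assess(pw)
        print(f"{pw:14} alphabet={r['alphabet']:3} "
              f"exhaust={r['exhaust_days']:.3g} days "
              f"dictionary_variant={r['dictionary_variant']} -> {r['verdict']}")
```

Note that an eight-character password drawn from all 94 printable classes is exhausted in roughly a day and a half at the demonstrated rate, which is the arithmetic behind "eight is no longer enough"; the dictionary check is what catches passwords such as P@ssw0rd that would otherwise look strong to a class-counting policy.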


  • Hitoshi Anatomi

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

    At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.