Infosec pros who had no idea of how easily a stolen list of hashed passwords could be cracked got a sobering lesson at this month’s SecTor security conference in Toronto.
There, Will Hunt, co-founder of the U.K. based In.security consulting firm, casually talked of systems that can be built around a common (about $1,500) Nvidea GTX 2080 graphics card that could make 100 billion guesses a second in a brute force attack.
Using a common open source password recovery tool called Hashcat, he said such a system would go through a large hashed list of eight-character passwords in two and a half hours.
Think how fast it would be if a couple of those GPUs were chained together …
Lesson: Powerful and reasonably priced-GPUs are making things easier for hackers.
Hunt used his own computer with three CPUs to recover 90 per cent of a stolen database of 380,000 passwords hashed with the MD5 algorithm in about 14 hours.
Want to make things harder for the bad guys? The usual recommendation is to have users mix special characters in with letters and numbers. Not necessarily, said Hunt. A nine-character password that uses mixed alpha-numeric and special characters generates 630 trillion possible combinations. A 10-character password using only upper and lower case letters generates 839 quadrillion combinations. (But he admitted Hashcat has a few tricks to shorten a search, so the odds are it would have cracked a password before hitting the 839 quadrillion mark.)
Still, the lesson remains: The longer the password the better.
Which is good, Hunt said, because the U.S. National Institute of Standards and Technology (NIST) now recommends IT departments tell users to create passphrases of at least 64 characters. And forget about changing them every 90 days.
For his presentation Hunt talked about the intricacies of Hashcat, runs on Linux, OS X, and Windows and can be used against Microsoft LM hashes, MD4, MD5, the SHA-family, Unix Crypt formats, MySQL, and Cisco PIX.
Users can employ a number of attacks on hashed password lists including brute force, dictionary, combinator, fingerprint and hybrid attacks. Briefly, the software hashes an unknown password and compares it with a hashed version on a dictionary until there’s a match. Searches can be customized to, for example, ignore special characters or upper case letters to make things go faster.
But, Hunt acknowledged, password length and complexity can foil — or drag out — a search.
In an interview Hunt acknowledged that the examples he cited in the presentation were poorly-protected — eight-character passwords, protection with the now out-of-date algorithms like MD5 — although some companies still use it.
One of the best defensive weapons for a CISO is to salt as well as hash user passwords, with the hash using modern algorithms like SHA-256 or Blowfish which are very hard to attack. (A salt is random data added to a password, so even if two people use the same password it generates separate results.)
In addition, he urged the use of multi-factor authentication, which “substantially thwarts the ability of an attacker to compromise accounts, and the use of password managers.
“At its heart, I firmly believe cyber security is a people, and not a technical, problem. So first of all a good security culture needs to be embedded in the organization. With that comes a degree of cyber security awareness training where people understand the importance of choosing long and complex, unique passwords.
“In terms of technical implementation, I would ensure my password policy is robust and has been heavily scrutinized and approved by a number of people, ensuring that weak passwords cannot be chosen, ensuring users are taking the right steps, and applying defence in depth.”