Stolen credentials are among the most popular items for cyber attackers. Until recently, the best way to get them has been tricking victims into giving them up through phishing attacks. The conventional wisdom has been that a password of at least eight characters with a mix of upper and lower case letters, a number and a special character is safe enough.
However, thanks to the power of graphics processors, the ability of hackers to efficiently crack a password with a dictionary attack has increased. A writer at this week’s RSA Conference 2015 found that out at a vendor booth that demonstrated the power of a password cracking server the vendor had assembled.
It has four ATI Radeon R9 290x GPUs, 32GB of RAM, two six-core Intel E5 processors and a 2TB RAID array. It can make 47.708 billion hash guesses per second. It is armed with four custom-built dictionaries with a combined total of 6,316,324,295 entries, and all of the password cracking tools and rules the vendor uses are commonly available and in many cases open source.
The result? Four of the five MD5-hashed passwords the writer created for a test were cracked in less than five minutes. That included a nine-character scrambled creation, as well as P@ssw0rd (the 0 is a zero). That five-minute figure is one a CSO should pass on to an organization’s staff.
So what’s the solution? Two-factor authentication — particularly for those who have access to sensitive data, as well as for network devices like routers — will be a big help, no matter what it costs the organization to implement. So will longer scrambled passwords.
There is no doubt, though, that CSOs have to re-think corporate password strategy to emphasize that eight characters are no longer enough.
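As an added illustration of the arithmetic behind those figures (example code written for this page, not from the article or the vendor's demo), the following Python applies a few assumed, simplified mangling rules to a tiny constructed wordlist against the unsalted MD5 of the article's P@ssw0rd sample, then uses the quoted 47.708 billion guesses per second to estimate how long the whole 6.3-billion-entry dictionary and an exhaustive search of eight- and twelve-character passwords would take.

```python
import hashlib

# Figures quoted in the article for the RSA 2015 demo rig (not measured here):
# 47.708 billion MD5 guesses per second and 6,316,324,295 dictionary entries.
GUESSES_PER_SECOND = 47.708e9
DICTIONARY_ENTRIES = 6_316_324_295
# Character set implied by the "mixed case, a number, a special character" policy.
ALPHABET_SIZE = 94  # 26 upper + 26 lower + 10 digits + 32 printable ASCII symbols

def md5_hex(word):
    """Unsalted MD5 hex digest, the hash form the article's test passwords used."""
    return hashlib.md5(word.encode()).hexdigest()

def mangle(word):
    """Yield the base word plus rule-based variants of the kind cracking tools
    apply: case changes, leetspeak substitutions and common suffixes.
    Assumed, simplified rules: "password" -> ..., "P@ssw0rd", "P@ssw0rd1", ..."""
    leet = str.maketrans({"a": "@", "o": "0", "e": "3", "i": "1"})
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(leet) for b in bases}
    for base in sorted(bases):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix

def md5_dictionary_attack(target_hex, wordlist):
    """Return the first mangled wordlist entry whose MD5 equals target_hex, or None.
    The demo rig performs this comparison tens of billions of times per second."""
    for word in wordlist:
        for candidate in mangle(word):
            if md5_hex(candidate) == target_hex:
                return candidate
    return None

def dictionary_seconds(entries=DICTIONARY_ENTRIES, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every dictionary entry once at the rig's rate."""
    return entries / rate

def exhaustive_seconds(length, alphabet=ALPHABET_SIZE, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every string of `length` characters."""
    return alphabet ** length / rate

if __name__ == "__main__":
    print("P@ssw0rd recovered as:", md5_dictionary_attack(md5_hex("P@ssw0rd"), ["password"]))
    print(f"whole dictionary: {dictionary_seconds():.2f} s")
    for n in (8, 12):
        print(f"all {n}-char passwords: {exhaustive_seconds(n) / 86400:,.1f} days")
```

Because the test hashes are unsalted MD5, every guess costs a single fast hash; the length comparison shows why the longer scrambled passwords recommended above move the exhaustive case from about a day and a half to hundreds of thousands of years.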