5/13/2015 2:54 PM. All your passwords are belong to us. Authorities dig through prescription med databases thanks to pre-digital age precedent.

Size: px

Start display at page:

Download "5/13/2015 2:54 PM. All your passwords are belong to us. Authorities dig through prescription med databases thanks to pre-digital age precedent."

Beatrix Summers
5 years ago
Views:

All your passwords are belong to us. by Dan Goodin - Dec 9, 2012 4:00pm PST Authorities dig through prescription med databases thanks to pre-digital age precedent.

Jeremi Gosney A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second.

The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards.

1 All your passwords are belong to us. by Dan Goodin - Dec 9, :00pm PST Authorities dig through prescription med databases thanks to pre-digital age precedent. Welcome to Radeon City, population: 8. It's one of five servers that make up a high-performance password-cracking cluster. Jeremi Gosney A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours. The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included 8 in every version of Windows since Server As a result, it can try an astounding 95 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft's LM algorithm which many organizations enable for compatibility with older Windows versions will fall in just six minutes. LG goes with a wild rear design and a Snapdragon 808. The Linux-based GPU cluster runs the Virtual OpenCL cluster platform, which allows the graphics cards to function as if they were running on a single desktop computer. ocl-hashcat Plus, a freely available password-cracking suite optimized for GPU computing, runs on top, allowing the machine to tackle at least 44 other algorithms at near-unprecedented speeds. In addition to brute-force attacks, the cluster can bring that speed to cracks that use a variety of other techniques, including dictionary attacks containing millions of words. "What this cluster means is, we can do all the things we normally would with Hashcat, just at a greatly RAW MEMORY DUMP, ANYONE?

e-mail to Ars. "We can attack hashes approximately four times faster than we could previously." Gosney unveiled the machine last week at the Passwords^12 conference in Oslo, Norway.

As Ars previously reported in a feature headlined "Why passwords have never been weaker and crackers have never been stronger," Gosney used the machine to crack 90 percent of the 6.

2 to Ars. "We can attack hashes approximately four times faster than we could previously." Gosney unveiled the machine last week at the Passwords^12 conference in Oslo, Norway. He previously used a computer equipped with four AMD Radeon HD6990 graphics cards that could make about 88 billion guesses per second against NTLM hashes. As Ars previously reported in a feature headlined "Why passwords have never been weaker and crackers have never been stronger," Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn. In addition to the power of his hardware, his attack was aided by a 500 million-strong word list and a variety of advanced programming rules. Using the new cluster, the same attack would move about four times faster. That's because the machine is able to make about 63 billion guesses against SHA1, the algorithm used to hash the LinkedIn passwords, versus the 15.5 billion guesses his previous hardware was capable of. The cluster can try 180 billion combinations per second against the widely used MD5 algorithm, which is also about a four-fold improvement over his older system. The speeds apply to so-called offline cracks, in which password lists are retrieved by hackers who exploit vulnerabilities on website or network servers. The passwords are typically stored using one-way cryptographic hash functions, which generate a unique string of characters for each unique string of plaintext. In theory, hashes can't be mathematically reversed. The only way to crack them is to run guesses through the same cryptographic function. When the output of a particular guess matches a hash in a compromised list, the corresponding password has been cracked. The technique doesn't apply to online attacks, because, among other reasons, most websites limit the number of guesses that can be made for a given account. The advent of GPU computing over the past decade has contributed to huge boosts in offline password cracking. But until now, limitations imposed by computer motherboards, BIOS systems, and ultimately software drivers limited the number of graphics cards running on a single computer to eight. Gosney's breakthrough is the result of using VCL virtualization, which spreads larger numbers of cards onto a cluster of machines while maintaining the ability for them to function as if they're on a single computer. Enlarge Jeremi Gosney "Before VCL people were trying lots of different things to varying degrees of success," Gosney said. "VCL put an end to all of this, because now we have a generic solution that works right out of the box, and handles all of that complexity for you automatically. It's also really easy to manage because all of your compute nodes only have to have VCL installed, nothing else. You only have your software installed on the cluster controller." The precedent set by the new cluster means it's more important than ever for engineers to design password storage systems that use hash functions specifically suited to the job. Unlike, MD5, SHA1, SHA2, the recently announced SHA3, and a variety of other "fast" algorithms, functions such as Bcrypt,

3 to convert plaintext input into cryptographic hashes. As a result, the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses against Bcrypt and 364,000 guesses against SHA512crypt. For the time being, readers should assume that the vast majority of their passwords are hashed with fast algorithms. That means passwords should never be less than nine characters, and using 13 or even 20 characters offers even better security. But long passwords aren't enough. Given the prevalence of cracking lists measured in the hundreds of millions, it's also crucial that passwords not be names, words, or common phrases. One easy way to make sure a passcode isn't contained in such lists is to choose a text string that's randomly generated using Password Safe or another password management program. Slides of Gosney's Passwords^12 presentation are here. et Subscriptor Rom wrote: I don't understand how any password system allows that many sequential guesses. If you fail 100+ times, what are the chances you are trying to crack it? Like the story says, this is all for offline attacks. The first step would be getting access to a list of all the hashed passwords and the associated login name and . Once you have this you don't have to worry about tripping any server side security as you already have the data and don't need to talk to the original server. You then take this offline, point your super duper password cracking machine at the list, hit go, and wait as the fun begins. 5 posts registered Jan 19, 2012 dave.abbott wrote: Would a 20 character password really take that much longer to crack than an eight character password? I was under the impression that the generated hashes were all of a uniform length - meaning that a 20 character password could conceivably have an 8 character counterpart that generates the same hash. I remember reading something about MD5 having exactly that flaw. I understand that the odds of that happening are simply too high to fathom, but it is conceivable for a 20 character password to be cracked well before the the guesses even reach that length, yeah? This is a common misconception, that when we crack hashes we are really trying to find collisions. Single block collisions are extremely rare. For MD5, only one single block collision has been found. No single block collisions have been found for any of the SHA algorithms. So for all intents and purposes, no, we are not trying to find a collision. Every time you add a character to your password, you are exponentially increasing the difficulty it takes to crack via brute force. For example, an 8-char password has a keyspace of 95^8 combinations, while a 20-char password has a keyspace of 95^20 combinations. However, this ONLY applies to brute force attacks. If your password is weak it does not matter how long it is, as it will likely fall to other attacks such as wordlist and rule-based attacks. We regularly crack pass phrases that are 15 to even 100 chars long because they are too simple. FrankM wrote: epixoip wrote: Every time you add a character to your password, you are exponentially increasing the difficulty it takes to crack via brute force. For example, an 8-char password has a keyspace of 95^8 combinations, while a 20-char password has a keyspace of 95^20 combinations.

4 Thanks, I was wondering where the 95 came from and why it wasn't shown as 6.6*10^18 or similar. The "95" comes from the standard 95 characters on a US keyboard. 26 upper, 26 lower, 10 digit, 33 special chars. Using extended ASCII or Unicode chars increases the keyspace. But, it should be noted that using these characters doesn't necessarily make your password any more difficult to crack. emschorsch wrote: While this seems really impressive what kind of difference does this actually mean? It seems that there is only a 4-fold increase which while significant doesn't really seem to be a game-changer. If a password can be cracked in 5.5 hours using the new system then people were still screwed after 22 hours under the old system. You make a great point, which I will gladly address. The real threat comes not from quicker brute force attacks, but from greatly reducing the amount of time it takes to run more complex attacks. The 5.5 hours mentioned in the article is how long it takes to exhaust an 8 character password through brute force. This is all well and good, but we just use brute force times as a benchmark because it's the most comprehensible metric. As most Ars readers will note, brute force is almost always a last resort for us. We have lots of other tricks up our sleeves which help us to get longer, more complex passwords than are possible through brute force, including rule based attacks, combinator attacks, and hybrid attacks. The faster we can compute a hash, the more complex the attacks are that we can throw at it. For super fast hashes such as MD4, MD5, SHA1, SHA2, and even SHA3, we are virtually unlimited in the types of attacks we can run. We can throw tens of gigabytes of words at the hash, running each word through permutation filters and rules engines, even running complex combinations of attacks without really having to worry about how long each attack would take to complete. So what this really means for the average person is that not only are short-to-average passwords guaranteed to fall in a short amount of time, but also longer, more complex passwords fall in a quarter of the time it previously took. Wise, Aged Ars Veteran et Subscriptor For passwords I can paste into a field (apps, web sites) I use 1Password generally creating passwords characters in length depending on what is supported. For passwords I have to reamember and type in manually, computer accounts generally, I pick a word. Uppercase one of the letters (but not the 1st) then append a string of 4 random characters that includes numbers and special characters. That string is the same of random characters everytime, just the 1st word changes. I typically follow themes for picking the word. One computer may use the names of rivers, or states, or something i'm not telling you. Since the random characters are the same everytime I don't have to struggle to remember them. Because of this I'll most likely bump the random characters to 5 but otherwise keep the same method. The important part of passwords currently is simply length and the padding I use, plus using 4-6 character base words, makes the length pretty good. making it "look" random using some obscure method isn't anymore secure than my method. Dictionary attacks are geared towards 1 or 2 characters appended (or prepended) to a dictionary word (usually! or 1!) not 4-5 random characters. 121 posts registered May 23, 2007

5 Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other on Twitter About Us Advertise with us Contact Us Reprints RSS Feeds Newsletters Reddit Wired Vanity Fair Style Details Subscribe to Ars 2015 Condé Nast. All rights reserved Use of this Site constitutes acceptance of our User Agreement (effective 1/2/14) and Privacy Policy (effective 1/2/14), and Ars Technica Addendum (effective 5/17/2012) Your California Privacy Rights The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast. Ad Choices

Frontline Information Protection

Frontline Information Protection a presentation to the Phoenix Chapter of ISACA by Hoyt L Kesterson II October 2014 OBSERVATION Most successful attacks spring from weakly-coded web pages or compromised