Archive for September, 2012

You are going to have to change the way you make up and use passwords, or you’re going to be very sorry.  There.  I’ve said it.  And I really mean it.  Sorry to start out so negative.  Read on, and I’ll tell you why.  And I’ll tell you right up front what to do about it, so you don’t have to read the whole thing if you don’t want.

This is different from the post I just wrote about the Mat Honan hack, which had nothing to do with password strength or hacking or encryption or anything like that, because in that hack the customer service drones at Apple and Amazon simply gave the hackers the passwords — nothing technical can protect you from that kind of “service.”  No, this is about technically hacking your passwords using a psychological understanding of how humans construct passwords, databases of stolen passwords, and readily-available password-cracking software to lay waste to the presumed security of what people believe are “clever” passwords.  They aren’t clever, folks, they are transparent.

As Dan Goodin said in Ars Technica recently:

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.

If you read the rest of this post, you will see how this works and why this really has become an issue in the last 6 – 9 months, where it wasn’t before.  If you believe me already and don’t want to dig into the details, fine, here is what you need to do.  If you’re not sure yet, read on — it’s technical but I have simplified it for you, and when you’re done, back up to here and start executing these steps:

  1. You need to stop using anything but computer-generated, high-entropy gibberish passwords, at least 12 characters.  See below on the use of long passphrases;
  2. You should manage these passwords through a cloud-resident password manager such as LastPass or 1Password, so you don’t have to remember them;
  3. Critical accounts should be protected by two-factor authentication, wherever they offer it (e.g. the service will send you a text-message with a numeric code you have to enter, in addition to your password);
  4. Anything you are storing in the “cloud,” e.g. iCloud, needs to be encrypted with a private key YOU and only you know, before this data leaves your PC.

There have been several papers, blogs, and articles published in the last 6 months that demonstrate this, specifically here and here and here.  These and a few more even more technical are my sources for this analysis.

Root of the Problem: Corporate Security Incompetence

Almost weekly, it seems, we read about some corporation or governmental entity announcing, “Oopsie, we have been hacked and our password files stolen.”  Yahoo, LinkedIn, Gawker, eHarmony, Last.fm, Sony (multiple times), and many more, all the way back to the RockYou penetration in 2009, are all part of this dismal litany.  Now you might think this is relatively harmless; after all, they’re encrypted, right?  (Well, sometimes they’re encrypted, and sometimes they’re not.)  But it turns out that a stolen password file is anything but harmless.  Right now, there are perhaps around 500,000,000 passwords that have in this fashion been turned over to hackers, who then are free to crack them offline, and share the results of their cracking with each other.

From this immense database of cracked passwords they have extracted rules and probabilities and psychological principles about how real people try to generate secure passwords.  It turns out that these rules are rooted in our human consciousness and apply across broad swathes of the population.  For example, the lame exchange of “L”s by “1”s, or “B”s by “3”, or “O”s by zero and so on.  Or, your name followed by the year you graduated from high school.  Or two words with varying capitalization (duckspit or ducKspiT).  The crackers have built databases and rule engines that follow these and other examples, and run them against stolen passwords until they find a match.
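To see why these constructions give no protection, here is a small self-audit sketch, added as an example and not taken from the post or from any cracking tool. It strips the decorations described above (a trailing year, varied capitalization, the three look-alike swaps) and checks whether plain dictionary words are left; the word list is constructed for the example and the function names are hypothetical.

```python
import re

# Constructed stand-in for the crackers' dictionaries and name lists.
WORDS = {"duck", "spit", "bill", "bob", "password"}

# Undo the three look-alike swaps the post lists: 1 for L, 3 for B, 0 for O.
UNLEET = str.maketrans({"1": "l", "3": "b", "0": "o"})


def splits_into_words(text, words=WORDS):
    """True if text is one listed word or several run together."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in words for start in range(end)
        )
    return bool(text) and reachable[-1]


def human_patterns(password):
    """List the predictable constructions found, or [] if none apply."""
    found = []
    core = password
    year = re.fullmatch(r"(.+)((?:19|20)\d\d)", core)
    if year:  # e.g. a name followed by a graduation year
        core = year.group(1)
        found.append("trailing year")
    if core != core.lower():
        core = core.lower()
        found.append("varied capitalization")
    if core != core.translate(UNLEET):
        core = core.translate(UNLEET)
        found.append("look-alike substitution")
    # The decorations only matter if what is left is made of known words.
    return ["dictionary words"] + found if splits_into_words(core) else []


if __name__ == "__main__":
    for candidate in ["ducKspiT", "Bob1987", "passw0rd", "x7#Qm!2pLz@9"]:
        print(candidate, "->", human_patterns(candidate) or "no rule matched")
```

An empty result only means these few rules and this tiny list found nothing; it is not a verdict that the password is strong.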

But doesn’t that take, like, twice the age of the Universe to decrypt them?  Well, only if you’re trying to actually decrypt the password.  But they don’t do this — they take the entries in their giant index of already-cracked passwords, encrypt each one, and compare the encrypted value with your encrypted password in the stolen file.  If one of them matches, presto, they have your password, no decrypting necessary!

Example: in the recent LinkedIn hack, they lost 6.5 million passwords, and it took only 6 days for 90% of them to be cracked.  Actually (and I can’t find the reference for this, but I read it somewhere) about 25% of them were cracked in something like the first 30 minutes.  Note the futility of rushing out three or four days later when you heard about it, and “changing your password.”  Almost certainly, your password had already been cracked.

Cracking Engines: Hardware and Software

And they can do this encrypting and comparing very, very quickly.  It turns out that not only are today’s PCs very powerful, the secret weapon is none other than the display adapter boards (GPUs, or Graphics Processing Units) that gamers and statisticians alike use to draw sophisticated images on their monitors.  These boards, by Nvidia, AMD, and others, are in reality very powerful floating-point calculators that are just right for carrying out encryption. You can plug in one, two, or however many you have card-slots for, and you have something that rivals a Cray of 20 years ago.

To make it worse, there is no shortage of free or low-cost software that leverages this hardware to perform the cracking.  Good examples, and far from the only ones, are John the Ripper, HashCat, PassPal, and ExtremeGPU Bruteforcer.  Take a look at them, it’s downright scary.

How fast are they? Well, Rick Redman of KoreLogic has a machine with four GeForce GTX 480s, certainly not huge by today’s standards, and he can try 6.2 BILLION passwords per second.  Yes, billion, and per second.  At this year’s Defcon hacker conference, a project computer called Project Erebus made up of 8 Radeon HD7970 GPUs demonstrated it could test every single combination of 8 characters, including upper and lower cases, numbers, and symbols, in 12 hours.  So, if your password was 8 characters or less, it would have been hacked in less than 12 hours.  Actually, in an average of 6 hours!  This machine, believe it or not, cost less than $12,000.

The Result is Where We Are Now

Which is where?  Corporations and website operators have proved dismally inept at protecting the most basic security component, their login / password files, and these losses have fed crackers who are armed with computational power nearly undreamed of only a few years ago, and software that makes unfortunately fine use of their advanced hardware platform, to extract the passwords.  A big part of the solution would be to punish the corporations who lose this data by a fine that threatens their existence, and put the CIO in prison for a decade, but I have no hope at all that any such thing will ever come to pass.  They own our data, and we have nothing to say about it.  And when they lose it, it’s tough luck — for us.

So we can no longer be Pollyannas and trust these site operators to competently protect our data.  Pretty much, eventually it seems that it will all leak out and fall into the hands of people with the means to pry it open.  So, prudence says to make YOUR passwords one of the ones they have to brute-force and so likely give up on.

The only solution then is to make sure that a) our passwords are long, and b) they are so random that they can’t be guessed according to the human-sourced rules the crackers have, and will fall only to lucky brute-forcing.  12 characters gets us back up into the “thousands of years” area but ONLY if the passwords are inhumanly random.  And that’s where the password-handlers I discussed above come in — they can do the heavy lifting for you in this approach — they’ll generate these passwords for you, store them, and then play them back when you need them.
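The sketch below, an added example rather than code from the post or from any password manager, generates the kind of password described here and scales the post's own benchmark (every 8-character combination in 12 hours) to longer lengths. The 94-character alphabet and the function names are assumptions made for the example.

```python
import math
import secrets
import string

# Upper and lower case, digits and symbols: 94 printable characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Figure quoted in the post: every 8-character combination tested in 12 hours.
BENCHMARK_LENGTH = 8
BENCHMARK_HOURS = 12


def generate_password(length=12):
    """Draw each character independently from the OS CSPRNG."""
    if length < 12:
        raise ValueError("the post's minimum is 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size=len(ALPHABET)):
    """Worst-case search time, scaled from the 8-character benchmark.

    Each extra character multiplies the search space by alphabet_size.
    Assumes the same hardware and hash speed as the benchmark.
    """
    hours = BENCHMARK_HOURS * alphabet_size ** (length - BENCHMARK_LENGTH)
    return hours / (24 * 365.25)


if __name__ == "__main__":
    print("generated:", generate_password())
    for n in range(8, 13):
        print(f"{n} chars: {entropy_bits(n):5.1f} bits, "
              f"{years_to_exhaust(n):,.3f} years to try them all")
```

The estimate holds only for passwords drawn uniformly at random like this; a human-made 12-character password is found by the rule engines long before the brute-force search gets to it.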

But what about passphrases — long phrases that you can remember (presumably)?  Because they’re so long, aren’t they resistant to cracking? Well, as Jeremi Gosney has said, “If the phrase you have in mind exists anywhere in writing it’s probably in somebody’s wordlist and can be cracked with a rudimentary dictionary attack.”  So, none of that, please.

Should Password Crackers be Shot?

Actually, I think not.  At first blush, it seems that they are to blame for all our problems, punish them!  But really, if they weren’t doing this, and pointing out the problems, I can assure you the government and the serious crooks WOULD be doing it, and not telling us.  We would be fat and happy using 4-digit pins online, and they would be reading our every word and when push came to shove, they would own us.  So I applaud the crackers for punching holes in our complacency and forcing us to take better care of our online assets.

Final Thoughts on Internet Safety

Sometimes the people I talk to start thinking that the Internet is such a dangerous place that they should get offline at once, or they just give up and think that they can’t fend off the hackers and crackers at all, so they might as well not try.  Neither of these is true.  The Internet is just another place we go, like a new downtown or maybe a foreign country.  There are online risks as well as offline risks; we are good at evaluating offline risks (where we would walk at 2 AM or whether we should get out of a stalled car at all on a freeway), but we are still learning about online risks.  Don’t lose heart, you can adapt as your children surely will.  It’s just the march of progress leading us into new places.

