Why passwords have never been weaker—and crackers have never been stronger
Thanks to real-world data, the keys to your digital kingdom are under assault.
In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.
The warnings Brooks and millions of other people received that December weren't fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.
"The danger of weak password habits is becoming increasingly well-recognized," said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, "show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks."
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
A new world
The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007. As the Gawker breach demonstrated, such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.
Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.
The advances don't stop there. PCs equipped with two or more $500 GPUs can achieve speeds two, three, or more times faster, and free password cracking programs such as oclHashcat-plus will run on many of them with little or no tinkering. Hackers running such gear also work in tandem in online forums, which allow them to pool resources and know-how to crack lists of 100,000 or more passwords in just hours.
Most importantly, a series of leaks over the past few years containing more than 100 million real-world passwords have provided crackers with important new insights about how people in different walks of life choose passwords on different sites or in different settings. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.
"It has been night and day, the amount of improvement," said Rick Redman, a penetration tester for security consultants KoreLogic and organizer of the Crack Me If You Can password contest at the past three Defcon hacker conferences. "It's been an exciting year for password crackers because of the amount of data. Cracking 16-character passwords is something I could not do four or five years ago, and it's not because I have more computers now."
At any given time, Redman is likely to be running thousands of cryptographically hashed passwords through a PC containing four of Nvidia's GeForce GTX 480 graphics cards. It's an "older machine," he conceded, but it still gives him the ability to cycle through as many as 6.2 billion combinations every second. He typically uses a dictionary file containing about 26 million words, combined with programming rules that greatly extend its effectiveness by adding numbers, punctuation, and other characters to each list entry. Depending on the job, he sometimes uses a 60 million-strong word list and something known as "rainbow tables," which are described later in this article.
As a penetration tester who gets paid to pierce the defenses of Fortune 500 companies, Redman tries to spot weaknesses before criminal hackers exploit them on his customers' networks. One of the key ways he stays ahead is by downloading hash lists that are dumped almost every day on pastebin.com and other sites to see if any belong to the organizations he is contracted to protect.
Recently, he recovered a 13-character password that he had spent several months trying to crack. To protect the account holder, he declined to reveal the precise combination of characters and instead made up the imaginary passphrase "Sup3rThinkers" (minus the quotation marks) to illustrate his breakthrough. "Sup3rThinkers" follows a number of patterns that have become common: it opens with a common, five-letter word that begins with a capitalized letter and substitutes a 3 for an E, followed by a common, seven-letter word that also begins with a capital letter. While the speed of his system didn't hurt, cracking the password was largely the result of the collective codebreaking expertise developed online over the past few years.
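The dictionary-plus-rules approach described above, as an added example (this is not code from the article, from KoreLogic, or from hashcat): a toy cracker that mangles a small word list with a few hashcat-style rules, then glues two mangled words together, which is exactly how "Sup3rThinkers" falls out of "super" and "thinkers". The seven-word list, the rule subset, and the use of unsalted SHA-1 for the target hash are all assumptions made for the example; the last function shows why exhausting the full 13-character keyspace at 8.2 billion guesses per second is not an alternative.

```python
import hashlib
import itertools

# Constructed mini-dictionary standing in for the 26-million-word list in the article.
WORDLIST = ["super", "thinkers", "password", "dragon", "monkey", "letmein", "think"]

# A handful of mangling rules. The keys use hashcat rule syntax; the
# implementations are simplified re-creations written for this example.
def r_capitalize(w):
    return w[:1].upper() + w[1:]

def r_leet_e(w):
    return w.replace("e", "3")

def r_leet_a(w):
    return w.replace("a", "4")

def r_append_1(w):
    return w + "1"

def r_append_year(w):
    return w + "2012"

RULES = {
    "c": r_capitalize,          # capitalize first letter
    "se3": r_leet_e,            # substitute every e with 3
    "sa4": r_leet_a,            # substitute every a with 4
    "$1": r_append_1,           # append 1
    "$2$0$1$2": r_append_year,  # append 2012
}

def apply_chain(word, chain):
    """Apply the named rules left to right, the way a rule file is processed."""
    for name in chain:
        word = RULES[name](word)
    return word

def mangle(word, max_chain=2):
    """All distinct strings reachable from word by applying up to max_chain rules."""
    out = {word}
    for n in range(1, max_chain + 1):
        for chain in itertools.product(RULES, repeat=n):
            out.add(apply_chain(word, chain))
    return sorted(out)

def candidates(wordlist=WORDLIST):
    """Straight dictionary+rules first, then a combinator pass that joins two
    independently mangled words (this is what yields 'Sup3r' + 'Thinkers')."""
    mangled = {w: mangle(w) for w in wordlist}
    for w in wordlist:
        yield from mangled[w]
    for w1, w2 in itertools.product(wordlist, repeat=2):
        for left in mangled[w1]:
            for right in mangled[w2]:
                yield left + right

def sha1_hex(s):
    # Unsalted SHA-1 is assumed for the example target; any fast unsalted hash behaves the same.
    return hashlib.sha1(s.encode()).hexdigest()

def crack(target_hex, wordlist=WORDLIST):
    """Return (plaintext, candidates_tried), or (None, candidates_tried) on a miss."""
    tried = 0
    for cand in candidates(wordlist):
        tried += 1
        if sha1_hex(cand) == target_hex:
            return cand, tried
    return None, tried

def brute_force_years(length, charset_size, guesses_per_second):
    """Years needed to exhaust every string of the given length and alphabet."""
    return charset_size ** length / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    target = sha1_hex("Sup3rThinkers")  # the article's illustrative passphrase
    print(crack(target))
    print(f"{brute_force_years(13, 62, 8.2e9):.0f} years to brute-force 13 mixed-case alphanumerics")
```

The rule set is deliberately tiny; real rule files carry thousands of entries, and the combinator pass multiplies them, which is why Redman's months-long crack was a matter of having the right patterns rather than a faster machine.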
The most important single contribution to cracking knowledge came in late 2009, when an SQL injection attack against online games service RockYou.com exposed 32 million plaintext passwords used by its members to log in to their accounts. The passcodes, which came to 14.3 million once duplicates were removed, were posted online; almost overnight, the unprecedented corpus of real-world credentials changed the way whitehat and blackhat hackers alike cracked passwords.
(the rest of the article is at the link)
http://arstechnica.com/security/2012/08/passwords-under-assault/
Drought affects a lot of things
Drought causes shortage in Wis. cow chip throw
SAUK CITY, Wis. (AP) - It's very seldom someone talks about the quality and amount of cow dung, but in one southern Wisconsin city that's all they've been talking about lately.
The drought has caused a shortage of flattened, dried cow manure, or cow chips, for the Wisconsin State Cow Chip Throw and Festival, which attracts about 300 throwers and 40,000 spectators to Prairie du Sac, Wis.
"This is my 24th throw, and it's never been this difficult to find chips," said Marietta Reuter, who helps organize the festival that runs Friday and Saturday.
They use the chips from a local beef cattle herd that mostly eats grass, because the diet helps keep the chips dense and strong.
The hot, dry summer, which has caused crop, water level and other problems across the nation, caused the grass to brown and cattle to stay near their barn for food and to keep cool. That means the manure in the pasture wasn't able to dry and flatten in the sun.
The committee that runs the festival usually goes out once in July to shovel the manure and let it dry in wagons in the sun. But this year they had to skip it because of the poor quality.
Instead, a few organizers went out sporadically and collected about a third of the usual amount, 200 or 300. Every year they keep the good ones that don't break, so they will dip into the 150 to 200 in reserve barrels for this year's competition.
When searching for chips, they look for them to be about the size of a ping pong paddle.
"If it looks like it has air bubbles on the top, it's a bad chip," Reuter said. "It won't be worth it because it will be light and airy. But if it's thick and solid and grassy, it's a good chip."
Once they dry, they don't really stink anymore.
"A lot of people are afraid to pick it up," said Terry Slotty, who runs the throw every year. "They look at it, and it looks like what it is but once they touch it they notice that it's very dry."
The men's record was set in 1991 at 248 feet. The women's record is from 2005 at 157.5 feet, Reuter said. The festival will give the top finishers $200 each toward a trip to the World Championship Cow Chip Throw in Beaver, Okla., should they decide to go, Slotty said.
Reuter's brother, Russ Ballweg, who is the festival's grounds chair, said they are already planning on a backup plan for next year.
"We are probably going to have to go out more often and pick so we can get our reserve back up a little bit," he said.
http://wtop.com/209/3014087/Chipping-Away