Article first published as Password? No Barrier for a Hacker on Technorati.
No matter how carefully thought out your password is, no matter how complex it is, if you type it on a keyboard (in any language or symbol set), as we all must, it is no challenge to a hacker.
Yet another major website (LivingSocial.com) has fallen prey to a hacking attack. What was the treasure the hackers were after? What is the bounty they lust after?
Well, approximately 50 million email addresses and passwords for starters.
In a USA Today interview, C.E.O. Tim O’Shaughnessy stated: “We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.” He went on to say: “Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.”
What an understatement. The fact is, passwords are becoming totally useless for several reasons, which I will outline here. But first, it’s important to know HOW hackers get your password in the first place. The vast majority of the public don’t have a clue what is really happening out there.
Sit down and buckle up, let’s go.
The age-old art of cracking passwords has advanced more in the last 5 years than it did in several decades combined. This is due to two reasons:
#1. The average person uses weak passwords and re-uses them on multiple sites, so if one site is compromised, down comes the house of cards.
With each major security breach over the years, over 100 million real-world passwords have given hackers (more accurately called CRACKERS) an immense database of compiled data and a broad picture of how people choose passwords. This compiled information lets CRACKERS feed sophisticated software like oclHashcat with rules and wordlists that crunch through immense amounts of data, which leads to reason:
#2. The computer hardware crackers are using now is advancing faster than you can imagine. Most people have a password that is 8 characters or less in length. Crackers can now crunch through 16-character passwords with ease.
By combining this raw computational ability, with a massive database of known passwords, regular passwords are now compromised almost instantaneously, allowing the computing horsepower to focus on the longer passwords, making it easier and faster to crack through them as well.
A THIRD issue is that most websites protect passwords with general-purpose cryptographic hash algorithms that were never designed to protect passwords, for example SHA1, DES, NTLM/MD4, MD5, etc. (LivingSocial.com was using SHA1). Sites use these because they turn plain-text passwords into hashes incredibly quickly. Unfortunately, that same speed lets crackers test guesses against the stolen hashes just as quickly.
What can be done? Websites need to start using algorithms designed specifically for securing and protecting passwords, like SHA512crypt or BCrypt, which uses a variant of the Blowfish encryption algorithm’s key schedule. These would definitely slow the crackers down a bit, but not forever, and certainly not as a guarantee.
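To make the contrast between the two paragraphs above concrete, here is an added example (not code from the original article or from LivingSocial): a raw, unsalted SHA-1 next to a salted, deliberately slow password hash. Since sha512crypt and bcrypt are not in Python's standard library, the slow scheme is approximated with PBKDF2-HMAC-SHA512 (an assumption); the iteration count and the sample inputs are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow scheme (assumption: chosen so that a single hash
# costs a noticeable fraction of a second on a commodity CPU core).
ITERATIONS = 200_000


def fast_unsalted_sha1(password: str) -> str:
    """The kind of scheme the article criticises: one raw SHA-1, no salt.
    Equal passwords give equal hashes, and each guess costs one cheap hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt=None, iterations: int = ITERATIONS):
    """Password-specific hashing in the spirit of sha512crypt/bcrypt, using
    PBKDF2-HMAC-SHA512 as a stand-in: a random 16-byte per-user salt plus a
    tunable iteration count. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_slow(password: str, salt: bytes, expected: bytes,
                iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    _, digest = slow_salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """How many candidate passwords one CPU core pushes through hash_fn per
    second; a cracker multiplies this by the number of GPUs they own."""
    candidate = "correct horse battery staple"  # constructed sample input
    start = time.perf_counter()
    count = 0
    while time.perf_counter() - start < seconds:
        hash_fn(candidate)
        count += 1
    return count / (time.perf_counter() - start)


def slowdown_factor() -> float:
    """Ratio of fast-hash guess rate to slow-hash guess rate on this machine."""
    fixed_salt = b"\x00" * 16  # fixed so the loop measures hashing, not urandom
    fast = guesses_per_second(fast_unsalted_sha1)
    slow = guesses_per_second(lambda p: slow_salted_hash(p, fixed_salt))
    return fast / slow
```

Running `slowdown_factor()` shows the slow scheme cutting a cracker's guess rate by several orders of magnitude, while the two-user check below shows that salting also stops one cracked hash from exposing every user with the same password.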
The end result is passwords are OUR responsibility. Make them long, change them frequently, and don’t use the same password at multiple sites. That’s just the way it is.
P.S… Don’t count on services like 1Password either, as services like these also have serious vulnerabilities.