Debates rage over how complex a password should be, and today some question whether passwords themselves are obsolete. Security consultants tell us that the longer and more complex a password is, the harder it is to compromise. That may well be true against an attacker trying to break a password by hand, but against purpose-built cracking hardware, keyboard-typed passwords may be insufficient.
There are two considerations to address. The first, of course, is the password a user creates for personal websites and files. These passwords are usually chosen to be easy to remember and are frequently reused across multiple sites. Myriad articles explain password-cracking techniques, yet far too often users simply pick the easiest key combinations they can remember. Worse, people sometimes use those same combinations on sites that hold sensitive data, such as banks or healthcare organizations.
Today’s prevailing wisdom is to create a password that combines upper- and lower-case letters with numbers and special characters such as ^, ?, <, or }. The challenge, however, is that some websites and applications cannot handle special characters, which significantly reduces the potential complexity of the passwords. Additionally, extended-ASCII characters entered with the ALT key and a numeric code (such as the British pound symbol £, produced by holding down the ALT key and typing 0163) are also excluded by many password applications.
What not to choose.
The second consideration is how companies protect stored user logins and passwords. Many of today’s sophisticated password applications can handle the much more complex password combinations. Various algorithms (called hash functions) are used to transform the password into a “digest” that represents the data being stored. If that digest is stored in a database of user credentials, it becomes a valuable commodity to an attacker. The more computationally expensive the hash function, the longer and more difficult it is to recover the original password from the digest.
To demonstrate the weaknesses in existing data security techniques, Jeremi Gosney, founder and CEO of Seattle-based Stricture Consulting Group, built a system designed to brute-force any eight-character password typed on a standard, US-style keyboard, using any key combination, in less than six hours. Gosney demonstrated the system’s capabilities at the Passwords^12 Security Conference in Oslo in December.
The system is built on a custom design created by Amnon Barak and Amnon Shiloh at Hebrew University: a cluster of 25 graphics processors running Virtual OpenCL. This approach, Gosney tells Internet Evolution, makes the system relatively inexpensive to build and to optimize for the task at hand. It is not a commercial computer but a purpose-built system designed to crack passwords as quickly as possible.
Gosney says popular Windows password hashes, such as Microsoft’s NT LAN Manager (NTLM), can be breached far more quickly than slower schemes such as sha512crypt, which is supported by Linux distributions. The idea is not to pick on one vendor or another, he says, but to encourage everyone to support passwords that are more difficult to breach.
There are valid business reasons to be able to crack passwords, Gosney says. A system that can analyze millions of passwords quickly lets corporations audit their own users’ passwords and identify those that are easy to breach (such as 123456). Once an organization identifies easy-to-breach passwords, it can contact those users and direct them to choose more complex ones, making it harder for a less sophisticated attacker to guess logins to a corporate system.
Also, Gosney notes, users tend to reuse passwords across multiple sites: a user with a weak password probably uses that same password elsewhere. Identifying weak passwords should be part of every company’s security plan.
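The audit Gosney describes, as an added example that is not from the article or from Gosney’s system: a company holds salted, iterated digests of its users’ passwords and checks them against a short list of known-weak choices. The per-user salt and the iteration count are what make a slow scheme costlier to check (and to attack) than a single-pass hash. User names, passwords, the weak list and the round count are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed inputs for the example: a short list of known-weak passwords
# (the page's own "123456" among them) and a few made-up user records.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
ROUNDS = 2000  # deliberately low so the example runs fast; production uses far more


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA512) standing in for a slow
    scheme such as sha512crypt. Each extra round multiplies the work an
    auditor, or an attacker holding the digests, must do per guess."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)


def make_record(username: str, password: str) -> dict:
    """Build a credential record with a fresh random per-user salt."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "digest": hash_password(password, salt)}


def audit(records: list, weak_list: list) -> dict:
    """Return {username: weak_password} for every record whose digest matches
    a known-weak password. Because every record has its own salt, each
    candidate must be re-hashed per user rather than once for the whole list."""
    hits = {}
    for rec in records:
        for candidate in weak_list:
            digest = hash_password(candidate, rec["salt"])
            if hmac.compare_digest(digest, rec["digest"]):
                hits[rec["user"]] = candidate
                break
    return hits


def audit_cost(num_users: int, num_candidates: int, rounds: int = ROUNDS) -> int:
    """Worst-case number of underlying hash iterations the audit performs.
    With an unsalted single-pass hash (NTLM-style) the same check would need
    only num_candidates hash computations, which is the gap the article describes."""
    return num_users * num_candidates * rounds


if __name__ == "__main__":
    users = [make_record("alice", "123456"),
             make_record("bob", "c0rrect-H0rse!"),
             make_record("carol", "qwerty")]
    print(audit(users, WEAK_PASSWORDS))  # {'alice': '123456', 'carol': 'qwerty'}
    print(audit_cost(len(users), len(WEAK_PASSWORDS)))  # 24000
```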
You can find details of Gosney’s presentation and a technical explanation of the system here.
— Stephen Lawton is a longtime technology journalist and industry pundit.