May 31, 2017, 11:47 a.m.
IT | Security in IT

Passwords Passwords Passwords!

Joke aside, I recently had to respond to some comments about password strength checkers and revisited an old blog entry I made back in 2012. What interested me, was that in 2012 my relatively high end rig managed an average of 925 million hashes per second:

Speed........: 924.0M c/s Real, 929.7M c/s GPU

That meant I could brute force any 6 character password within 13 minutes. On my latest rig I checked again and what a difference 5 years made (not that my system is optimised for password cracking):

Speed.Dev.#*.....: 54730.4 MH/s

My password cracking ability increased almost 60 times in 5 years. That means I can now crack any 7 character password in about 15 minutes. So 5 years dropped 1 character off a password for the same brute force crack time. Look:

b6a8207cfd1e8c71c17fa48919814195:z^4AQF,

Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: b6a8207cfd1e8c71c17fa48919814195
Time.Started.....: Wed May 31 10:27:33 2017 (15 mins, 21 secs)
Time.Estimated...: Wed May 31 10:42:54 2017 (0 secs)
Input.Mask.......: ?a?a?a?a?a?a?a [7]
Input.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 26541.6 MH/s (62.96ms)
Speed.Dev.#2.....: 28188.7 MH/s (62.48ms)
Speed.Dev.#*.....: 54730.4 MH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 50727552024576/69833729609375 (72.64%)
Rejected.........: 0/50727552024576 (0.00%)
Restore.Point....: 51380224/81450625 (63.08%)
Candidates.#1....: yS,h+j& -> /(X>n*N
Candidates.#2....: 5|f\kS* -> @;h d/;
HWMon.Dev.#1.....: Temp: 75c Fan: 90% Util: 91% Core:1835MHz Mem:5151MHz Lanes:16
HWMon.Dev.#2.....: Temp: 75c Fan: 74% Util:100% Core:1847MHz Mem:5151MHz Lanes:16

How long does it take to crack an 8 character password via brute force? A measly 1 day 7 hours:

Session..........: hashcat
Status...........: Running
Hash.Type........: MD5
Hash.Target......: acd455c44d2afc85cffad2d6af86312b
Time.Started.....: Wed May 31 11:24:58 2017 (11 secs)
Time.Estimated...: Thu Jun 01 18:26:55 2017 (1 day, 7 hours)
Input.Mask.......: ?a?a?a?a?a?a?a?a [8]
Input.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 29491.1 MH/s (61.53ms)
Speed.Dev.#2.....: 29892.1 MH/s (60.19ms)
Speed.Dev.#*.....: 59383.2 MH/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 687731638272/6634204312890625 (0.01%)
Rejected.........: 0/687731638272 (0.00%)
Restore.Point....: 0/7737809375 (0.00%)
Candidates.#1....: `7manane -> eLa&%ene
Candidates.#2....: !vbQywin -> cUBDNn23
HWMon.Dev.#1.....: Temp: 60c Fan: 33% Util:100% Core:1822MHz Mem:5151MHz Lanes:16
HWMon.Dev.#2.....: Temp: 50c Fan: 41% Util: 97% Core:1885MHz Mem:5151MHz Lanes:16

This is important as there are many sites still recommending a minimum password length of 8 characters. Even NIST recommends that:

Accordingly, at LOA2, SP 800-63-2 permitted the use of randomly generated PINs with 6 or more digits while requiring user-chosen memorized secrets to be a minimum of 8 characters long

Even though brute force password cracking is not how password crackers break passwords (they use a combination of brute force, dictionary attacks, word list permutations, l33t substitution and previously broken password lists), the one benefit brute force has is that it guarantees a cracked password of a given length within a maximum amount of time. For 8 character passwords on my rig, I can crack it guaranteed within 1 day 7 hours maximum, though on average it will take me 15.5 hours.

8 character passwords are just not safe. My point is that anybody can crack your password in less than a day if it is 8 characters long - no matter how random it is. You do not need super expensive hardware or rent Amazon EC2 nodes. And in 5 years they can use the same cost hardware to crack a 9 character password in 1 day assuming Moore's law continues.

I must admit - I am simplifying somewhat here. I assumed the password hash is stored as an MD5 hash. This is unfortunately true for the majority of sites as they have never updated to the newer SHA1 standard, which is now obsolete as it is insecure too. If a site uses something strong like PBKDF2 and multiple rounds of encryption (say 1000), then my rig will NOT even come close to 55 billion hashes per second.

My recommendation still stands: Pick a minimum length of 12 characters, preferably totally random, use a unique password per site / account and use a password manager to remember your passwords.