Why do hackers crack our passwords so easily?

Cracking user passwords is one of the most common crimes on the network, far ahead of DoS attacks and botnet building. Why are hackers able to recover passwords so easily? The answer is the notorious human factor.

The biggest reason is that we subconsciously choose passwords that are hard for a stranger to guess or remember, but that an ordinary personal computer works out "in no time". Let's talk about how hackers actually recover passwords, and how to fight back.

In March 2013 the well-known American online magazine Ars Technica conducted an interesting experiment. Its editor Nate Anderson, who had never cracked a password before, armed himself with freely downloadable software, the RockYou password list (the largest leaked database of recent years, found on the web within seconds), and a list of 16,449 MD5 hashes posted on a dedicated forum. In a few short hours he cracked slightly less than half of them, recovering about eight thousand user passwords in plain text.

Remember that before this Anderson had never cracked a password. Impressed by his success, in May 2013 the editors of Ars Technica repeated the experiment with the same list of MD5 hashes, but with three professional crackers. This time the results were even more devastating.

The most passwords were recovered by Jeremi Gosney of Stricture Consulting Group. Using an ordinary off-the-shelf AMD-based computer with a Radeon 7970, in twenty hours he cracked 14,734 passwords, i.e. 90% of the list. Second place went to Jens Steube, lead developer of the free oclHashcat-plus software, which is designed, of course, for cracking passwords: on a slightly more powerful machine with two Radeon 6990 graphics cards, he needed just over an hour to recover 13,486 hashes, i.e. 82% of the list. A third cracker, working under the pseudonym radix, recovered 62% of the passwords in the same hour, and also described his actions in detail.

How do the experts crack hashes, and why are user passwords so easy to recover?

First the "simple" passwords are cracked, which takes the least time; then, as in any computer game, the cracker moves on to higher levels that demand much more time and special skills.

To begin with, guessing runs by "brute force", which recovers more than half of all passwords of six or fewer characters drawn from an alphabet of 26 letters in upper and lower case, 10 digits and 33 other symbols, 95 characters in all. That gives a fairly modest number of combinations, which an average desktop can enumerate in minutes. This applies to every account, by the way: not only social networks, but any resource protected by a password. For example, if you have installed mods for Minecraft to make the game more interesting and exciting, and would hate to see it ruined, bear in mind that there may be people willing to break into your account to look at, or wreck, your creation. In other words, use complex passwords for any information you would like to keep hidden.

Lengthening a password by just one or two characters radically increases the number of options, and an exhaustive search of all combinations will take several days. Experts therefore narrow the search, for example to passwords of only lowercase letters up to 8 characters long, and to all-digit passwords up to 12 characters. "Brute force" with these parameters recovers a significant percentage of long passwords.
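
The arithmetic behind the paragraphs above, as an added example that is not part of the original article: it sizes the search spaces the article describes (the 95-character alphabet up to six characters, the lowercase-only and digits-only masks, and the 11-12 character recommendation made later) at the roughly 8 billion guesses per second the article quotes for a Radeon HD7970. The guess rate and the mask list are the only assumptions.

```python
# Added example (not from the article): brute-force budgets for the article's masks.
import string

# Character classes as the article counts them: 52 letters + 10 digits + 33 other
# symbols (32 punctuation marks plus the space) = 95 printable characters.
ALPHABET_SIZES = {
    "lowercase": len(string.ascii_lowercase),                       # 26
    "digits": len(string.digits),                                   # 10
    "full": len(string.ascii_letters) + len(string.digits)
            + len(string.punctuation) + 1,                          # 95
}
GUESSES_PER_SECOND = 8e9   # figure the article gives for one Radeon HD7970


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidates of every length from min_len to max_len (inclusive)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, max_len: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate up to max_len at the given rate."""
    return keyspace(alphabet_size, max_len) / rate


def describe(seconds: float) -> str:
    """Human-readable duration, largest sensible unit, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Masks discussed in the article plus the 12-character recommendation.
MASKS = [
    ("full alphabet, up to 6 chars", "full", 6),
    ("full alphabet, up to 7 chars", "full", 7),
    ("full alphabet, up to 8 chars", "full", 8),
    ("lowercase only, up to 8 chars", "lowercase", 8),
    ("digits only, up to 12 chars", "digits", 12),
    ("full alphabet, up to 12 chars", "full", 12),
]

if __name__ == "__main__":
    for label, cls, length in MASKS:
        t = seconds_to_exhaust(ALPHABET_SIZES[cls], length)
        print(f"{label:32s} {keyspace(ALPHABET_SIZES[cls], length):>26,d}  {describe(t)}")
```

Six characters over the full alphabet fall in about a minute and a half, eight characters take just over a week, and twelve characters take millions of years, which is why the article's closing advice lands at 11-12 characters.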

Brute-forcing more complex passwords is impractical, since it can drag on for years, so here the cracker switches to specially compiled wordlists built from real user passwords that have "surfaced" in various leaks. For example, the largest database of English-language passwords in recent years was "provided" to hackers by the site RockYou in December 2009. Through a trivial SQL injection, attackers took over a database of more than 32 million users, including logins, passwords and other information, all in plain text. The RockYou database was immediately added to every cracking "dictionary", and these dictionaries have since been replenished repeatedly by new leaks, including the 2012 breach of the social network LinkedIn, which "leaked" another 6.5 million password hashes.

Databases like RockYou or LinkedIn are particularly valuable because they contain real user passwords, not arbitrary combinations. To derive variations there are special substitution and selection rules that yield even more candidate passwords. And if you analyse the theme of the site and the interests and professions of its users, you can add still more refined algorithms with site-specific templates and masks.

Most popular user passwords from the RockYou database

Interestingly, users of large public sites, above all social networks, rarely bother to invent complex passwords, naively believing that the information they put there is of little interest to attackers. Of the 32 million RockYou passwords, 290,000 were the all-too-familiar "123456", and tens of thousands more were similar strings with a different number of digits. Finally, many people reuse the same password across different services, and when a password is cracked on one site, not everyone goes on to change it everywhere else. Dictionary guessing therefore remains one of the most powerful and effective cracking techniques, recovering by various estimates up to 60-70% of user passwords on any public site.

To crack the remaining passwords, hybrid attacks are used, combining elements of "brute force" with dictionary guessing. For example, when choosing a password, some people prefer to take one of their old 7-8 character passwords and add one or two digits at the beginning or end. Clearly such passwords no longer stand up to scrutiny. These "usual" ways of "improving" old passwords are well known to professionals, so the patterns add nothing to their resistance.
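
A defender-side check for exactly the habit described above, added here as an example and not taken from the article: it strips the one or two digits people bolt onto the front or back of an old password, undoes the common letter-for-symbol substitutions mentioned earlier, and reports whether what is left is a word from a leaked list. The six-word leaked list is a constructed stand-in; a real one holds millions of entries.

```python
# Added example (not from the article): does a password reduce to "leaked word + digits"?

# Constructed stand-in for a wordlist built from leaks such as RockYou.
LEAKED = {"password", "iloveyou", "princess", "sunshine", "football", "monkey"}

# Substitutions that cracking rules undo: p@ssw0rd -> password, etc.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def weak_pattern(password: str, wordlist: set = LEAKED):
    """Return a description of the hybrid pattern the password matches, or None.

    Tries every split of the form [0-2 leading digits][core][0-2 trailing digits]
    and matches the core, case-folded and with substitutions undone, against
    the leaked wordlist.
    """
    n = len(password)
    for lead in range(0, 3):
        for trail in range(0, 3):
            if lead + trail >= n:
                continue
            head, core, tail = password[:lead], password[lead:n - trail], password[n - trail:]
            if (head and not head.isdigit()) or (tail and not tail.isdigit()):
                continue
            lowered = core.lower()
            candidates = [lowered]
            if lowered.translate(LEET) != lowered:
                candidates.append(lowered.translate(LEET))
            for cand in candidates:
                if cand in wordlist:
                    how = []
                    if head:
                        how.append(f"{len(head)} leading digit(s)")
                    if tail:
                        how.append(f"{len(tail)} trailing digit(s)")
                    if cand != lowered:
                        how.append("character substitutions")
                    return f"dictionary word '{cand}'" + (" + " + ", ".join(how) if how else "")
    return None


if __name__ == "__main__":
    for pw in ("sunshine12", "07football", "P@ssw0rd1", "123456", "Tq9#vL2m!xZe"):
        print(f"{pw:14s} -> {weak_pattern(pw)}")
```

A password that comes back with a description is one a hybrid attack would reach almost as fast as the bare dictionary word; a None result only means this particular pattern was not found, not that the password is strong.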

Another type of hybrid attack combines "brute force" with a statistical method based on Markov chains, which uses what has been learned about the passwords already recovered for a particular site to predict the likely passwords of its other users.
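
The idea behind the Markov approach, turned into a strength meter as an added example that is not part of the article: a character-bigram model is trained on passwords already recovered for a site (here a constructed list), and a candidate password is scored by how probable the model finds it. Passwords the site's own statistics make predictable score high and should be rejected; the training list, the smoothing and the alphabet size of 96 (the 95 printable characters plus an end marker) are assumptions.

```python
# Added example (not from the article): bigram Markov model over already-cracked passwords.
import math
from collections import Counter, defaultdict

START, END = "^", "$"          # sentinels so first/last characters are modelled too
ALPHABET = 96                  # 95 printable characters + the END marker, for smoothing

# Constructed stand-in for passwords already recovered from one site.
CRACKED = ["password", "password1", "princess", "iloveyou",
           "sunshine", "football", "123456", "12345678"]


def train(passwords):
    """Count character transitions: model[a][b] = times b followed a."""
    model = defaultdict(Counter)
    for pw in passwords:
        seq = START + pw + END
        for a, b in zip(seq, seq[1:]):
            model[a][b] += 1
    return model


def log2_prob(password: str, model) -> float:
    """log2 P(password) under the bigram model, add-one smoothed so unseen
    transitions stay finite instead of zeroing the whole product."""
    total = 0.0
    seq = START + password + END
    for a, b in zip(seq, seq[1:]):
        row = model.get(a, Counter())
        total += math.log2((row[b] + 1) / (sum(row.values()) + ALPHABET))
    return total


def guess_estimate(password: str, model) -> float:
    """Rough number of guesses a Markov-ordered search needs: 1 / P(password)."""
    return 2.0 ** (-log2_prob(password, model))


def too_predictable(password: str, model, max_log2: float = -56.0) -> bool:
    """Reject passwords the site's own cracked-password statistics find likely.
    The threshold is an assumption; tune it on the real training data."""
    return log2_prob(password, model) > max_log2


if __name__ == "__main__":
    m = train(CRACKED)
    for pw in ("password2", "princess1", "Tq9#vL2m"):
        print(f"{pw:10s} log2 P = {log2_prob(pw, m):7.1f}  "
              f"~{guess_estimate(pw, m):.2e} guesses  reject={too_predictable(pw, m)}")
```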

Hybrid attacks in their various forms, as well as "individually" tuned masks and templates, can take a considerable amount of time, but in the end they can recover up to 100% of the passwords for a particular site (on average, 60 to 90%). And given that more than two-thirds of user passwords are cracked by simple means within a few hours, providing useful data for further analysis, a talented professional can reduce the total cracking time to a reasonable minimum.

Why do hackers crack user passwords so simply and quickly? First of all, because passwords are invented by people. Our usual patterns and habits are well known to professionals, and modern technology, in particular ordinary "household" graphics accelerators, can enumerate all possible combinations quickly: a Radeon HD7970, for example, can try more than 8,000,000,000 candidates per second.

For industrial use it is therefore recommended to employ specialised password generators whose algorithms produce no detectable patterns and rule out "brute force" cracking within any reasonable time, by the end of which the passwords will already have been replaced by new ones.

Finally, another reason is that not all public sites really care about the security of user passwords, and the algorithms used for hashing are quite simple, chosen to keep the load on the servers low. Even some big sites still use the sadly well-worn SHA1 algorithm, without even strengthening it by adding a "salt", that is, a unique set of bits combined with each password before hashing.
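
What the salt changes, as an added example that is not from the article: with plain SHA1, every one of the 290,000 RockYou users who chose "123456" would have had the very same hash, so cracking one entry cracks them all, while a per-user salt gives each of them a different hash. The example goes one step beyond the article by also showing the hardened form (random salt plus a deliberately slow PBKDF2) beside the weak one; the user list is constructed and the iteration count is an assumption.

```python
# Added example (not from the article): unsalted SHA1 vs salted vs slow salted hashing.
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 200_000   # assumption; raise as hardware gets faster


def sha1_unsalted(password: str) -> str:
    """The weak scheme the article criticises: one SHA1 of the password, nothing else."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA1 over salt + password: identical passwords no longer share a hash."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def largest_shared_hash_group(passwords) -> int:
    """How many users the single most common unsalted hash unlocks at once."""
    return max(Counter(sha1_unsalted(p) for p in passwords).values())


def store(password: str) -> dict:
    """Hardened form: fresh 16-byte random salt and a slow key-derivation function,
    so each hash must be attacked separately and each guess costs real time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed user table: four people picked the article's favourite password.
    users = ["123456", "123456", "123456", "123456", "sunshine", "Tq9#vL2m!xZe"]
    print("unsalted SHA1 of 123456:", sha1_unsalted("123456"))
    print("users unlocked by cracking that one hash:", largest_shared_hash_group(users))
    s1, s2 = os.urandom(16), os.urandom(16)
    print("salted, same password, two users differ:", sha1_salted("123456", s1) != sha1_salted("123456", s2))
    rec = store("123456")
    print("verify correct:", verify("123456", rec), " verify wrong:", verify("1234567", rec))
```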

After all this, the password strength "checker" on Intel's dedicated website provokes fits of laughter when it reports 6 years to crack the password BandGeek2014, which a professional would recover in an hour at worst.

How can you protect yourself against password cracking? With any guarantee, you can't. The most common recommendations involve passwords of at least 11-12 characters that include letters in both cases, digits and other symbols. At the same time, the password should show no obvious pattern, which already makes the task nearly impossible for a human. You can use automatic password generators, but the very fact that they are written by strangers raises some doubts. And finally, do not use the same password on different sites, and change them as often as possible, so that the cracking of one minor account of yours does not lead to the theft of sensitive data from another. All in all, life is getting harder and harder.

