6 members / 96 guests (24 hours)
$0.04
$0.00 (0.00%)
High: $0.00
Low: $0.00
Volume: 0

An Interesting IDB update! And how IDB got even faster.  IDB is fast, reliable, and FREE to use. Just join and start posting!

How hackers crack passwords and why you can't stop them

 

 

https://www.csoonline.com/article/3236716/authentication/how-hackers-crack-passwords-and-why-you-cant-stop-them.html#tk.twt_cso

 

Password crackers have access to more stolen passwords and better password hacking software and tools than ever before.

 

Experts agree that it's long past time for companies to stop relying on traditional passwords. They should switch to more secure access methods like multi-factor authentication (MFA), biometrics, and single sign-on (SSO) systems. According to the latest Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches involved either stolen or weak passwords.

First, let's talk about password hacking techniques. The story is different when the target is a company, an individual, or the general public, but the end result is usually the same. The hacker wins.

 

Breaking passwords from hashed password files

If all a company's passwords are cracked at once, it's usually because a password file was stolen. Some companies have lists of plain-text passwords, while security-conscious enterprises generally keep their password files in hashed form. Hashed files are used to protect passwords for domain controllers, enterprise authentication platforms like LDAP and Active Directory, and many other systems, says Brian Contos, CISO at Verodin, Inc.

These hashes, including salted hashes, are no longer very secure. Hashes scramble passwords in such a way that they can't be unscrambled again. To check if a password is valid, the login system scrambles the password a user enters and compares it to the previously hashed password already on file.

Attackers who get their hands on a hashed password file use something called "rainbow tables" to decipher the hashes using simple searches. They can also buy special-built hardware designed for password cracking, rent space from public cloud providers like Amazon or Microsoft, or build or rent botnets to do the processing.

Attackers who aren't password-cracking experts themselves can outsource. "I can rent these services for a couple of hours, couple of days, or a couple of weeks -- and usually that comes with support, as well," Contos says. "You see a lot of specialization in this space."

 

As a result, the times it takes to break hashed passwords, even ones previously thought of as secure, is no longer millions of years. "Based on my experience of how people create passwords, you'll usually crack 80 to 90 percent in less than 24 hours," he says. "Given enough time and resources, you can crack any password. The difference is whether it takes hours, days, or weeks."

This is especially true of any password that is created by humans, instead of randomly generated by computer. A longer password, such as a passphrase, is good practice when users need something they can remember, he says, but it's no replacement for strong MFA.

 

Stolen hash files are particularly vulnerable because all the work is done on the attacker's computer. There's no need to send a trial password to a website or application to see if it works.

"We at Coalfire Labs prefer Hashcat and have a dedicated cracking machine supplemented with multiple graphics processing units that are used to crunch those password lists through the cryptographic hashing algorithms," says Justin Angel, security researcher at Coalfire Labs. "It isn’t uncommon for us to recover thousands of passwords overnight using this approach."

Botnets enable mass-market attacks

For attacks against large public sites, attackers use botnets to try out different combinations of logins and passwords. They use lists of login credentials stolen from other sites and lists of passwords that people commonly use.

According to Philip Lieberman, president at Lieberman Software Corp., these lists are available for free, or at low cost, and include login information on about 40 percent of all internet users. "Past breaches of companies like Yahoo have created massive databases that criminals can use," he says.

Often, those passwords stay valid for a long time. "Even post-breach, many users will not change their already breached password," says Roman Blachman, CTO at Preempt Security.

Say, for example, a hacker wants to get into bank accounts. Logging into the same account several times will trigger alerts, lock-outs, or other security measures. So, they start with a giant list of known email address and then grab a list of the most common passwords that people use, says Lance Cottrell, chief scientist at Ntrepid Corp. "They try logging into every single one of the email addresses with the most common password," he says. "So each account only gets one failure."

 

They wait a couple of days and then try each of those email address with the next most common password. "They can use their botnet of a million compromised computers, so the target website doesn't see all the attempts coming in from a single source, either," he added.

The industry is beginning to address the problem. The use of third-party authentication services like LinkedIn, Facebook, or Google helps reduce the number of passwords that users have to remember. Two-factor authentication (2FA) is becoming common with the major cloud vendors as well with financial services sites and major retailers.

Standards setting bodies are stepping up, as well, says James Bettke, security researcher at SecureWorks. In June, NIST released a set of updated Digital Identity Guidelines that specifically address the issue. "It acknowledges that password complexity requirements and periodic resets actually lead to weaker passwords," he says. "Password fatigue causes users to reuse passwords and recycle predictable patterns."

The FIDO alliance is also working to promote strong authentication standards, says Michael Magrath, director of global regulations and standards at VASCO Data Security. "Static passwords are not safe nor are they secure," he says.

In addition to the standards, there are also new "frictionless" technologies such as behavioral biometrics and facial recognition that can help improve security on consumer websites and mobile apps.

 

Is your password already stolen?

To target an individual, attackers check if that user's credentials have already been stolen from other sites on the likely chance that the same password, or a similar password, was used. "The LinkedIn breach a few years back is a good example," says Gary Weiss, senior vice president and general manager for security, analytics, and discovery at OpenText Corp. "Hackers nabbed Mark Zuckerberg’s LinkedIn password and were able to access other platforms because he apparently re-used it across other social media."

The average person has 150 accounts that require passwords, according to research from Dashlane, a company that offers a password management tool. That's too many passwords to remember, so most people use just one or two passwords, with some simple variations. That's a problem.

"There is a common misconception asserting that if you have one very complicated password, you can use it everywhere and remain protected," says Emmanuel Schalit, CEO at Dashlane Inc. "This is categorically false. Hacks are reported after it is too late, at which point your one very complicated password is already compromised, and so is all of your information." (You can see if your password-protected accounts have been compromised at have I been pwned?.)

 

rest of the article is at the link-