Reports of mass password leaks are almost a commonplace event. In the past year, passwords from the social media platform Gab, network vendor Ubiquiti, Indian stock trading site Upstox, guitar forum Chordie, dating site Manhunt, TV service Pluto TV, adult cam site CAM4 and beer site BeerAdvocate have been stolen or leaked on the internet – joining the more than 500 million leaked passwords catalogued on Have I Been Pwned? Even the webcomic XKCD, which hosted an oft-quoted cartoon extolling the virtues of stronger passwords, has been the victim of a password breach on its forum.
Fortunately, none of those are financial services or mainstream consumer or retail websites, although these have been breached in the past. And because users frequently re-use passwords across different websites, such breaches compromise the security of those users on every website where they may have used the same password.
To understand how these attacks work, it helps to understand how passwords are stored in computer systems. Because anyone who obtains a user's password can effectively impersonate that user (by logging in as them), it is important that passwords are stored in a way that protects them. Passwords should never be stored in "plain-text", as they might then be visible to system support staff, as well as being vulnerable in the event of the website itself being hacked.
Hashing vs Encryption
One approach would be to encrypt the passwords before storing them. However, this would mean that anyone with access to the encryption key used could potentially decrypt all the passwords and thus gain access to all the accounts. Since the key used for encryption would need to be held within the system, anyone who gains access to the encrypted passwords (whether they be a rogue system administrator or an external attacker who manages to break into the system) has a pretty good chance of also being able to access the encryption key.
Instead, passwords are normally stored as a "one-way cryptographic hash" – a mathematical construct which has the following properties:
- Given a candidate password, it is easy to calculate its hash and then compare it with the stored hash.
- The hashes are guaranteed to match if the candidate password matches the original password from which the stored hash was calculated.
- The chance of the hashes matching if the candidate and original passwords differ is vanishingly small – even if we used all the computers in the world, full time, at full power to try to find such a "false match", it would still take billions of years.
- Given the hash, it is exceedingly hard (in practical terms, impossible) to directly determine the password (without resorting to guessing or trying every possible password in turn).
The "one-way" nature of the hash means that, even if security weaknesses in websites' code make it possible for the attacker to get access to these hashes, they cannot simply "un-encrypt" the file to recover all the passwords.
However, the attacker can still work in the other direction – guessing passwords, then generating the corresponding hash and checking whether it matches one of the stolen password hashes. That is a much slower process – but once the attacker has the password hash file, they can use their own computers to attempt to guess the passwords, working methodically through candidates. Programs such as John the Ripper and hashcat automate this process, using a combination of dictionaries of common words and phrases, password transformation rules and brute force iteration.
How long it takes to guess depends on the specific hash algorithm chosen, and on the speed of (and number of) computers the attacker can apply to the problem.
With a single computer, built from commodity parts and costing less than £5,000, an attacker can try up to ~50 billion password guesses per second, depending on the hash algorithm chosen by the website.
A completely random 8 character alphanumeric password (such as "iKJyF47z") has about 200 thousand billion possible combinations – and with a typical weak hash would take, on average, less than an hour to crack on such a machine.
The very best hash algorithms are designed to make the process as slow as possible for the attacker, limiting them to perhaps 1 million or fewer password guesses per second. If a stronger hash algorithm had been used, it could have taken 50,000 times longer – i.e. several years – to crack that password. Unfortunately, not all websites use a strong hash algorithm, and attackers will focus on the easiest targets. It is no surprise that the password leaks that are reported are normally from websites which used an older or weaker hash.
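As an added illustration (not code from the original article), the sketch below stores and verifies a password with scrypt, one deliberately slow hash available in Python's standard library, and measures how many hashes per second the local machine manages compared with a single SHA-256. The choice of scrypt, its cost parameters and the per-user random salt are assumptions of this example; the article does not name specific algorithms.

```python
import hashlib
import hmac
import os
import time

# Assumed scrypt cost parameters (about 16 MiB of memory per hash).
N, R, P = 2**14, 8, 1

def fast_hash(password: str) -> bytes:
    """Weak choice: one unsalted SHA-256, designed for speed, not for passwords."""
    return hashlib.sha256(password.encode()).digest()

def slow_hash(password: str, salt: bytes) -> bytes:
    """Stronger choice: scrypt makes every guess cost real time and memory."""
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                          maxmem=64 * 1024 * 1024, dklen=32)

def enroll(password: str):
    """Return (salt, hash) for storage; the password itself is never stored."""
    salt = os.urandom(16)  # random per-user salt: equal passwords get different hashes
    return salt, slow_hash(password, salt)

def verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the candidate and compare in constant time."""
    return hmac.compare_digest(slow_hash(candidate, salt), stored)

def hashes_per_second(fn, budget: float = 0.5) -> float:
    """Call fn repeatedly for about `budget` seconds and return the achieved rate."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        fn()
        count += 1
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    salt, stored = enroll("iKJyF47z")  # sample password taken from the article
    print("correct password accepted:", verify("iKJyF47z", salt, stored))
    print("wrong password accepted:  ", verify("iKJyF47Z", salt, stored))
    fast = hashes_per_second(lambda: fast_hash("iKJyF47z"))
    slow = hashes_per_second(lambda: slow_hash("iKJyF47z", salt))
    print(f"SHA-256: {fast:,.0f}/s  scrypt: {slow:,.0f}/s  ratio: {fast / slow:,.0f}x")
```

The same ratio applies to anyone guessing offline against a stolen hash file, which is why the choice of algorithm matters more than the secrecy of the file.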
Longer Is Better
A 3-word "diceware"-style passphrase – as recommended by the UK's NCSC just this month – is vulnerable to these offline attacks. While “RedPantsTree” is undoubtedly stronger than using a pet’s name or favourite football team, it could be brute forced relatively easily: assuming that the individual words are chosen from the most common 10,000 or so English words, and with a digit and symbol appended, there are "only" a few trillion combinations, which could all be tried in just a few minutes.
While attackers will certainly try simpler passwords first, after they’ve picked that low-hanging fruit, 2 and 3 word passphrases are likely to be next in line to be cracked. Passphrases really need to be at least 4 words long, and ideally 5, 6 or more words long (e.g. "stowaway marsupial extent silver bullseye talisman") to be secure against such brute-forcing attacks.
Forget Your Password
Even a 10 character random alphanumeric password (probably near the practical limit to impose on users who don't have a password manager) in theory would take several months to crack – this year, at least. Hashing rates, measured in billions of guesses per second per £ spent, typically double every year or so. Next year (or for an attacker with more than £5,000 to spend) it might take just a few weeks, and it may not be long before even a 10 character random password can be cracked in days or hours.
Requiring a punctuation symbol in addition to letters and numbers increases the complexity somewhat – but it is just staving off the inevitable. In any case, many users will still pick a password like "Gr4p3fru1t42!", which can be cracked in less than a second on that same £5,000 computer.
Realistically, the only passwords which are safe from this sort of attack are long (15+ character) randomly generated passwords such as those generated by password managers (“keiva-g29dj-vu2ns”).
Perhaps more importantly, with a password manager you can easily use a unique password for each site. Even if (when) a site you use is hacked and password hashes are leaked, you can relax, knowing only that one account may be compromised, and that your email, savings and investments, shopping and social media accounts are safe.
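The arithmetic behind the figures above, as an added example that is not part of the original article: it computes the keyspace and average crack time for the article's scenarios at its two guess rates, and goes one step further by solving for the crack time when the guess rate doubles every year. The scenario list and the 36-symbol alphabet for the 15-character case are assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
FAST_RATE = 50e9  # guesses/s: the article's figure for a weak hash on a ~£5,000 machine
SLOW_RATE = 1e6   # guesses/s: the article's figure for a deliberately slow hash

def keyspace(choices: int, picks: int) -> int:
    """Number of equally likely secrets made of `picks` independent random choices."""
    return choices ** picks

def avg_crack_seconds(space: int, rate: float) -> float:
    """Expected time at a constant guess rate (on average half the space is tried)."""
    return (space / 2) / rate

def avg_crack_years_doubling(space: int, rate: float) -> float:
    """Expected time in years if the guess rate doubles every year.

    Guesses made after T years are rate * Y * (2**T - 1) / ln(2); solve for space / 2.
    """
    return math.log2(1 + (space / 2) * math.log(2) / (rate * SECONDS_PER_YEAR))

def human(seconds: float) -> str:
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

# Constructed scenarios; the 36-symbol alphabet for the 15-character case is an assumption.
SCENARIOS = {
    "8 random alphanumeric characters": keyspace(62, 8),
    "10 random alphanumeric characters": keyspace(62, 10),
    "3 random words from a 10,000-word list": keyspace(10_000, 3),
    "6 random words from a 10,000-word list": keyspace(10_000, 6),
    "15 random lowercase letters and digits": keyspace(36, 15),
}

def report():
    """One row per scenario: name, bits, weak hash, slow hash, weak hash with doubling."""
    return [(name, round(math.log2(space), 1),
             human(avg_crack_seconds(space, FAST_RATE)),
             human(avg_crack_seconds(space, SLOW_RATE)),
             f"{avg_crack_years_doubling(space, FAST_RATE):.2f} years")
            for name, space in SCENARIOS.items()]

if __name__ == "__main__":
    for row in report():
        print(" | ".join(str(col) for col in row))
```

The estimates hold only for secrets chosen uniformly at random; human-chosen passwords fall to dictionary and rule-based guessing long before the keyspace is exhausted.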