Thursday, May 30, 2013

Are your 16-character passwords REALLY safe?

According to an article in the UK’s Daily Mail, hackers can crack your 16-character passwords in less than an HOUR

The picture from the article shows "a 25-computer cluster that can crack passwords by making 350 billion guesses per second. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords."

So if you still want complete protection, what’s the answer? I'm working on it. Stay tuned!

4 comments:

  1. Well - the article doesn't actually say any random 16 character password can be cracked in an hour. It says that this guy was able to uncover plaintext from hashed text. That's a big difference.

    Additionally - remember that most systems (websites) won't allow 'millions' of attempts. They almost always require delayed repeated attempts and many lock an account out after a few failed attempts in a short time.

    Good (random) passwords of 16 characters are still plenty secure...

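The throttling behaviour comment 1 refers to (delays between attempts and lockout after a few failures), as an added example that is not part of the post or of the comment: a small login-throttling policy in Python, run against a constructed attacker that retries the moment the policy permits. The parameter values (5 failures in a 5-minute window, a doubling delay, a 15-minute lockout) and all function names are assumptions chosen for illustration, not any real system's settings.

```python
"""Added example (not part of the post or its comments): a minimal online
login-throttling policy of the kind comment 1 describes, run against a
constructed attacker who guesses as fast as the policy allows.
All parameter values and names are assumptions chosen for illustration."""
from dataclasses import dataclass, field

MAX_FAILURES = 5          # assumption: lock the account after 5 failures...
WINDOW_SECONDS = 300      # ...within a 5-minute sliding window
LOCKOUT_SECONDS = 900     # assumption: 15-minute lockout once the limit is hit
BASE_DELAY_SECONDS = 1    # assumption: mandatory delay doubles per failure


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: int = 0                         # attempts before this are refused


def evaluate_attempt(state, ts, success):
    """Apply one login attempt at time ts (seconds).

    Returns (processed, wait): processed is False when the account is locked
    and the password was not even checked; wait is the number of seconds the
    client must wait before the next attempt will be processed."""
    if ts < state.locked_until:
        return False, state.locked_until - ts
    # Forget failures that fell out of the sliding window.
    state.failures = [t for t in state.failures if ts - t < WINDOW_SECONDS]
    if success:
        state.failures.clear()
        return True, 0
    state.failures.append(ts)
    if len(state.failures) >= MAX_FAILURES:
        state.locked_until = ts + LOCKOUT_SECONDS
        state.failures.clear()
        return True, LOCKOUT_SECONDS
    return True, BASE_DELAY_SECONDS * 2 ** (len(state.failures) - 1)


def guesses_processed(duration_seconds):
    """Count how many wrong passwords a constructed attacker gets checked in
    duration_seconds when it retries the moment the policy permits."""
    state, ts, processed = AccountState(), 0, 0
    while ts < duration_seconds:
        ok, wait = evaluate_attempt(state, ts, success=False)
        processed += ok
        ts += wait
    return processed


if __name__ == "__main__":
    per_hour = guesses_processed(3600)
    print(f"online guesses checked per hour: {per_hour}")
    print(f"offline guesses per hour at 350e9/s: {350e9 * 3600:.2e}")
```

With these settings the online attacker gets 20 password checks per hour against one account, which is the contrast comment 1 draws with the cluster's offline rate; the policy only helps when the hashes themselves have not been stolen.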
  2. It's not as bad as it may seem. These passwords were discovered in a cryptologically weak system. (https://www.grc.com/sn/sn-406.txt) The take-away from this is that you must use a different password for everything. This isn't so bad if you use a password manager such as LastPass.

  3. Not everybody has a "25-computer cluster".

  4. I would not worry. As stated in the caption of the article, this pertains to:

    "A 25-computer cluster that can crack passwords by making 350 billion guesses per second. It was unveiled in December by Jeremi Gosney, the founder and CEO of Stricture Consulting Group. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords"

    The Windows password protocol is notoriously insecure and many programs on the Internet can crack it easily using rainbow tables. The main vulnerabilities of the password protocol in Windows are:

    1. lower case characters in the passwords are mapped into upper case characters, so the number of symbols that can be put in any position is quite small. For example aB is the same as AB, so one may as well use only upper case symbols.

    2. There are not truly passwords of 16 characters but 2 passwords of 8 characters, which is really not that much different in terms of security from having a single password of 8 characters.

    3. No cryptographic salt (http://en.wikipedia.org/wiki/Salt_(cryptography)) was used in Windows passwords. http://www.network-admin.net/?p=65

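The three weaknesses listed in comment 4 (case folding, independent halves, no salt), worked through as an added example that is not part of the post or of the comments. The keyspace arithmetic uses the comment's own figures (16 characters split into two 8-character pieces, 95 printable ASCII symbols per position, the post's 350 billion guesses per second); the hashing part uses SHA-256 as a stand-in for the actual Windows hash, since the point being shown is what salting does to a precomputed lookup table, not the specific algorithm. The word list, salts and user records are constructed for this demonstration, and every function name is an assumption.

```python
"""Added example (not from the post or its comments): the effect of the three
weaknesses in comment 4. SHA-256 stands in for the real Windows hash function
(assumption: the point is salting and keyspace, not the specific algorithm).
Word list, salts and user records are constructed for this demonstration."""
import hashlib
import math
import os

PRINTABLE = 95               # printable ASCII symbols available per position
GUESSES_PER_SECOND = 350e9   # cluster speed quoted in the post


def effective_keyspace(length, case_fold=False, split=None):
    """Number of guesses needed to exhaust a password scheme.

    case_fold: lower case folded into upper case, so 26 fewer symbols per position.
    split:     hash computed over independent chunks of this size; each chunk is
               attacked on its own, so the chunk costs add instead of multiply."""
    alphabet = PRINTABLE - 26 if case_fold else PRINTABLE
    if split is None:
        return alphabet ** length
    chunks = math.ceil(length / split)
    return chunks * alphabet ** split


def seconds_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole keyspace at the given guess rate."""
    return keyspace / rate


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    # The per-user salt is mixed in before hashing, so identical passwords
    # produce different hashes and no table built without the salt matches.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precomputed map from unsalted hash back to password (what a rainbow
    table gives the attacker, in its simplest form)."""
    return {unsalted_hash(w): w for w in wordlist}


def recover(stored_hash, table):
    return table.get(stored_hash)


def demo():
    wordlist = ["Summer2013", "Password1", "letmein", "qwerty"]  # constructed
    table = build_lookup_table(wordlist)
    # Two constructed users who chose the same password.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    unsalted_a, unsalted_b = unsalted_hash("Summer2013"), unsalted_hash("Summer2013")
    salted_a, salted_b = salted_hash("Summer2013", salt_a), salted_hash("Summer2013", salt_b)
    return {
        "unsalted_recovered": recover(unsalted_a, table),   # "Summer2013"
        "salted_recovered": recover(salted_a, table),       # None
        "unsalted_hashes_equal": unsalted_a == unsalted_b,  # True: visible reuse
        "salted_hashes_equal": salted_a == salted_b,        # False
    }


if __name__ == "__main__":
    strong = effective_keyspace(16)
    weak = effective_keyspace(16, case_fold=True, split=8)
    print(f"95^16 keyspace: {seconds_to_exhaust(strong):.2e} s")
    print(f"case-folded, two 8-char halves: {seconds_to_exhaust(weak):.0f} s")
    print(demo())
```

Run stand-alone, the arithmetic shows the contrast comment 4 is making: a genuine 16-character keyspace is far out of reach at the quoted rate, while the case-folded, split scheme falls in under an hour, and the unsalted table recovers the password (and exposes which users share it) where the salted one yields nothing.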
