Dr. Michael Pound’s current research focuses on image analysis for phenotyping crops, but you don’t have to be an expert in agriculture – or even computer science – to be frightened by this Computerphile video in which Pound demonstrates a deep-learning server called Beast at the University of Nottingham. Beast uses four parallel graphics processing units to test 10 billion hashes per second in a brute-force password crack using the hashcat password recovery utility.
In the first 15 minutes, Dr. Pound cracks nearly 30 percent of the entries in a 6,000-password list. He then uses a dictionary attack to reveal nearly half of the passwords in another file. And a computer like Beast costs about as much to build as a standard business server.
We contacted Dr. Pound, who is a computer science researcher and professor at the University of Nottingham, to get his insights on password vulnerability and what security administrators can do to better shore up their defenses. He was generous with his advice.
How did you get interested in this topic in the first place? It seems somewhat tangential to your principal areas of focus.
Like many computer scientists, I find security inherently interesting. In this case, I was asked to teach the core security module at the university, which meant I had to thoroughly explore the area first. I’m continuing to teach this course, so I continue to keep up with modern security concerns as much as possible.
What are the most important messages you hope viewers will take away from the video?
My hope is that people who have assumed that an attack won’t happen to them might take some notice after seeing just how easy password cracking is. I’m not necessarily an expert in password cracking tools, and yet I was able to break half of the passwords in the file within a few minutes. This tells us something about the kind of passwords people use, and about how much work we need to do to educate people on this issue.
The machine you used is powerful, but hardly supercomputer capacity. How much faster could password cracking computers theoretically be?
The only limit is your finances. I think a small cluster of computers could operate perhaps 10 times faster than our server. Then nine characters may no longer be enough. Luckily for us, it’s unlikely that the criminals would bother with this kind of expenditure. There are so many ways to crack passwords even with slow machines that their time is better spent with the most vulnerable passwords, rather than trying to crack that last 25%.
Having looked at thousands of passwords in your research, what do you see as some of the most common mistakes people make?
People make the same mistakes over and over. Aside from the obvious ones, like using your own name or common words, the ways people usually attempt to make a password more secure often offers little improvement. If they add a number, it’s usually a couple of digits at the end. Or they perform a common substitution, like replacing “I” with “1.” The same is true of symbols. Common substitutions like “@” for “a” and “$” for “s” are easily broken, yet people do that because it’s easy to remember.
You called the Rockyou list a “game-changer.” Why do you believe that’s the case?
Prior to Rockyou, attackers had intuition about the kinds of passwords people used, but still had to generate the lists themselves. Usually they’d use common dictionary words with a few rules applied. Rockyou’s list had millions of actual passwords, which can be adapted into millions more through rules changes. The number of possible password guesses that can be generated from this list is massive, and as some of the Rockyou passwords are complex, they lead to the cracking of previously “unbreakable” passwords.
The Yahoo hack is reported to have encompassed nearly half a billion passwords. Do you anticipate any fallout when that list makes it onto the Dark Web?
That would be very worrying. Rockyou may prove to have been more of an incremental change, but a half billion new passwords will allow hackers to break almost anything that doesn’t follow strict security guidelines about length and derivation. The onus will be on users to secure passwords better than ever, and on organizations to apply the best hashing algorithms.
You were pointed in your remarks about the weaknesses of the MD5 hash algorithm. What do you believe is an alternative that provides a baseline of good security?
Most modern hashing algorithms produce hashes of sufficient length to avoid naturally occurring collisions. However, as we saw in the video, we’re not waiting for these collisions to happen naturally; rather, we’re making educated guesses. An important aspect of a modern hashing function is the speed at which we can use it. PBKDF2 will perform multiple rounds of hashing using a hash function like SHA-256, so as long as the number of rounds is high enough, cracking becomes much more impractical. Other algorithms, like bcrypt, are specifically designed to be a pain to exploit on the GPU, slowing them further. The best advice I can give is to pick a hash function of suitable length and difficulty, then repeat it as many times as possible.
What do you believe is the current minimum safe length for a secure password made up of random characters? Given what you know about the rate of advance in computer technology, what do you think the minimum safe length will be five years from now?
If your password is completely random, and includes symbols, nine characters is probably a safe position to start. Dictionary attacks aren’t effective against random passwords. A brute-force attack might get lucky at nine characters, but it’s not likely. Luckily for us, the difficulty of brute-forcing a password increases exponentially, so while nine characters might be feasible to crack in five years, 10 definitely won’t be. The vast majority of my random passwords are 12 and 16 characters long, and I use a password manager to make sure I keep track of them.
Why are dictionary cracks more effective than brute force cracks?
Since people often don’t use truly random passwords, dictionary attacks can be brutally effective. While a brute-force attack becomes challenging at eight characters – and impossible at 10 – no such restriction affects dictionary attacks. If your password comprises smaller parts, each of which happens to appear in the dictionary, it could be cracked even at 20 characters or more. As always, avoiding common words and digit combinations can help a lot here.
It’s been said that quantum computers will be able to crack 512-bit encryption algorithms in seconds. Once those machines are commercially available, will passwords even be viable anymore?
Luckily for us, and perhaps counter-intuitively, many hashing algorithms can stand up to quantum attacks. Quantum computers aren’t simply computers that run very fast; they have a unique architecture. While they are capable of quickly solving problems like integer factorization, which lies at the heart of RSA encryption, they can’t cycle through bcrypt hashes much faster than a modern machine can.
This is good news, but your system is only as secure as its weakest link. If your key exchange and encryption algorithms are compromised, then the security of your password in transit is lost. Researchers are focusing their efforts on “post-quantum” cryptography, in an attempt to move towards algorithms that resist this new technology.
Any other advice for security administrators?
I would advise administrators to begin moving away from the old security models that force users into large character sets and frequent password changes. A better approach is to educate users in the use of random and unique passwords, and provide them with access to password management software to help them. If a company enforced the use of password management software for all employees, I’d guess that we’d find the instances of weak and forgotten passwords would decrease significantly.