Sunday, September 24, 2017

Tag: Password Cracking

Thanks to the continuous barrage of high-profile computer security scares and reports of cloud-scale government snooping, more of us Internet users are wising up about the security of our information. One of the smarter moves we can make to protect ourselves is to use a password manager.
It's one of the easiest too. A password manager is an excellent first step in securing your online identity, helping you increase the strength of the passwords that protect your online accounts because it will remember those passwords for you.

A password manager will generate a unique strong password for every account and application, without requiring you to memorize or write down these random strings of characters.

These strong passwords help shield against traditional password attacks such as dictionary, rainbow table, or brute-force attacks.
Suits should have done more to protect users, rather than user numbers

ANALYSIS Fallen web giant Yahoo! has been branded negligent for failing to tackle the prodigious challenge of upgrading its MD5 password security before some one billion accounts were stolen.

The security-battered organisation revealed today that attackers had stolen more than a billion accounts in August 2013 in history's biggest breach. Hackers stole names, addresses, phone numbers, and MD5 hashed passwords in a coup for social engineers who could use the information to compromise the very identity of users.

That eye-watering news followed the company's September admission that 500 million accounts had been stolen in separate attacks by alleged state-sponsored hackers in 2014, an incident that came two years after staff first became aware of the hack.

Yahoo! has since replaced its MD5 hashing with the far superior bcrypt, moving from the world's worst password protection mechanism to the best. Yet it is little comfort for those who use legitimate personal details when signing up to Yahoo!'s service, including scores of American subscribers to major cable and DSL telcos including AT&T, which use Yahoo! for their default email services, along with Kiwi carrier Spark, which ditched the service in September.

It is not known if the MD5 hashes were salted, since Yahoo! did not mention the critical additive in its statement.

Doing so would mitigate much of the risk from using MD5, says Jeffrey Goldberg, security guru at AgileBits, makers of the 1Password credential vault. "What is most important is whether the hashes, be they MD5, SHA1, or SHA256, are salted," Goldberg says. "There is absolutely no excuse to use unsalted hashes."

But that the Purple Palace was even using the algorithm has drawn steep criticism from established security boffins. "The MD5 hashing algorithm has been considered not just insecure, but broken, for two decades," says Ty Miller, director of Sydney-based security firm Threat Intelligence, noting that MD5 collision vulnerabilities were found in 1996 with practical attacks developed in 2005. "I consider it negligent of an organisation such as Yahoo!, which has an obligation to protect the private data of over one billion users, to be using such an outdated and ineffective control to protect the passwords of its customers."

The gossamer-thin algorithm is a joke in security circles. Rainbow table databases serve as directories that transform hashes into cleartext passwords, and the internet is now littered with free and paid services that can reveal logins within seconds.

David Taylor, principal security consultant with Perth-based Asterisk Information Security, offered a similar opinion: "Yes, it would be pretty poor form on their part [to be] still using MD5 for hashing in 2013," he says. "There have been numerous issues reported for MD5 dating back to the mid 2000s."

Board director with the lauded Open Web Application Security Project (OWASP) Andrew van der Stock, also chief technology officer at Threat Intelligence, is an advocate of baking security into the development process and sees shortcomings in Yahoo!'s security models.
"This breach clearly shows that Yahoo!'s previous approach to security was less than ideal, and it's obvious that the Paranoids (Yahoo!'s security team) were unable to move the needle sufficiently with management to upgrade password hashing from an outdated and insecure algorithm to something more modern and acceptable," he says. "That it (MD5) is still commonly found in many of the worst breaches is an indication that the continued use of MD5 is correlated with other poor security practices."

The breach comes at a notably poor time for Yahoo!: the company will soon be acquired by Verizon, possibly at a damaged-goods discount, and is conducting a security recruitment drive in Australia in a bid to attract local security talent, van der Stock says. "We all understand that without a complete revamp of senior management support for security and alignment with customer desires for privacy and security of their data, there is no point in taking on a position at Yahoo!," he says.

Take this with a pinch of salt

Administrators were salting password hashes in the 1980s, but many still fail to apply the complexity additive today.

The cryptography measure introduces random data into one-way functions, preventing the use of rainbow tables by ensuring identical passwords have unique hashes. Goldberg points to the 2012 breach at LinkedIn to demonstrate the importance of salting, something the security boffin wrote about at the time.

"LinkedIn had used SHA1, an improvement over MD5 in general, but it really didn’t matter that it was SHA1 instead of MD5," Goldberg tells The Register. "What mattered is that it was not salted. I argued in 2012 that it was irresponsible for LinkedIn to have used unsalted hashes, and so that certainly applies to Yahoo! using unsalted hashes in 2013, if indeed, their hashes were unsalted."

Put simply, a bland salt-free password earns the "contempt" of Goldberg and his kin, while the use of slow hashes like bcrypt, PBKDF2, or the upcoming Argon2 wins their praise. Attackers can guess salted passwords, whereas bcrypt and friends slow the rate at which those guesses can be made.

"With a simple cryptographic hash function [like] SHA256, MD5, etcetera, an attacker might be able to make 10 million guesses per second on a single hash.

But with the 'slow hashing' functions, that might be reduced to a few tens of thousands of guesses per second," he says.

The decreased rate gives users a window to change their passwords; yet even that may not have helped Yahoo! "But after four years, the details of the hashing scheme don’t really matter. Any guessable password will have been guessed by now," he says.

Not easy

Yahoo!, like so many other companies offering free technology services, wants to attract the highest possible number of subscribers and has been criticised for perceived attempts to kneecap fleeing users. That mindset may have dissuaded the company from more efficiently jettisoning MD5 hashing for passwords prior to the 2013 pillaging.

"The only practical way to speed up the conversion process (to bcrypt) is to force a password reset, maybe across the board, but more likely on a web property by web property basis," says noted cryptologist and director of the Open Crypto Audit Project Kenneth White. "And therein lies the problem: there is often a very real tension between the business to be able to claim the highest user count, versus the reality that a years-old email reminds millions of people to log in to an account they had long ago forgotten."

Image caption: Using Yahoo! to find Yahoo! MD5 hashes, here revealing 'Password1'.
Image: Ty Miller.

An email shipped to users asking them to log in so their passwords may be upgraded from MD5 hashing to bcrypt risks a "virtually overnight mass exodus of users" and a social media complaint storm that sends more rats from the burning Palace, he says.

Bcrypt is the powerful hashing function designed to slow decryption attempts while minimising legitimate-use performance overheads, and is favoured, along with PBKDF2 (Miller prefers the latter with hashes bearing 100,000 iterations), by each of the security boffins The Register has spoken to for this story, and many more in the broader security community including OWASP.

Yet migrating to the top-notch function is not as simple as just "switching to bcrypt", White says. A bootstrapping process can be followed, but it requires users to log in for bcrypt or PBKDF2 to be called and saved to a new column. Moreover, White says Yahoo! is a patchwork of web properties bearing decades-old Perl, PHP, and C code and so cannot be compared to the ease of upgrading a purpose-built modern web app.

"Consider the legacy managed business mail systems," White says. "The myriad e-commerce shopping cart apps, ad accounts, to say nothing of Flickr, Yahoo! IM, and the hundreds of millions of webmail users who hadn't logged in for years, and you begin to see the scope of the engineering challenge."

Van der Stock, acknowledging his outsider's position, reckons Yahoo! should immediately deploy two-factor verification for all of its services, and again reset passwords, noting that the use of mere usernames and passwords puts users at "serious risk" and that leaving accounts exposed would be a "serious breach of trust".

Yahoo! could take a leaf from Microsoft's Xbox Live endeavours and deploy similar authentication smarts, if it has not already done so.
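The login-time bootstrapping White describes, together with Goldberg's point about salting, as an added example that is not Yahoo!'s code nor any quoted expert's: legacy rows hold an unsalted MD5 digest, and a successful login is the one moment the server has the plaintext, so it re-hashes into a new column and drops the old digest. It uses PBKDF2-HMAC-SHA256 from the Python standard library (with the 100,000 iterations Miller is quoted as preferring) in place of bcrypt; the table layout, record format and sample rows are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Iteration count Miller is quoted as preferring for PBKDF2.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """Unsalted MD5, as the legacy store used it. Insecure; kept only to verify old rows."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Record format (constructed here): algo$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_new_hash(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unexpected hash record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


@dataclass
class UserRow:
    """One row of a hypothetical user table: legacy column plus the new, initially NULL, column."""
    email: str
    md5_hash: Optional[str]
    pbkdf2_hash: Optional[str] = None


def login(row: UserRow, password: str) -> bool:
    """Check the password; if the row still relies on MD5, upgrade it while the plaintext is in hand."""
    if row.pbkdf2_hash is not None:
        return verify_new_hash(password, row.pbkdf2_hash)
    if row.md5_hash is None:
        return False
    if not hmac.compare_digest(legacy_md5(password), row.md5_hash):
        return False
    # Successful legacy login: compute the salted PBKDF2 record now and drop the MD5 digest.
    row.pbkdf2_hash = new_hash(password)
    row.md5_hash = None
    return True


def migration_progress(rows) -> float:
    """Fraction of rows already on PBKDF2; users who never log in stay on MD5 unless reset."""
    upgraded = sum(1 for r in rows if r.pbkdf2_hash is not None)
    return upgraded / len(rows) if rows else 0.0


def same_password_collides(password: str):
    """Why salting matters: two users sharing a password get identical MD5 digests
    (one lookup cracks both) but distinct PBKDF2 records. Returns (md5_equal, pbkdf2_equal)."""
    md5_pair_equal = legacy_md5(password) == legacy_md5(password)
    pbkdf2_pair_equal = new_hash(password) == new_hash(password)
    return md5_pair_equal, pbkdf2_pair_equal


def guesses_per_second(hash_fn, guesses: int) -> float:
    """Rough single-thread guess rate, to illustrate Goldberg's fast-vs-slow hash comparison."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}")
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample table; "Password1" is the value shown in the article's hash-lookup image.
    table = [UserRow("alice@example.com", legacy_md5("Password1")),
             UserRow("bob@example.com", legacy_md5("correct horse battery staple"))]
    print("alice wrong password:", login(table[0], "password1"))
    print("alice right password:", login(table[0], "Password1"))
    print("rows migrated:", migration_progress(table))
    print("identical passwords collide (md5, pbkdf2):", same_password_collides("Password1"))
    print(f"md5 guesses/s ~{guesses_per_second(legacy_md5, 20000):.0f}")
    print(f"pbkdf2 guesses/s ~{guesses_per_second(new_hash, 20):.0f}")
```

Rows whose owners never return keep their MD5 digest indefinitely, which is exactly why White says a forced reset is the only way to finish the conversion.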
"… I would strongly recommend some sort of real time authentication intelligence around compromised accounts, so that the authentication system itself assigns a risk score to logins to ensure that unusual patterns of abuse, such as brute force attacks, logging in from a distant country, or popping out of multiple IPs is blocked or alerted to the user for further action."

Burning questions remain, not least how it took the technology giant three years to disclose that such a massive share of its accounts have been breached. "It's baffling why it's taken so long to fully scope and disclose the extent of their breach," White says. ®
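The risk-scoring authentication intelligence van der Stock recommends, as an added example (not Yahoo!'s or Xbox Live's implementation): a sliding window per account turns the three signals he names (repeated failures, a distant country, many source IPs) into a score that allows, alerts or blocks. The log line format, thresholds, weights and the sample log with its documentation-range IPs are all constructed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: one line per authentication attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) country=(?P<cc>[A-Z]{2}) result=(?P<result>OK|FAIL)$"
)

WINDOW = timedelta(minutes=10)   # sliding window per account
FAIL_THRESHOLD = 5               # failures in window: brute-force signal
IP_THRESHOLD = 3                 # distinct source IPs in window: "popping out of multiple IPs"
ALERT_SCORE = 3                  # notify the user for further action
BLOCK_SCORE = 5                  # refuse the login


class LoginRiskScorer:
    """Assigns each login attempt a risk score from recent history for that account."""

    def __init__(self, home_country):
        # user -> country the account normally logs in from (assumed known from past history)
        self.home_country = home_country
        # user -> deque of (timestamp, ip, result) still inside the window
        self.recent = defaultdict(deque)

    def score(self, line):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable auth line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, ip, cc, result = m["user"], m["ip"], m["cc"], m["result"]

        events = self.recent[user]
        events.append((ts, ip, result))
        while events and ts - events[0][0] > WINDOW:   # expire events older than the window
            events.popleft()

        score, reasons = 0, []
        failures = sum(1 for _, _, r in events if r == "FAIL")
        if failures >= FAIL_THRESHOLD:
            score += 3
            reasons.append(f"{failures} failed attempts within {WINDOW}")
        distinct_ips = {i for _, i, _ in events}
        if len(distinct_ips) >= IP_THRESHOLD:
            score += 2
            reasons.append(f"{len(distinct_ips)} distinct source IPs within {WINDOW}")
        home = self.home_country.get(user)
        if home is not None and cc != home:
            score += 3
            reasons.append(f"login from {cc}, account normally logs in from {home}")

        if score >= BLOCK_SCORE:
            decision = "block"
        elif score >= ALERT_SCORE:
            decision = "alert"
        else:
            decision = "allow"
        return user, decision, score, reasons


def process_log(lines, home_country):
    """Score every line in order; returns a list of (user, decision, score, reasons)."""
    scorer = LoginRiskScorer(home_country)
    return [scorer.score(line) for line in lines if line.strip()]


# Constructed sample: alice normally logs in from AU, bob from US (documentation IP ranges).
SAMPLE_LOG = """\
2016-12-15T10:00:00Z user=alice ip=203.0.113.5 country=AU result=OK
2016-12-15T10:02:00Z user=bob ip=192.0.2.10 country=US result=FAIL
2016-12-15T10:02:05Z user=bob ip=192.0.2.10 country=US result=FAIL
2016-12-15T10:02:10Z user=bob ip=192.0.2.11 country=US result=FAIL
2016-12-15T10:02:15Z user=bob ip=192.0.2.12 country=US result=FAIL
2016-12-15T10:02:20Z user=bob ip=192.0.2.12 country=US result=FAIL
2016-12-15T10:03:00Z user=alice ip=198.51.100.7 country=DE result=OK
2016-12-15T10:14:00Z user=bob ip=192.0.2.10 country=US result=OK
""".splitlines()
HOME_COUNTRY = {"alice": "AU", "bob": "US"}

if __name__ == "__main__":
    for user, decision, score, reasons in process_log(SAMPLE_LOG, HOME_COUNTRY):
        print(f"{user:6} {decision:6} score={score} {'; '.join(reasons)}")
```

Bob's fifth failure from a third IP is blocked, alice's otherwise valid login from DE only raises an alert, and bob's login twelve minutes later scores zero because the window has emptied.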
Yahoo's announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale -- it's the largest data breach ever -- and the potential security implications for users. That's because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users' online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.

An email compromise is one of the worst data breaches that a person could experience online, so here's what you should know:

Fifty shades of hashing

Yahoo said that the "vast majority" of the stolen account passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that transforms data into a set of random-looking characters that serves as its unique representation -- this is called a hash. Hashes are not supposed to be reversible, so they're a good way to store passwords. You take input, such as a password, pass it through a hashing algorithm and compare it to a previously stored hash. This provides a way to verify passwords at log-in time without actually storing them in plain text in the database.

But not all hashing algorithms offer equal protection against password cracking attacks that attempt to guess which plaintext password generated a specific hash. Unlike the ageing MD5, which is quite easy to crack if implemented without additional security measures, bcrypt is considered a much stronger algorithm. This means that in theory, the likelihood of hackers cracking "the vast majority" of Yahoo passwords is very low.

But here's the problem: Yahoo's wording suggests that most, but not all passwords were hashed with bcrypt. We don't know how many passwords were hashed with another algorithm, or which one it was. The fact that this hasn't been specified in Yahoo's announcement or FAQ page suggests that it's an algorithm that's weaker than bcrypt and that the company didn't want to give away that information to attackers.

In conclusion, there's no way to tell if your account was among those whose passwords were hashed with bcrypt or not, so the safest option at this point is to consider your email compromised and to do as much damage control as possible.

Don't keep emails just because you can

Once hackers break into an email account they can easily discover what other online accounts are tied to that address by searching for sign-up emails. These are the welcome messages that most websites send when users open a new account, and which users rarely delete. These days most email providers offer enough storage space that users won't ever have to worry about deleting messages.

Aside from exposing the links between an email address and accounts on various websites, those sign-up emails can also expose the specific account names chosen by the user, if different from their email address. If you're among the people who don't delete welcome emails and other automatic notifications sent by websites, such as password resets, then you might want to consider doing so and even go back to clean your mailbox of such communications. Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

Be careful when asked for your personal details

Among the account information that hackers stole from Yahoo were real names, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of those details are sensitive and are also used for verification by banks and possibly government agencies. There are very few cases when a website should have your real date of birth, so be judicious about providing it.

Also, don't provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as the answer. In fact, Yahoo doesn't even recommend using security questions anymore, so you can go into your account's security settings and delete them.

Check your email forwarding rules regularly

Email forwarding is one of those "set it and forget it" features. The option is buried somewhere in the email account settings that you never check, and if it's turned on there's little to no indication that it's active. Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices and IP addresses.

Two-factor authentication everywhere

Turn on two-factor authentication -- this is sometimes called two-step verification -- for any account that supports it. This will prompt the online service to ask for a one-time-use code sent via text message or generated by a smartphone app, in addition to the regular password, when you try to access the account from a new device. It's an important security feature that could keep your account secure even if hackers steal your password. And Yahoo offers it, so take advantage of it.

Don't reuse passwords; just don't

There are many secure password management solutions available today that work across different platforms. There's really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts, use passphrases instead: sentences made up of words, numbers and even punctuation marks.

Here comes phishing

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incidents. These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed off as security tools, can direct users to websites that ask them for additional information under the guise of "verifying" their accounts, and so on. Be on the lookout for such emails and make sure that any instructions that you decide to follow in response to a security incident came from the affected service provider or a trusted source.
Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn't good enough, a researcher demonstrated this week. Rob Fuller, principal security engineer at R5 Industries, found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds.

The hash can later be cracked or used directly in some network attacks. For his attack, Fuller used a flash-drive-size computer called USB Armory that costs $155, but the same attack can be pulled off with cheaper devices, like the Hak5 LAN Turtle, which costs $50. The device needs to masquerade as a USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer.

This shouldn't be difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state and 2) they automatically configure wired or fast Ethernet cards as the default gateways. For example, if an attacker plugs in a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface. Furthermore, when a new network card gets installed, the OS configures it to automatically detect the network settings through the DHCP (Dynamic Host Configuration Protocol).

This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server. USB Armory is a computer on a stick that's powered via USB and can run Linux, so no separate machine is required. Once an attacker controls a target computer's network settings via DHCP, he also controls DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Autodiscovery) protocol and more. He essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer's network traffic. According to Fuller, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted.

The time it takes for a rogue USB device to capture credentials from a system using this attack is around 13 seconds, he said. He tested the attack successfully on Windows and OS X. However, he's still working on confirming if OS X is vulnerable by default or if it was his Mac's particular configuration that was vulnerable. "First off, this is dead simple and shouldn’t work, but it does," the researcher said in a blog post. "Also, there is no possible way that I’m the first one who has identified this, but here it is." Depending on the Windows version installed on the computer and its configuration, the password hashes will be in NT LAN Manager (NTLM) version 2 or NTLMv1 format. NTLMv2 hashes are harder to crack, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password cracking rig. There are also some relay attacks against network services where NTLM hashes can be used directly without having to know the user's plaintext password. The lesson from all this is, as Fuller noted on Twitter: "Don't leave your workstation logged in, especially overnight, unattended, even if you lock the screen."
PC Master Race rig? Get ready to crack passwords FIVE HUNDRED times faster!

Ancient famed Windows cracker L0phtCrack has been updated after seven years, with the release of the "fully revamped" version seven. The password cracker was first released 19 years ago, gaining much popularity in hacker circles and leading Microsoft to change the way it handled password security at the time. No new versions have been released since version six in March 2009, launched at the Source Boston conference.

The latest iteration sports a revamped cracking engine designed to exploit modern multi-core CPUs and GPUs, beating the previous version's time to crack on four-core CPUs by a factor of five. Users with expensive GPUs like the AMD Radeon Pro Duo will gain a speed increase of a whopping 500 times over the previous version.

The increase in speed was not matched by Microsoft, which still relies on NTLM password hashing. So outgunned is Microsoft that cracking is easier now than it was nearly two decades ago, when L0phtCrack first landed, according to founding former L0phtCrack team members Christien Rioux, Chris Wysopal, and Peiter Mudge Zatko, who run L0pht Holdings.

"[L0phtCrack's] password cracking capability forced Microsoft to make improvements to the way Windows stored password hashes," L0pht Holdings says. "Microsoft eventually deprecated the weak LANMAN password hash and switched to the stronger NTLM password hash it still uses today … yet hardware and password cracking algorithms have improved greatly in the intervening years.

"The new release of L0phtCrack 7 demonstrates that current Windows passwords are easier to crack today than they were 18 years ago when Microsoft started making much needed password strength improvements."

A 1998 Pentium II 400 MHz CPU computer running version one of L0phtCrack would take a day to crack an eight-character long alphanumeric Windows NT password. Today L0phtCrack 7 could do the job on a much cheaper gaming machine, busting a Windows 10 password in about two hours.

"Windows passwords have become much less secure over time and are now much more easily cracked than in the era of Windows NT," the hacker outfit says. "Other OSes, such as Linux, offer much more secure password hashing, including the NSA recommended SHA-512."

The group points to a study which found shoddy domain user passwords were the way in for most penetration testers, most of the time. To that end L0phtCrack 7 is pitched as a means for admins and testers to audit Windows domain passwords and find weak passwords in a few hours.

The revamped app also sports a shiny GUI and auditing wizard, plus scheduling and reporting. It works with all versions of Windows and supports new types of UNIX password hashes, and will work with other password importers and crackers using a plug-in feature.

There is not yet a consensus on password selection best practice. Microsoft and Google boffins reckon passwords should be pronounceable, rather than set to the typical recommended jumble of numbers, special characters, and letters, which are difficult for users to recall. Britain's GCHQ spy agency reckons admins ought to stop punishing users with regular password resets, which studies show lead to weaker combinations being set over time. Password strength meters are junk, Compound Eye developer Mark Stockley says, since they do not help against predictable and clichéd logins that can be easily guessed. Last month Docker's security lead Diogo Mónica (@diogomonica) rubbished the popular password choice and complexity debate, saying password managers should be used to generate and set unique jumbled credentials for all sites. ®
If you’ve ever hacked for a living -- wearing a white hat, I hope -- you probably can’t stand the unrealistic light most shows and movies shine on hacking and hackers. On the big and small screens, supergenius hackers enjoy instantaneous success and always manage to stay one step ahead of the law. Typically they’re portrayed in one of two views: Either they dress like refugees from a cyberpunk fashion show and have hot model girlfriends, or they’re solitary fat guys juiced up on energy drinks hacking away in their trashed bedrooms.

The dirty secret is that hacking tends to be tedious work -- not exactly Hollywood fare. Yet Hollywood has worked its magic on the minds of the masses. Many times I’ve had friends get upset that I couldn’t instantly crack their wireless network or Facebook account when they forgot their passwords. I’ve even seen newbies on a penetration testing team surprised that we don’t immediately break into every server we come across without a little research first.

In real life, hacking is 95 percent monotony and 5 percent excitement, where focused dedication is more than a virtue. It’s almost the only trait that matters. So much for the reality-based community. Courtesy of Hollywood, here are the hacking misfires that bug me most.

1. Instant password guessing

Many if not most movies with hacking scenes show the protagonist under lethal pressure to crack the master password in less than a minute. A perfect example is 2001’s "Swordfish," in which the evil character played by John Travolta holds a gun to the head of the hacker leader, Stanley, played by Hugh Jackman. Stanley sweats bullets under threat, typing different passwords so fast it’s obvious he can’t be typing anything coherent at all. At the last second, after trying hundreds of different passwords, he pulls the right one out of thin air. Has any computer system in any movie ever locked out an attacker after a certain number of password tries?

In other hacker movies, the protagonist seems to guess the correct password right off the bat. The hacker looks around the office, sees a picture of the CEO playing golf, and seems to know that “Titleist” is the right password. While trying words associated with the victim’s hobby is a well-known guessing technique, I’ve never seen anyone get it right on the first pass.

Real password guessing usually takes hundreds (if not hundreds of thousands) of attempts. If account lockout isn’t enabled, hackers can use automated dictionary-hybrid programs to do all the guessing. Today, because most passwords are complex and run eight characters or more in length, manual guessing isn’t very fruitful. In fact, today, most password “guessing” is really password cracking. Cracking starts by capturing the password hashes first (which takes superadmin access), then using a brute-force or dictionary automation program to convert the hashes into their plaintext equivalents. Or to be truly modern about it, the passwords aren’t guessed or cracked at all. Instead, the attackers use the captured hashes, with no conversion necessary, to authenticate to other computers.

2. Cross-platform hacking

One of the most cringe-inducing moments of all time appeared in 1996’s “Independence Day," when Jeff Goldblum’s character writes and inserts a computer virus into the mothership’s computers, which then brings down the shields and leads to the aliens' downfall. When I first saw that scene, I wondered: "Gee, did he use Cobol or C++?" It’s ridiculous to think an alien race would use computer systems that could run our programs. Their systems wouldn’t use the same character sets, language conversion tables, or built-in instructions on their CPUs.

In real life, most malware programs have a hard time running on different versions of the same operating system, much less on different operating systems or platforms. I’ve seen movies in which a hacker on a Unix computer writes code for a Microsoft Windows victim. While that could actually be done, it would be 99 percent wasted effort. Real malware writers code their creations on the same platform as the target system.

3. All systems are interconnected

Another incredibly unrealistic portrayal: One malware program or command manipulates dozens of disparate systems all at once. Sandra Bullock’s nemesis in 1995’s “The Net” provides a case in point. After spurning a would-be paramour turned murderer, Bullock’s character suffers an attack that erases her online life (no mortgage record, no driver’s license, no credit cards, no paycheck). The best part? Her antagonist does it with a couple of commands! He even erases all paper trails and backups, not to mention everyone’s memory of her.

It’s laughable on many levels, not the least of which is how interconnected the movie seems to think all these systems are. With minimum effort, dozens of unrelated systems are accessed and manipulated. In real life, you can’t find a single environment where all such systems talk so well together. Go to any organization -- a government department, a corporation, a bank, a hospital -- and you’ll invariably find a hodgepodge of systems that IT wishes could seamlessly talk to each other. In real life it takes months for a company to erase the trail of a single entity, and that’s when they own the systems, have the passwords, and know what they’re doing. If the bad guy really could do what he seems to be doing in “The Net,” he could earn millions working for corporations. He would be a data god!

4. All information pops up instantly

When any information is requested, the “computer nerd” types in a single command, and the answer comes back in seconds. This seems to happen several times a week on crime shows. The protagonist will ask something like, “Where is the bad guy using his ATM card right now?” Ta-da, the screen immediately returns the exact address. Or “How many murders were committed in the upper boroughs by a guy using a knife and wearing pink shorts?” Voila, the answer is 12.

Contrast this with asking your own log management system how many logons Roger had today. You can easily wait two to three minutes for the answer -- with no guarantee the answer will be accurate.

5. Every program is a hacker’s dream program

Almost every hacker movie shows a great, custom-made program with an incredible graphical UI perfect for whatever the hacker is doing. In real life, almost all the programs used by hackers are created by someone else, used by millions of other hackers, and have a horrible UI. You get a CLI and a set of commands that demand an unnatural amount of human memory to recall. The commands often wrap around from one line to the next.

Fact is, you don’t even need the most up-to-date program. Most successful hacks target vulnerabilities and exploits many years old. When I was a full-time penetration tester, rarely did I break in using a brand-new vulnerability. It was far more common to find a flaw from five to 10 years ago that had never been patched.

One show gets hacking right

You can always tell when a show cares about how it portrays hacking, but there’s nothing quite like the USA Network’s "Mr. Robot." Although the protagonist is a supergenius -- who, yes, frequently enjoys instantaneous success -- every typed command or program is a real typed command or program. What he does could really happen, albeit with the normal Hollywood hyperbole.

I remember when I saw the first few episodes. I was filled with glee to see all the realness. It proved that Hollywood could produce a hacker-driven drama using actual hacker commands and tools. Not only that, but the show is a wild success. I hope others follow the path blazed by "Mr. Robot." Think of those hardcore contingents of loyal, upscale fans! I’m not holding my breath, though. Reality always demands more tedious work than most people want to watch.
A new chapter in password cracking is about to begin.

Jeremi M Gosney (@jmgosney) is a world-renowned password cracker and security expert. He is the Founder & CEO of the password-cracking firm Sagitta HPC, and a member of the Hashcat development team. Jeremi also helps run the Security BSides Las Vegas, Hushcon, and PasswordsCon conferences.

Me: "The full dump from the 2012 LinkedIn breach just dropped, so you're probably not going to see much of me over the next week."

Wife: "Again?"

Yes, again.
If you're just waking up from a coma, you would be forgiven for thinking that it's still 2012.

But no, it's 2016 and the LinkedIn breach is back from the dead—on its four-year anniversary, no less.
If you had a LinkedIn account in 2012, there's a 98 percent chance your password has been cracked. Back in 2012, fellow professional password cracker d3ad0ne (who sadly passed away in 2013) and I made short work of the first LinkedIn password dump, cracking over 90 percent of the 6.4 million password hashes in just under one week.

Following that effort, I did a short write-up ironically titled The Final Word on the LinkedIn Leak.  But those 6.4 million unique hashes posted on a Russian password-cracking forum in June 2012 only accounted for a fraction of the total LinkedIn database.

This second dump, on the other hand, contains 177.5 million password hashes for 164.6 million users, which aligns perfectly with LinkedIn's user count in the second quarter of 2012.

After validating the data that I received with several individuals, I concluded that this does appear to be a nearly complete dump of the user table from the 2012 LinkedIn hack. I say "nearly complete" because there are some e-mail addresses in the dump that do not have hashes associated with them (the hash was replaced with the string "xxx"), and there are also some hashes that are not associated with an e-mail address (the e-mail address is NULL). While I presume the hashes not associated with any e-mail address are deleted accounts, I cannot even venture a guess as to why some of the password hashes are missing.

That's the way it goes when you're working with second-hand data from an unknown source; you just can't get a pristine database dump these days.

You may think those 178 million password hashes are a lot, and you wouldn’t be wrong.

But some 362 million passwords, allegedly from Myspace, have recently been posted for sale elsewhere on the darkweb. What makes the LinkedIn breach more notable? While Myspace also acknowledged its breach, that data holds very little analytical value, because the passwords were dramatically altered before being hashed.

Those passwords were all converted to lowercase and truncated to just 10 characters, so it's impossible for us to know what the original input data was.

Further, two of the top 10 passwords from the Myspace list appear to have been created by spammers registering fake profiles and likely do not reflect the choices of actual end-users. So as it stands today, the LinkedIn breach is the largest and most relevant publicly-acknowledged password breach in Internet history.

Password cracking and the age of enlightenment

As Ars explained a few months after the first batch of LinkedIn passwords spilled, password cracking is an endless feedback loop. We crack the passwords so that we can learn about passwords, which helps us to crack more passwords, which we can then analyze and use to crack more passwords. We start off with a small amount of data that enables us to crack a small number of passwords.

Those passwords then give us some insight into how passwords are created, which enables us to crack more in the future. And it’s not just passwords we’re interested in, either.

Any short, low-entropy, human-generated string—e.g. usernames and screennames, e-mail addresses, etc.—are all potentially useful.
In the absence of external factors such as password complexity policies, we have found that the username selection process is not all that different from the password selection process.

The more data we can accumulate and analyze, the more successful we are at cracking passwords. Back in the early days of password cracking, we didn't have much insight into the way people created passwords on a macro scale.
Sure, we knew about passwords like 123456, password, secret, letmein, monkey, etc., but for the most part we were attacking password hashes with rather barbaric techniques—using literal dictionaries and stupid wordlists like klingon_words.txt. Our knowledge of the top 1,000 passwords was at least two decades old. We were damn lucky to find a password database with only a few thousand users, and when you consider the billions of accounts in existence even back then, our window into the way users created passwords was little more than a pinhole. Those were the dark ages of password cracking.

The age of enlightenment came after 32 million non-unique plaintext passwords from RockYou were leaked to the Internet.
Suddenly that pinhole turned into a porthole, and for the first time in history we got a solid look at how users were creating passwords on a mass scale. The RockYou breach revolutionized password cracking. No longer were we using crap like list_of_kitchen_appliance_manufacturers.txt for wordlists.

Everyone was just using rockyou.txt, and they were cracking a significant percentage of passwords. Markov statistics, mangling rules, everything was being based on what we learned from the RockYou passwords. The RockYou breach coincided with another turning point in password cracking history: the advent of general-purpose GPU computing.

By harnessing the parallel processing capabilities of graphics cards we could now crack password hashes tens of times faster than with a regular CPU. Meanwhile, software like Hashcat helped bring GPU password cracking into the mainstream, displacing now-obsolete techniques like rainbow tables.
Instead of pushing pixels, we were pushing RockYou-powered passwords, and we were cracking password hashes with unprecedented speed and success.
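The feedback loop described above (cracked plaintexts feed the masks, mangling rules and wordlists of the next run) in working code. This is an added example, not code from the article or from the Hashcat project. The two batches of plaintexts are constructed for illustration; the rule syntax is the small subset of hashcat's rule language (`:`, `c`, `u`, `$X`) that the miner below emits; and the 33-character count for `?s` is hashcat's default symbol set. The script learns rules from a first batch, rebuilds the wordlist from the cracked base words, and measures how much of a second batch the learned material would produce, without computing a single hash.

```python
"""Pattern mining from cracked plaintexts: the cracking feedback loop in code."""
from collections import Counter
from itertools import product

# Constructed plaintexts standing in for a first batch of cracked hashes.
# Illustrative strings only, not data from any real breach.
FIRST_BATCH = [
    "password1", "summer2012", "Linkedin1", "monkey12", "Jessica1",
    "football", "welcome1", "Princess", "qwerty123", "Michael1",
    "abc123", "sunshine", "dragon12", "Shadow1", "letmein",
]
# Constructed plaintexts standing in for the *next* breach; used only to
# measure how well material learned from FIRST_BATCH transfers.
NEXT_BATCH = [
    "Summer1", "Football1", "monkey123", "princess12", "Dragon1",
    "linkedin", "Qwerty1", "welcome12", "hunter2", "Trustno1",
]
# hashcat mask charsets: ?l lower, ?u upper, ?d digit, ?s symbol (33 chars)
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}


def mask_of(pw: str) -> str:
    """Map a plaintext to its hashcat-style mask: Summer12 -> ?u?l?l?l?l?l?d?d."""
    out = []
    for ch in pw:
        if ch.islower():
            out.append("?l")
        elif ch.isupper():
            out.append("?u")
        elif ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def mask_keyspace(mask: str) -> int:
    """Candidates a mask attack must try for one mask."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= CHARSET_SIZE[mask[i:i + 2]]
    return n


def mask_stats(plaintexts):
    """Masks ranked by frequency; the most common are attacked first."""
    return Counter(mask_of(p) for p in plaintexts).most_common()


def split_base(pw: str):
    """Split 'summer2012' into base word 'summer' and suffix '2012'."""
    i = len(pw)
    while i > 0 and not pw[i - 1].isalpha():
        i -= 1
    return pw[:i], pw[i:]


def infer_rule(pw: str):
    """Derive a rule (':' no-op, 'c' capitalize, 'u' upper, '$X' append) or None."""
    base, suffix = split_base(pw)
    if not base:
        return None
    ops = []
    if base.islower():
        pass
    elif base[0].isupper() and base[1:].islower():
        ops.append("c")
    elif base.isupper():
        ops.append("u")
    else:
        return None  # mixed case is not modeled here
    ops.extend("$" + ch for ch in suffix)
    return "".join(ops) or ":"


def infer_rules(plaintexts):
    """Rules ranked by how many cracked plaintexts each one explains."""
    return Counter(r for r in map(infer_rule, plaintexts) if r).most_common()


def apply_rule(word: str, rule: str) -> str:
    """Apply a rule in the subset of hashcat syntax produced by infer_rule."""
    out, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op == "c":
            out = out[:1].upper() + out[1:].lower()
        elif op == "u":
            out = out.upper()
        elif op == "$":
            i += 1
            out += rule[i]
        elif op != ":":
            raise ValueError(f"unsupported rule op {op!r}")
        i += 1
    return out


def base_wordlist(plaintexts):
    """Cracked base words, lowercased, become the wordlist for the next run."""
    return sorted({split_base(p)[0].lower() for p in plaintexts if split_base(p)[0]})


def coverage(wordlist, rules, targets):
    """Targets produced by wordlist x rules, plus the candidate count."""
    candidates = {apply_rule(w, r) for w, r in product(wordlist, rules)}
    return [t for t in targets if t in candidates], len(candidates)


if __name__ == "__main__":
    print("top masks:", mask_stats(FIRST_BATCH)[:3])
    rules = infer_rules(FIRST_BATCH)
    print("top rules:", rules[:5])
    words = base_wordlist(FIRST_BATCH)
    for k in (1, 3, len(rules)):
        hits, n = coverage(words, [r for r, _ in rules[:k]], NEXT_BATCH)
        print(f"{k} rules: {len(hits)}/{len(NEXT_BATCH)} of next batch from {n} candidates")
    print("keyspace of ?u?l?l?l?l?l?l?d:", mask_keyspace("?u?l?l?l?l?l?l?d"))
```

Run it and the top rule is `c$1` (capitalize, append 1). Three rules over fifteen base words already produce half of the second batch from 45 candidates; all seven rules produce eight of ten from 105 candidates, versus tens of billions for the single mask `?u?l?l?l?l?l?l?d`. The two misses are base words the first batch never revealed, which is exactly what a real run would fix by feeding each newly cracked plaintext back into the learning set.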

This fueled a wave of new password research, and when other large password breaches came our way—eHarmony, Stratfor, Gawker, and LinkedIn, for instance—we were ready and waiting. But most post-RockYou breaches have paled in comparison to the latest LinkedIn leak. Breaches from Zappos, Evernote, and LivingSocial (with 24 million, 50 million and 50 million respectively) would have made for fantastic password statistics, except those hashes never saw the light of day.
I'm sure the Adobe breach (at 130 million) was an amazing win for whoever stole the encryption key, but the rest of us are stuck playing a crossword puzzle.
It’s certainly possible that there are some other large password databases slowly making their way across the darkweb from companies that don’t even know that they’ve been breached, but as far as confirmed data breaches go, RockYou was the previous password cracking standard for relevant and useful breaches.

As in 2012, I was lucky to get my hands on this new LinkedIn data about a week after its announcement. Using a single Sagitta HPC Brutalis packed with eight Nvidia GTX Titan X graphics cards, I managed to recover 85 percent of the passwords on the first day, despite the fact that I was cracking so many passwords so quickly that the whole system slowed to a crawl. Working with the rest of the Hashcat development team, we managed to reach 88 percent by the end of the third day, and we crossed the 90 percent threshold on the fourth day.

This all happened a full two days faster than when working with the first LinkedIn dump, which contained only a small fraction of the number of hashes. On the sixth day, we teamed up with rival password cracking team CynoSure Prime to close out the effort at a solid 98 percent, cracking a total of 173.7 million passwords. While the RockYou breach revolutionized password cracking with "only" 32 million passwords, this second wave of LinkedIn data is nearly six times larger.

And given how many times this data has exchanged hands over the past two weeks, it’s surely just a matter of time before the full data is made publicly available. When it is, any password cracker worth their salt (ha!) should be able to crack 80-90 percent of the passwords on their own. This means hackers will soon have a drop-in replacement for RockYou that is over five times more effective: a new de facto wordlist, new patterns to analyze to generate new rules, and new statistics for probabilistic password cracking. When you take both RockYou and LinkedIn and combine them with eHarmony, Stratfor, Gawker, Gamigo, Ashley Madison, and dozens of other smaller public password breaches, hackers will simply be more prepared than ever for the next big breach.

A global failure made worse

Let's quickly remember why we hash passwords in the first place: password hashing is an insurance policy.
It ensures that should the password database be compromised in any way or through any vector, including physical theft, the passwords will not be recovered until engineers have an opportunity to identify and contain the breach, notify the public, and give users an opportunity to change their passwords anywhere else they may have used them.

The stronger and slower the password hashing is, the more time a site buys for itself and its users in the event of a breach. Therein lies the problem. We’ve known about the necessity of slow hashing since the 1970s, yet due to a global failure in threat modeling, adoption has been extremely low.
It is only in light of a string of high-profile breaches in the last five years that slow hashing has begun to make its way into the mainstream.

Thanks to services like LinkedIn, which negligently failed to employ slow hashing (the combined 184 million passwords dumped in 2012 and this year were all stored as unsalted SHA1), hackers have had more than a few fantastic opportunities to collect and analyze massive amounts of password data. What this means is that even if the next big breach does employ slow hashing, it likely will not be anywhere near as effective as it would have been even five years ago. Post-LinkedIn, it will take hackers far fewer attempts to guess the correct password than it otherwise would have. That’s not to say that online services shouldn’t employ slow hashing today.
If they aren’t using something like bcrypt or Argon2 for password storage, then they're doing things very, very wrong.
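To make the insurance-policy point concrete, here is an added example (not code from the article, from LinkedIn or from Hashcat) that runs the same eight-word dictionary against a constructed four-user table stored two ways: raw unsalted SHA1, as LinkedIn used, and a random per-user salt with a slow key derivation function. PBKDF2 from the standard library stands in for the slow hash only because it needs no third-party package; bcrypt or Argon2, as the text recommends, are the production choices. The user table, the wordlist and the iteration count are all assumptions for the demo.

```python
"""Unsalted fast hash vs. salted slow KDF under the same dictionary attack."""
import hashlib
import hmac
import os
import time

# Constructed user table and wordlist; illustrative only, not breach data.
USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "summer2012",
    "carol@example.com": "princess",
    "dave@example.com": "correct horse battery staple",  # not in the wordlist
}
WORDLIST = ["123456", "password", "linkedin", "letmein",
            "monkey", "summer2012", "princess", "qwerty123"]

# PBKDF2 is used because it ships in the standard library; bcrypt or Argon2
# (third-party packages) are the recommended choices in production.
ITERATIONS = 100_000


def sha1_unsalted(pw: str) -> str:
    """What LinkedIn stored in 2012: raw SHA1 of the password, no salt."""
    return hashlib.sha1(pw.encode()).hexdigest()


def build_unsalted_table(users):
    return {email: sha1_unsalted(pw) for email, pw in users.items()}


def crack_unsalted(table, wordlist):
    """One SHA1 per candidate is compared against every user at once.

    Returns (cracked, hashes_computed). Work is |wordlist|, independent of
    how many users are in the table: identical passwords share a digest.
    """
    by_hash = {}
    for email, digest in table.items():
        by_hash.setdefault(digest, []).append(email)
    cracked, computed = {}, 0
    for cand in wordlist:
        computed += 1
        for email in by_hash.get(sha1_unsalted(cand), []):
            cracked[email] = cand
    return cracked, computed


def slow_hash(pw: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def build_salted_table(users, iterations: int = ITERATIONS):
    """Random 16-byte salt per user, stored beside the digest."""
    table = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        table[email] = (salt, slow_hash(pw, salt, iterations))
    return table


def crack_salted(table, wordlist, iterations: int = ITERATIONS):
    """Each user's salt forces a fresh KDF call per (user, candidate) pair.

    Work is up to |users| x |wordlist| slow hashes instead of |wordlist|
    fast ones; the attacker stops early only for users it has cracked.
    """
    cracked, computed = {}, 0
    for email, (salt, digest) in table.items():
        for cand in wordlist:
            computed += 1
            if hmac.compare_digest(slow_hash(cand, salt, iterations), digest):
                cracked[email] = cand
                break
    return cracked, computed


def time_per_hash(fn, n: int = 20) -> float:
    """Seconds per call, measured rather than assumed."""
    start = time.perf_counter()
    for _ in range(n):
        fn()
    return (time.perf_counter() - start) / n


if __name__ == "__main__":
    cracked, n = crack_unsalted(build_unsalted_table(USERS), WORDLIST)
    print(f"unsalted SHA1:  {len(cracked)}/{len(USERS)} cracked with {n} hashes")
    cracked, n = crack_salted(build_salted_table(USERS), WORDLIST)
    print(f"salted PBKDF2:  {len(cracked)}/{len(USERS)} cracked with {n} hashes")
    fast = time_per_hash(lambda: sha1_unsalted("password"))
    slow = time_per_hash(lambda: slow_hash("password", b"\x00" * 16), n=3)
    print(f"each guess costs {slow / fast:,.0f}x the CPU time of raw SHA1")
```

Two effects stack. Without salts, one SHA1 per candidate is checked against the whole table, so the eight guesses cost eight hashes whether the table holds four users or 177 million. With per-user salts the same dictionary costs up to users times guesses, and each of those calls is tens of thousands of times slower at this iteration count. The per-hash time depends on the iteration count and the hardware, which is why the script measures it instead of quoting a number; the crucial caveat is that none of this helps against a password that is in the dictionary, which is the point the article makes about LinkedIn having lowered the bar for every future breach.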

But slow hashing is no longer as effective of a solution as it could have once been had it only been adopted sooner. Hackers again have the upper hand. Examining the breach, LinkedIn didn’t have very much of an insurance policy.
It was employing raw SHA1 for password hashing, but perhaps even worse is the fact that the company never even attempted to cash in on it.

Back in 2012, they failed to identify and acknowledge the breach in a timely fashion, and when they eventually did, they apparently only forced a password reset for the accounts belonging to the initial 6.4 million hashes.

The evidence suggests that the remaining 165 million accounts were allowed to use those same compromised passwords. That’s not the way this should work. When you suspect a password database has been compromised, even just in part, you cash in on that insurance policy immediately by activating your incident response team and your public relations team.

Companies ideally should notify the general public and users in an expedited manner, forcing a password reset for all users as soon as the breach is contained and the threat has been eradicated.

By the time LinkedIn made a statement about the breach, in contrast, I already had 70 percent of the passwords cracked.

Every moment LinkedIn hesitated was potentially devastating for its users.

And for the love of god, do not try to downplay the incident by saying something stupid like “Most of the passwords on the list appear to remain hashed and hard to decode." Instead, companies should just acknowledge the plain and simple fact that if password hashes have been accessed, users are at real and measurable risk of account takeovers. This data has been making its way around the darkweb for five years now.
If we professional password crackers could get this dump to 98 percent in six days, then surely those who have had years to work on it have achieved similar success. Who knows what such crackers have used the data for.
If you had a LinkedIn account in 2012 and have since been the victim of a hacking attempt or identity theft, this very well could be the reason why. So what actions do you, the user, need to take now? For starters, go change your passwords for LinkedIn and any other services where you may have used the same or similar password.

For as many bad passwords as there were in the LinkedIn dump, there were certainly a lot of really fantastic ones, too.

Given the fact that it may take service providers years to identify and acknowledge that your account has been compromised—as criminals could be doing literally anything with your credentials in the meantime—it is important to recognize that having a unique password per account is far more important than length, complexity, randomness, or anything else you've been told that you need.

By using a unique password for each of your accounts, you are limiting the scope of a breach to just that one account. The average person has at least 26 online accounts; IT professionals usually have hundreds.
It is absolutely crucial that you employ a good password manager, and let your password manager generate a new random password for each of your accounts.

And when you do catch wind of a site or service being compromised, always change your password immediately—even if you do not receive an e-mail from the service instructing you to do so. Finally, ensure you have multi-factor authentication or two-step verification enabled for your most critical accounts. While I personally have yet to be impressed by any vendor's MFA/2SV deployment, it does generally add an extra hurdle for hackers to jump through.
It can certainly be effective. By following this advice, you personally can stay one step ahead of hackers... even if your service providers can't.
CBS: Less than two weeks after more than 177 million LinkedIn user passwords surfaced, security researchers have discovered three more breaches involving MySpace, Tumblr, and dating website Fling that all told bring the total number of compromised accoun...
As Microsoft pats itself on the back for its crackdown on easily cracked passwords, keep this in mind: a quick check shows users still have plenty of leeway to make poor choices. Like "Pa$$w0rd" (excluding the quotation marks). As a Microsoft program manager announced earlier this week, the Microsoft Account Service used to log in to properties such as Xbox Live and OneDrive has been dynamically banning commonly used passwords during the account-creation or password-change processes.

Try choosing "12345678," "password," or "letmein"—as millions of people regularly do—and you'll get a prompt telling you to try again. Microsoft is in the process of adding this feature to the Azure Active Directory so enterprise customers using the service can easily stop employees from taking security shortcuts, as well. But a quick check finds it's not hard to get around the ban.

To wit: "Pa$$w0rd1" worked just fine.

And in fairness to Microsoft, Google permitted the same hopelessly weak choice.

Saving users from themselves

This shouldn't be taken as a criticism of Microsoft or Google.

Blacklisting weak passwords at the platform level is probably one of the most effective measures service providers can take to improve passcode strength.

But the measure is most likely intended to thwart only so-called online password cracking.

That's when attackers try to guess a password when logging in to a specific account on a specific service.

Guccifer, the nom-de-hack for a Romanian man now under US indictment, used online cracking to gain unauthorized access to e-mail accounts belonging to family members of two former US presidents, a former US cabinet member, a former member of the US joint chiefs of staff, and a former presidential advisor. His intrusions didn't require technical skill, just patience and luck. Blacklisting is likely to statistically lower the success of online cracking, and it's certainly better than requiring password changes every three months, as a shockingly large number of organizations continue to do.
Still, the acceptance of "Pa$$w0rd" by Google and Microsoft just goes to show that blacklisting has its limits, and there's only so much service providers can do to save users from their own poor habits. In the event of a server breach that allows an attacker to perform an off-line attack—as was the case with last week's list of more than 164 million login credentials belonging to LinkedIn users (the number has been increased from the previous estimate of 117 million)—"Pa$$w0rd" would be among the first to be cracked. With literally hundreds of millions of equally weak passwords in the public domain, banning all of them would prove to be too onerous.

A move like that would quickly come to resemble the vexing CAPTCHAs that all too often are impossible to solve on the first few tries. Of course, there's a more effective measure: any account that stores even moderately sensitive information should be protected by a password that's randomly generated, contains numbers, symbols, and upper- and lower-case letters, is at least nine characters in length, and is unique for each account.

This is the most effective protection, but the work it requires on the part of end users isn't likely to make it widely adopted.

The policies of Microsoft and Google seem to tacitly concede this. So let's give credit where it's due.

Banning hopelessly weak passwords is a great move that's long overdue.

But it is by no means a panacea.

Contrary to much of the coverage over the past few days, users still have plenty of room to pick stupid passwords.
Azure Active Directory no longer allows the likes of 'M!cr0$0ft' to gain entry

With LinkedIn providing yet more fodder for attackers' rainbow tables and login bots, Microsoft has decided to start blocking too-common passwords. As a result, Azure Active Directory's 10 million or so users will no longer be able to select a password that has appeared too many times on breach lists or that commonly appears in attackers' login attempts. The new rule is already live in Microsoft Account Service and in private preview in Azure Active Directory, Redmond says in this Technet post. “What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work”, Alex Weinert writes. The Microsoft post reiterates that the old beliefs about passwords are already obsolete: password length requirements, password “complexity” requirements, and periodic password expiration all need to be jettisoned because they make passwords less secure. That's in line with what the UK's GCHQ said earlier this month, and for pretty much the same reasons. Microsoft's ID protection team member Robyn Hicock explains in Redmond's password guidance that “people react in predictable ways when confronted with similar sets of restraints”, which exacerbates users' irritating tendency to pick bad passwords and to re-use them.
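The gap both pieces describe, an exact-match blacklist that rejects `password` but waves through `Pa$$w0rd1` or `M!cr0$0ft`, closes if the check normalizes a candidate before comparing it against the list. The following is an added example, not Microsoft's or Google's code and not a description of their actual matching algorithm; the banned list, the leetspeak table and the strip-and-unfold heuristic are assumptions chosen to illustrate the "anywhere near the attack list" idea with a list that stays small.

```python
"""Banned-password check that catches trivial variants, not only exact matches."""
import re

# Constructed banned list. Real deployments hold millions of entries drawn
# from breach corpora and observed login attempts.
BANNED = {"password", "letmein", "12345678", "qwerty", "microsoft",
          "linkedin", "welcome", "iloveyou", "princess"}

# Common leetspeak substitutions, unfolded before comparison. Assumed
# heuristic: ambiguous cases such as '1' as 'i' vs 'l' are not all covered.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "+": "t"})


def _strip_ends(s: str) -> str:
    """Drop leading/trailing digits and symbols: 'password2016!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def _deleet(s: str) -> str:
    return s.translate(LEET)


def normal_forms(pw: str) -> set:
    """Every plausible intended word behind a password, lowercased.

    Both orders of strip/de-leet are tried so that 'password1' (a trailing
    digit, not leet) and '$ecret' (a leading leet symbol) both resolve.
    """
    s = pw.lower()
    forms = {s, _strip_ends(s), _deleet(s),
             _deleet(_strip_ends(s)), _strip_ends(_deleet(s))}
    return {f for f in forms if f}


def naive_banned(pw: str) -> bool:
    """Exact match only: the kind of check that lets 'Pa$$w0rd1' through."""
    return pw.lower() in BANNED


def fuzzy_banned(pw: str) -> set:
    """Banned entries this password is a trivial variant of (empty = allowed)."""
    return normal_forms(pw) & BANNED


def check_password(pw: str, min_len: int = 8) -> str:
    """Verdict a signup form could show; min_len is an assumed policy value."""
    if len(pw) < min_len:
        return f"rejected: shorter than {min_len} characters"
    hits = fuzzy_banned(pw)
    if hits:
        return "rejected: variant of banned password " + ", ".join(sorted(hits))
    return "accepted"


if __name__ == "__main__":
    for pw in ["Pa$$w0rd", "Pa$$w0rd1", "M!cr0$0ft", "letmein",
               "Tr0ub4dor&3", "xK9#vq2Lm!pw"]:
        naive = "ban" if naive_banned(pw) else "ok"
        print(f"{pw:14} naive={naive:4} fuzzy={check_password(pw)}")
```

Normalization is what keeps the list manageable: the worry that "banning all of them would prove to be too onerous" applies to enumerating variants, not to canonicalizing them. The heuristic is deliberately conservative. It never rejects a random twelve-character string such as the last sample, and it still cannot stop a user from choosing a weak word that simply is not on the list, which is the limit both articles point at.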
Apple has recently come under fire over the security of its customers' data, but the company has done a “nice job” using best practices to secure iTunes backups, according to a security researcher. However, the effectiveness of the controls Apple has put in place to keep passwords secure ultimately depends on the password users choose, said James Lyne, global head of research at Sophos. In the wake of criticism of Apple’s failure to promote and ease the use of two-factor authentication, he set up a project to test the resilience of password protection for iTunes backups. For the test, Lyne asked eight iTunes users to volunteer their accounts as targets for the password cracking attempt using Elcomsoft’s Phone Password Breaker software. The software is commercially available and is ostensibly aimed at helping Apple and BlackBerry users who have forgotten the passwords to their backups. “Elcomsoft Phone Password Breaker can retrieve information from Apple iCloud and Windows Live services, provided that original user credentials for that account are known,” the firm claims on its website. The forensic edition retails at £247, while the professional edition costs £124 and the home edition is £50. Lyne used the forensic edition, but said the professional version also works well with multiple instances. The software recently came under the spotlight as the suspected attack tool used by the hackers who stole private photographs celebrities had taken on iPhones.

Hacking into iTunes backup files

The target of the attack was the iTunes backup manifest files for the eight volunteer accounts that were created on iPhone 6 devices using iOS 8. Lyne then carried out the attack using the password-breaking software running on 500 virtual machines in Amazon’s commercial cloud computing service.
The password-breaking software was assisted by a comprehensive word list, including passwords from data breaches compiled by CrackStation, which describes itself as a security awareness project. Despite all Apple’s best practice security efforts, which include Advanced Encryption Standard (AES) 256-bit encryption, seven of the eight passwords were cracked within two hours. In contrast, at the time of writing, the eighth was expected to take about 11 days to crack. “This shows the importance of password choices, even when state-of-the-art security is used,” said Lyne. The experiment showed that the greater the number of characters in a password, the longer it will take for attackers to crack using automated tools. “The passwords with four characters were cracked within minutes, those with six characters took hours, and those with eight characters took less than two days. The one that is expected to take 11 days is 14 characters long,” said Lyne. “Apple is consistently good at security throughout, but in this instance it is pretty decent and really shows the impact a user’s decisions can have on security. “Longer passwords and passphrases are much more secure, which makes it puzzling that web services providers still rarely require more than eight characters for passwords,” he said.

Two-factor authentication for stronger security

But the research also showed that encryption does not provide much security if it is not backed up by strong authentication. “Two-factor authentication [2FA] helps block attacks using password cracking because even if a password is known that is not enough for attackers to access accounts,” said Lyne. “In 2FA, an additional layer of security is provided by the second factor in the form of a one-time passcode or smartcard token,” he said.
Although the technology industry is yet to agree on an alternative to passwords, Lyne claimed the use of alternative authentication methods will soon be widespread. Already organisations that deal with sensitive information are using national security cards for accessing information, and these cards can also be used by individual trusts to provide local 2FA. “We have enough technology to move beyond password-based authentication, it is now a matter of time before these alternatives become widely available,” said Lyne.

EU data protection could force the issue of security

He believes the proposed new EU data protection legislation will also help drive better practice around online identity by raising user awareness and getting executives to focus on the issue. If implemented in its current form, the EU data protection laws will be the strictest in the world and could be backed up by fines of up to 5% of turnover or €100m. The current proposals also seek to force compliance by any company handling the personal data of EU citizens, even if those companies and data processing are outside the EU. This means big US technology firms such as Apple, Google and Microsoft will have to comply with the new rules where they are handling personal data of EU citizens. “This means that if the suspected iCloud leak of private celebrity photos had happened two years in the future, Apple would have been called to account by European authorities,” said Lyne. “Although Apple claims that none of its security measures were breached and that the iCloud backups were accessed using stolen credentials, they have not provided any more details,” he said. Lyne believes that under the forthcoming EU data protection rules, EU authorities would have required Apple to conduct a thorough investigation and explain exactly how the private iPhone photos were leaked.
“At the very least, it will be much more difficult for US-based companies to dodge questions about what they are doing to keep personal data safe,” he said.