Some time ago I wrote about slowing down hash computation. A bit of further explanation seems to be in order.
As we updated Learning Tree Course 468, System and Network Security Introduction, recently, we looked at cracking Windows 7 password hashes. The idea is to extract the hashes and run a program that processes them and discovers the passwords. The process is that one first takes a word from a word list (often of several million “words”), hashes it and compares the result to the hash value we’re trying to “crack”. The words could be simple (‘cat’) or complex (‘bbroygbvgw’) or even number sequences (e.g. ‘12345678’ – a common password). If no word hashes to the value being processed, the software tries ‘brute force’.
Brute force cracking can work in different ways: the most common is to try ‘a’, then ‘b’ and so forth, then ‘aa’ and ‘ab’ and so on until one gets to the end of the alphabet. If the password is expected to be short, the cracking tool may try only lengths up to 8 characters or so. Windows 7 allows 127-character passwords, though.
Let’s look at some math. I recently ran a cracking tool on my i7 PC. It does about 50 million tries per second. That sounds like a lot, but let’s look at 12-character passwords. If we limit ourselves to a-z, A-Z and 0-9, that’s 62 possible symbols. If we consider just passwords exactly 12 characters long, we get the following.
62 possible symbols (a-zA-Z0-9),
62^12 possible passwords, or 3226266762397899821056, which is a lot. (The number of all possible 1 – 8 character passwords is only 221919451578090, or .000007% of that!)
Trying 50 million per second means about 64525335247958 seconds. That’s 17923704235 days or 49106039 years. Yep, 49 million years. Adding symbols like ‘@’ would make it take even longer. And if you consider passwords shorter or longer than 12 characters… Well, you get the idea.
So how do bad guys crack passwords so quickly then? First they have dictionaries – big ones. Then they rely on some characteristics common to the passwords of the overwhelming majority of users:
They also have great hardware:
Some of the high-end hardware can generate in the neighborhood of 350 billion guesses per second – 7000 times more than the 50 million I could manage. By exploiting those limited character sets and structures and by using fast hardware, experts clearly can crack passwords quickly.
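As an added worked example (not code from the original post), here is the keyspace arithmetic from above in Python, using the 62-symbol alphabet and the two guess rates quoted in this post; the `slowdown` parameter is an assumption added here to show what a deliberately expensive hash buys the defender.

```python
import string

# Character set from the post: a-z, A-Z, 0-9 (62 symbols).
ALNUM = string.ascii_letters + string.digits
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates quoted in the post (guesses per second).
RATE_I7 = 50_000_000              # the author's i7 PC
RATE_HIGH_END = 350_000_000_000   # high-end cracking hardware


def keyspace(symbols: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over `symbols` symbols."""
    return symbols ** length


def keyspace_up_to(symbols: int, max_length: int) -> int:
    """Number of passwords of length 1..max_length (the post's '1 - 8 character' figure)."""
    return sum(symbols ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(space: int, rate: float, slowdown: float = 1.0) -> float:
    """Worst-case time to try every password in `space` at `rate` guesses/second.

    `slowdown` is an assumed factor modelling a deliberately slow hash:
    a hash that costs 10,000x more work cuts the attacker's guess rate
    by 10,000x. It is not a figure from the post.
    """
    return space / (rate / slowdown)


def years_to_exhaust(space: int, rate: float, slowdown: float = 1.0) -> float:
    """Same as seconds_to_exhaust, expressed in (Julian) years."""
    return seconds_to_exhaust(space, rate, slowdown) / SECONDS_PER_YEAR


if __name__ == "__main__":
    space12 = keyspace(len(ALNUM), 12)
    short = keyspace_up_to(len(ALNUM), 8)
    print(f"62^12     = {space12}")
    print(f"1-8 chars = {short} ({short / space12:.6%} of 62^12)")
    for name, rate in (("i7 PC", RATE_I7), ("high-end rig", RATE_HIGH_END)):
        print(f"{name}: {years_to_exhaust(space12, rate):,.0f} years for all 12-char passwords")
    # A hash made 10,000x slower pushes the high-end rig back by the same factor.
    print(f"high-end rig, 10,000x slower hash: "
          f"{years_to_exhaust(space12, RATE_HIGH_END, 10_000):,.0f} years")
```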
In the earlier post mentioned above I talked about slowing down the hashing process – this is why.