Yes, I am still obsessed with authentication. This article didn’t dissuade me.
Earlier this week I was looking at password cracking tools to use in the hands-on exercise in Learning Tree’s introduction to security course. We currently use an older tool that cracks based on a limited wordlist (usually called a dictionary) and a tool for cracking using “rainbow tables” (which I will discuss next time). In light of CPU speed improvements, using GPUs (graphics processing units) for password cracking and other newer developments, I wanted to do something different. We will be, but you’ll have to take the class to find out what. Along the way I encountered a few interesting sites, stories and tools I wanted to share with you.
First, you’ve probably read about websites having their hashed passwords stolen. I wrote about LinkedIn last year. I knew some of those passwords had been cracked, but I didn’t know exactly how. It turns out it can be done fairly easily with a standard computer. There’s a company selling a password cracking dictionary of over 131 million words. That dictionary is designed to work with the popular cracking tool John the Ripper (JtR). It probably works with other tools, too, or can be made to do so.
The list is from a dictionary of English language words, as well as passwords discovered in leaks from popular websites. The database costs USD4.99. In a demonstration they took a list of half a million hashes and discovered the corresponding passwords for over 90% of them using JtR and this wordlist. They didn’t specify the time, but the success rate is impressive. (We’ve discussed good ways of protecting your password before including using KeePass to generate the passwords for you.)
The reason this is practical is that the sites are using MD5 as the hashing algorithm. MD5 is pretty fast compared to other algorithms. That’s good for logging into slow computers, but not good for keeping a password secure. With fast processors and with the affordable availability of graphics cards with multiple GPUs MD5 hashes can be computed very quickly and compared with a target hash one wants to “crack”.
Since MD5 is fast, what’s slower? One option is to do MD5 multiple times – from dozens to hundreds. Many websites are going to using actual encryption (e.g. blowfish) to create the hash. One tool that does that is bcrypt. Bcrypt allows the programmer to adjust how much time it takes to compute the hash, and likewise how much time would be required by someone to recreate the hash in order to “crack” a password. Another option is to use PKBDF2.
Another tool I found was a PC full of GPUs designed just for password cracking. I’ll talk about that next week.