Kaspersky blog posted about current research of password strength. Its always interesting to see the latest cracking standards and timelines. Here is the first part of that post …
Although World Password Day, held annually on the first Thursday in May, has passed, our — and we hope your — fascination with password security continues. Instead of analyzing artificial “test-tube” passwords created for lab studies, we stayed in the real world — examining actual passwords leaked on the dark web. The results were alarming: 59% of these passwords could be cracked in less than an hour — and all it takes is a modern graphics card and a bit of know-how.
Today’s post explains how hackers crack passwords and how to counter it (spoiler alert: use reliable protection and automatically check your passwords for leaks).
The usual way to crack passwords
First, let’s clarify what we mean by “cracking a password”. We’re talking about cracking the password’s hash — a unique sequence of characters representing the password. Companies typically store user passwords in one of three ways:
- This is the simplest and clearest way: if a user’s password is, say, qwerty12345, then it’s stored on the company server as qwerty12345. If a data breach occurs, the hacker needs only enter the password with the corresponding username to log in. That is, of course, if there’s no two-factor authentication (2FA), but even then, cybercriminals can sometimes intercept one-time passwords.
- This method utilizes hashing algorithms like MD5 and SHA-1 to transform each password into a unique hash value in the form of a fixed-length string of characters, which is stored on the server. When the user enters their password, the system converts the input sequence of characters into a hash, and compares it to the one stored on the server. If they match, the password is correct. Here’s an example: if your password is that same qwerty12345, then “translated” into SHA-1, it looks like this: 4e17a448e043206801b95de317e07c839770c8b8. Hackers obtaining this hash would need to decrypt it back to qwerty12345 (this is the “password cracking” part), for example, by using rainbow tables. A cracked password can then be used to access not only the compromised service but potentially other accounts where the password was reused.
- Hashed with salt. Nothing to do with a tasty dish from a takeaway, this method adds a random sequence of data, known as a salt, to each password before hashing. A salt can be static or generated dynamically. A password+salt sequence is fed into the algorithm, which results in a different hash. Thus, pre-computed rainbow tables become useless to hackers. Using this method of storing passwords makes them much more difficult to crack.
For our study, we formed a database of 193 million leaked passwords in plaintext. Where did we get them all from? You have to know where to look. We found them on the dark web, where such “treasures” are often freely available. We used this database to check user passwords for possible leaks — but rest assured we don’t store or even see any passwords. You can read more about the internal structure of the password vault in our Kaspersky Password Manager and how, without knowing your passwords, we match them against leaked ones.
See the full post HERE.