Such systems can only operate against off-line password lists, but given the number of system breaches leading to massive password leaks throughout 2012, it should be enough to make websites reconsider how they store user passwords, and how users choose and use their passwords.
There are two primary methods used by attackers to recover the plaintext password from a hash: brute force and dictionary attacks. Brute force involves re-hashing every possible combination of characters and comparing the result to the stored hash until a match is found and the plaintext password discovered. Dictionary attacks involve pre-computed tables of the more likely passwords: names, places, words, et cetera. The target hash is checked against the dictionary to find the password. Dictionary attacks have proven very successful because users tend to use obvious passwords that they can easily remember.
Salting is used to defeat dictionary attacks. A random value is added to each plaintext password before it is hashed, making it almost impossible to include the result in a dictionary. As a result, passwords stored as salted hashes can effectively only be recovered by brute force. But what Jeremi Gosney, founder and CEO of Stricture Consulting Group, demonstrated last week is that improved software and more powerful hardware are making brute force increasingly feasible. While he used a cluster of 25 GPUs, it is worth noting that Jens Steube, the author of Hashcat, has added VCL support for up to 128 AMD GPUs in oclHashcat-plus v0.09.
In raw terms Gosney’s system processed 348 billion guesses per second against NTLM hashes, 180 billion g/s against MD5, 63 billion against SHA1, and 20 billion against LM. These are known as ‘fast’ hashes – the computation is done rapidly to benefit the user; but clearly it also benefits a brute force attacker. To make things more difficult for the attacker, cryptographers have developed ‘slow’ hashes. While the extra computing time is hardly noticeable to the user (and could be further disguised by a requirement to complete a CAPTCHA process), Gosney shows that it has a dramatic effect on brute forcing. His system processed 77 million guesses per second against md5crypt, 364,000 guesses against sha512crypt and a relatively tiny 71,000 against bcrypt.
The implication of Gosney’s findings is that websites should consider moving to or using a modern slow hash to defeat brute force attacks, with added salting to beat the dictionary attacks. Users, however, should seriously consider that 8-character passwords are no longer sufficient, and should rather use long passwords to help defeat brute forcing, and complex passwords to help defeat dictionary attacks. Furthermore, of course, users should not use the same password on multiple accounts: if it is recovered from a weakly defended website, there is no need for the attacker to expend the time and effort cracking it in a well-defended website.
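The storage advice above, as an added example that is not code from Gosney or from this article: a fresh random salt per password combined with a deliberately slow hash, shown beside the unsalted fast hash it replaces. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the slow hashes named above (bcrypt and sha512crypt are not in the standard library); the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"  # label used in the constructed record format


def fast_unsalted(password: str) -> str:
    """Weak scheme: one round of a fast hash with no salt.
    Equal passwords always produce equal digests, so a precomputed
    dictionary of likely passwords matches every user who chose one."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Slow salted hash. Record format (constructed): algo$iters$salt$digest."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, OverflowError):  # malformed or truncated record
        return False


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record is malformed or uses a lower cost than current policy."""
    parts = record.split("$")
    return not (len(parts) == 4 and parts[0] == ALGO
                and parts[1].isdigit() and int(parts[1]) >= iterations)


if __name__ == "__main__":
    pw = "Winter2012"  # constructed sample password shared by two users
    print(fast_unsalted(pw) == fast_unsalted(pw))   # identical digests
    alice, bob = hash_password(pw), hash_password(pw)
    print(alice != bob, verify_password(pw, alice), verify_password(pw, bob))
```

Calling `needs_rehash` after a successful login lets a site raise the work factor over time: re-hash the password the user just supplied and overwrite the old record.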