Skip navigation

Password Insecurity at the Speed of 350 Billion Guesses-Per-Second

If your password is stolen during a data breach, you're probably in bigger trouble than you think

Data breaches and stolen passwords can quickly turn into a security nightmare for you and your users. When LinkedIn was breached, 60% of their SHA-1 password hashes were successfully cracked in just a few days. Sadly, while most users assume that larger entities have world-class security in place, the truth is a bit murkier.

In the early days of password cracking only a smattering of command-line tools were available, and the attackers who used them had to possess some knowledge of password security methods. But today, tools are better, processing power has increased, storage is cheaper, and attackers gain access to breached data more quickly. The days of time-intensive and cost-prohibitive password cracking are over for the majority of password-protection schemes in use by millions of companies.

For those with a little bit of cash and some patience, amazing services such as CloudCracker exist to efficiently provide the answer an attacker is looking for — "What is their password?". A password isn't useless, of course, but the idea that a password can be the only security control used to prevent access to sensitive data, personal accounts, organization VPNs, and otherwise is a dangerous proposition.

Beyond services, the DIY password cracker is provided with tutorials for nearly every plausible scenario including Graphics Processing Unit (GPU) and Field Programmable Gate Arrays (FPGA). When a single machine can make 350 billion guesses per second to crack your password, trusting in a password hash that's been stolen is like hoping a newspaper will keep you dry when someone points a fire hose in your direction.

Not all hope is lost for passwords, though

There are technologies such as scrypt which provide password protection far superior to traditional methods. They increase the computing power needed for a system to compute values, so a brute-force attack becomes computationally infeasible in most cases. General cryptographic hashing algorithms by themselves, such as SHA-1 (which was in use by LinkedIn), are meant to be extremely fast. Fast cryptography is the enemy of quality password storage algorithms. However, all of the quality technology in the world can't stop developers from utilizing insecure methods to protect your data without your knowledge.

When a company handles your passwords you will likely never know how that data is being protected. Duo’s two-factor authentication is an exception. With Duo Push you can actually see the security control that prevents an attacker from logging in — even if they have your password. The simple step of clicking 'Approve' on your phone will change how an attacker views your security. A password is a minor bump in the road for attackers. An out-of-band second factor is more like Mount Everest.

Information security is about having control of your information and trusting that those you've provided it to can actually keep it safe. Relying on password security alone isn't a sustainable path. The more quickly businesses and organizations come to grips with that fact, the less chance you’ll wake up tomorrow and have to scramble to reset your passwords and fret about your data because of another major breach.

Do you crack passwords for fun? Ever use CloudCracker for business or pleasure? We'd love to hear about your experiences in the comments!

Mark Stanislav

Security Evangelist

@markstanislav

Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken internationally at over 75 events including including RSA, DEF CON, ShmooCon, SOURCE Boston, and THOTCON. He earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University.