Password Insecurity at the Speed of 350 Billion Guesses-Per-Second

If your password is stolen during a data breach, you're probably in bigger trouble than you think

Data breaches and stolen passwords can quickly turn into a security nightmare for you and your users. When LinkedIn was breached, roughly 60% of its password hashes, stored as unsalted SHA-1, were cracked within days. Sadly, while most users assume that larger entities have world-class security in place, the truth is a bit murkier.

In the early days of password cracking only a smattering of command-line tools were available, and the attackers who used them had to possess some knowledge of password security methods. But today, tools are better, processing power has increased, storage is cheaper, and attackers gain access to breached data more quickly. The days of time-intensive and cost-prohibitive password cracking are over for the majority of password-protection schemes in use by millions of companies.

For those with a little bit of cash and some patience, amazing services such as CloudCracker exist to efficiently provide the answer an attacker is looking for — "What is their password?". A password isn't useless, of course, but the idea that a password can be the only security control used to prevent access to sensitive data, personal accounts, organization VPNs, and otherwise is a dangerous proposition.

Beyond services, the DIY password cracker is provided with tutorials for nearly every plausible scenario, including rigs built on Graphics Processing Units (GPUs) and Field Programmable Gate Arrays (FPGAs). When a single machine can make 350 billion guesses per second against a fast, unsalted hash, trusting in a password hash that's been stolen is like hoping a newspaper will keep you dry when someone points a fire hose in your direction.

Not all hope is lost for passwords, though

There are technologies such as scrypt (and, in the same family, bcrypt and PBKDF2) which provide password protection far superior to traditional methods. They are deliberately expensive to compute, with a tunable cost parameter, and scrypt in particular is also memory-hard, so every guess costs the attacker real time and RAM rather than a few nanoseconds on a GPU; a brute-force attack against a well-chosen password then becomes computationally infeasible in most cases. General cryptographic hashing algorithms by themselves, such as SHA-1 (which was in use by LinkedIn), are meant to be extremely fast. Fast cryptography is the enemy of quality password storage. However, all of the quality technology in the world can't stop developers from utilizing insecure methods to protect your data without your knowledge.
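To make the difference concrete, here is an added example (written for this post, not code from Duo or from any product it describes) that stores one password both ways: as a bare SHA-1 digest, the way LinkedIn did, and with scrypt plus a random per-user salt. It runs a small dictionary attack against the SHA-1 record, shows that two users with the same password get identical SHA-1 hashes but distinct scrypt records, and measures how many guesses per second each scheme allows on the machine it runs on. The wordlist and the scrypt cost parameters are constructed for illustration; real deployments should pick N, r and p for their own hardware.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed sample wordlist standing in for a breach-derived dictionary.
WORDLIST = ["password", "123456", "linkedin", "letmein",
            "qwerty", "Summer2013", "correct horse"]


# --- The weak scheme: an unsalted, fast general-purpose hash -----------------

def sha1_store(password: str) -> str:
    """Store a password as bare SHA-1. No salt, no work factor."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_crack(stored_hex: str, wordlist) -> Optional[str]:
    """Dictionary attack: one SHA-1 per guess. Because there is no salt,
    one pass over the wordlist also serves every other user in the dump."""
    for guess in wordlist:
        if hashlib.sha1(guess.encode()).hexdigest() == stored_hex:
            return guess
    return None


# --- The stronger scheme: scrypt with a per-user random salt ------------------

# Illustrative cost parameters (assumption): N=2**14 uses ~16 MiB per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$N$r$p$salt$key (all hex)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def scrypt_verify(password: str, record: str) -> bool:
    """Re-derive the key with the parameters stored in the record and
    compare in constant time."""
    scheme, n, r, p, salt_hex, key_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported record format")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


# --- Guess rate: how many candidates per second does each scheme allow? -------

def _rate(fn, iterations: int) -> float:
    start = time.perf_counter()
    for _ in range(iterations):
        fn()
    return iterations / (time.perf_counter() - start)


def compare_guess_rates() -> Tuple[float, float]:
    """Return (sha1_guesses_per_sec, scrypt_guesses_per_sec) on this CPU."""
    salt = b"\x00" * 16
    sha1_rate = _rate(lambda: sha1_store("guess"), 20000)
    scrypt_rate = _rate(lambda: scrypt_store("guess", salt), 3)
    return sha1_rate, scrypt_rate


if __name__ == "__main__":
    stolen = sha1_store("linkedin")
    print("SHA-1 record:", stolen)
    print("cracked to:", sha1_crack(stolen, WORDLIST))
    rec = scrypt_store("linkedin")
    print("scrypt record:", rec)
    print("verify correct:", scrypt_verify("linkedin", rec),
          "verify wrong:", scrypt_verify("Linkedin", rec))
    fast, slow = compare_guess_rates()
    print(f"single-core guesses/sec: sha1 ~{fast:,.0f}, scrypt ~{slow:,.1f}")
```

The rate measured here is for one CPU core in Python; a GPU rig widens the gap for SHA-1 by orders of magnitude but gains far less against a memory-hard function, which is the whole point of using one.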

When a company handles your passwords you will likely never know how that data is being protected. Duo’s two-factor authentication is an exception. With Duo Push you can actually see the security control that prevents an attacker from logging in — even if they have your password. The simple step of clicking 'Approve' on your phone will change how an attacker views your security. A password is a minor bump in the road for attackers. An out-of-band second factor is more like Mount Everest.

Information security is about having control of your information and trusting that those you've provided it to can actually keep it safe. Relying on password security alone isn't a sustainable path. The more quickly businesses and organizations come to grips with that fact, the less chance you’ll wake up tomorrow and have to scramble to reset your passwords and fret about your data because of another major breach.

Do you crack passwords for fun? Ever use CloudCracker for business or pleasure? We'd love to hear about your experiences in the comments!

Mark Stanislav

Director of Security Engineering

Mark Stanislav is the Director of Security Engineering for Duo Security. Stanislav has spoken internationally at over 100 events, including RSA, DEF CON, SOURCE Boston, Codegate, SecTor and THOTCON. His security research and initiatives have been featured by news outlets such as the Wall Street Journal, the Associated Press, CNET, Good Morning America and Forbes. Stanislav is the Author of the book Two-Factor Authentication. Stanislav holds a BS in networking and IT administration and an MS in technology studies focused on information assurance, both from Eastern Michigan University. During his time at EMU, Stanislav built the curriculum for two courses focused on Linux administration and taught as an adjunct lecturer for two years. He holds CISSP, Security+, Linux+, and CCSK certifications.