Shrewsbury based IT firm talks computer safety
7th March 2013
Ian Simons Director of BlooCow Ltd, a specialist information security consultancy based in Shrewsbury, talks us through the first line of defence in computer security.
Passwords are still the 'first line of defence' into company networks and
user accounts. A password is a secret string of characters that only the user
knows, so that the user can be authenticated and granted the requisite level
of access to system resources.
However, they are getting easier to crack than ever before. The rapid march
of graphics card technology and power in particular is enabling password
cracking software to try billions of password combinations per second. What
used to perhaps take years may now only take months, days or even minutes.
(Example: a PC with a single Radeon HD 7970 graphics card, around £300 at
today's prices, can try an average of 8.2 billion passwords per second.) PCs
equipped with two or more similar graphics cards can achieve 2, 3 or more
times the speed.
More importantly still, the variety and number of online password leaks from
various high-profile targets in the last few years has enabled password
crackers to create and tune their methods based on how users in different
walks of life create passwords for different sites.
How are passwords stored?
Passwords are almost never stored in plain text on systems, but stored in a
'hash' format by use of a 'cryptographic hashing function'. A hashing
function is a one-way process by which the password you enter is run through
a mathematical equation, or algorithm, to produce a string of characters.
A hashing function was originally designed to be computationally easy
to run, but computationally expensive to reverse. There are many different
names given to hash functions, one of the oldest being MD5; this will
produce the hash '5f4dcc3b5aa765d61d8327deb882cf99' from 'password'.
How are passwords 'cracked'?
The hashing function is time consuming to attempt to reverse; password
cracking then becomes a process of running a plaintext password through the
same hashing function as a target system and comparing the result with a
hash found on the system. If the hashes match, then the password has been
identified. There are two main approaches - 'Brute forcing' and using lists.
Brute forcing entails trying every combination of letters, numbers and
special characters to attempt a hash match; lists contain a large number of
words (dictionary words, cartoon characters, pet names etc). Either method
can be easily automated, and the graphics cards provide the raw power to
make this as fast as possible.
What is the significance of the online password leaks?
As more and more passwords from various companies and social networks have
become available online (usually via pastebin or similar services),
attackers have gained valuable insight into the way users create passwords -
attackers now know that nearly all capital letters come at the beginning of
a password, almost all numbers and punctuation show up at the end and there
is also a strong tendency to use first names followed by years. By becoming
more familiar with how users choose and create passwords, an attacker can
increase the likelihood of cracking a password by putting more likely
passwords near the top of the list used to automate the cracking process.
For example, 'Password1' is still one of the most common passwords used,
followed by 'password' and 'Welcome1'. [From Trustwave Global Security
Report 2013].
How quickly can passwords be cracked?
Taking this all into account, in June 2012 6.5 million password hashes from
the LinkedIn site were leaked online. Within 6 days, more than 90% of the
passwords had been cracked.
Example: Using brute force techniques to crack the password 'Julia1974',
trying every letter and number in combination and assuming a 9 character
password length, gives a total of 62 to the power of 9 combinations. This
would take a PC with a Radeon 7970 up to 19 days. Using the intelligence
gleaned from online password leaks, this time can be reduced to 90 seconds.
The examples above assume that a 'standard' hashing function is used.
Because of advances in password cracking, specially designed password
hashing functions have been developed that make it more time consuming to
hash a plain text password. For example, using the algorithm called
'bcrypt' reduces the rate of password guesses from 8 billion per second to
1,750 guesses per second. While this imposes a greater burden on the site,
in direct contrast to the general philosophy of hashing functions, it is now
viewed as essential to provide increased security.
How can I protect myself?
Most importantly, a user must choose a password that is unique to each site
or resource that they access. As you have no way of knowing if the site
stores the passwords correctly, if the password is re-used on multiple sites
and one of those sites is compromised, then that user's accounts on multiple
sites will also be compromised.
Secondly, the password must not conform to the rules and strategies already
known - the password should be randomly generated by a computer and it would
help to have at least 9 characters to make brute force attacks infeasible.
Given that people are not good at remembering long strings of random letters
and numbers, it is recommended that a 'password vault' program be used that
can generate strong passwords and store them in an encrypted file that is
accessed by a single long master password.
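The two pieces of advice above, random generation and avoiding the patterns attackers already know, as an added example that is not part of the original article. It generates a password with the `secrets` module (the cryptographic random source a vault program would use), reports its entropy against the 9-character threshold the article recommends, and flags passwords that follow the shape the article describes (capital at the front, digits and punctuation at the end, such as 'Julia1974'). The minimum length, the alphabet and the pattern regex are assumptions made here, not rules from the article.

```python
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols (assumption)
MIN_LENGTH = 9  # the article's suggested minimum for making brute force infeasible

# Capital first, lowercase run, digits at the end, optional trailing punctuation:
# the human-chosen shape the article says attackers now try first. (assumed regex)
COMMON_SHAPE = re.compile(r"^[A-Z][a-z]+[0-9]+[^A-Za-z0-9]*$")


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Random password from `alphabet` using the OS CSPRNG, never `random`."""
    if length < MIN_LENGTH:
        raise ValueError(f"password length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def looks_human_chosen(password: str) -> bool:
    """True if the password follows the leak-derived pattern attackers test first."""
    return bool(COMMON_SHAPE.match(password))


def assess(password: str, alphabet_size: int = len(ALPHABET)) -> dict:
    """Summarise length, entropy and pattern findings for a candidate password."""
    return {
        "length_ok": len(password) >= MIN_LENGTH,
        "entropy_bits": entropy_bits(len(password), alphabet_size),
        "follows_common_shape": looks_human_chosen(password),
    }


if __name__ == "__main__":
    for pw in ("Julia1974", "Password1", "Welcome1", generate_password(16)):
        print(f"{pw!r:24} {assess(pw)}")
```

A 9-character password drawn uniformly from the 62-symbol alphabet gives about 53.6 bits; a 16-character one from the 94-symbol alphabet gives about 105 bits, which is far beyond what the guess rates in the article can reach. The pattern check is a policy aid for a site or a vault, not a measure of strength on its own: a random password can very occasionally match the shape by chance, and a password that avoids the shape can still be a dictionary word in disguise.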