
Think you have a strong password

Hackers crack 16-character passwords in less than an HOUR:

A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449 - as part of a hacking experiment for a technology website.

The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster.

The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'.

The hackers, working for the website Ars Technica, have now published how they cracked the codes and the traditional methods used to create an anatomy of a hack.

Rather than repeatedly entering passwords into a website, the hackers used a list of hashed passwords they managed to get online.

Hashing takes each user's plain text password and runs it through a one-way mathematical function.

This creates a unique string of numbers and letters called the hash.

Hashing makes it difficult for an attacker to work back from the hash to the password, and it lets sites keep a list of hashes rather than storing the passwords themselves in plain text.

This means that if a list is stolen, the plain-text passwords can't be obtained easily.

However, this experiment shows that this doesn't mean it's impossible.

When a user types a password into an online form or service, the system hashes the entered word and checks it against the user's stored, pre-hashed password.

When the two hashes match, the user is allowed entry to their account.

Changing even a single character, such as switching a letter between lower and upper case or adding a number, produces a different hash.

The example Ars Technica uses: hashing the password 'arstechnica' produces the hash c915e95033e8c69ada58eb784a98b2ed.

Adding capital letters to make 'ArsTechnica' produces 1d9a3f8172b01328de5acba20563408e after hashing.
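The store-and-compare flow described above, as an added example that is not from the article or from Ars Technica: it puts the fast unsalted hash the leaked list is assumed to have used (MD5, per the comment thread below) beside a salted, deliberately slow alternative, and shows the login check that hashes the typed password and compares it with the stored record. The iteration count and the sample password records are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Fast, unsalted hash of the kind the leaked list is assumed to have used
# (the comment thread on this page says MD5; this example assumes that).
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Salted, deliberately slow storage: PBKDF2-HMAC-SHA256 with a random
# per-user salt. The iteration count is kept modest so the demo runs quickly;
# production deployments should use a much higher count.
ITERATIONS = 100_000

def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); both are stored, the password never is."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """The login check the article describes: hash what was typed, compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_key)  # constant-time compare

def demo() -> dict:
    # Constructed sample: two accounts that happen to share a password.
    shared = "qeadzcwrsfxv1331"
    salt_a, key_a = store_password(shared)
    salt_b, key_b = store_password(shared)
    return {
        # Changing only the case gives an unrelated digest ('arstechnica' vs
        # 'ArsTechnica' in the article).
        "md5_differs_by_case": md5_hex("arstechnica") != md5_hex("ArsTechnica"),
        # Unsalted: identical passwords hash identically, so cracking one hash
        # exposes every account that chose that password.
        "md5_same_for_same_password": md5_hex(shared) == md5_hex(shared),
        # Salted: the same password yields two different stored records.
        "salted_records_differ": key_a != key_b,
        "login_ok": verify_password(shared, salt_a, key_a),
        "login_wrong_case": verify_password(shared.upper(), salt_a, key_a),
    }
```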

Jeremi Gosney, the founder and CEO of Stricture Consulting Group, managed to crack the first 10,233 hashes, or 62 percent of the leaked list, in 16 minutes.

He used a so-called 'brute-force crack' for all passwords that were one to six characters long.

A brute-force attack is when a computer tries every possible combination of six letters and characters, starting with 'a' and ending with '//////'.

It took Gosney just two minutes and 32 seconds to complete the first round, which found 1,316 plain-text passwords.

Gosney then used brute force to crack all passwords seven or eight characters long that contained only lower-case letters. This yielded 1,618 passwords.

He repeated this for seven and eight-letter passwords using only upper-case letters to reveal another 708 passwords.

Using passwords that contained only numbers, from one to 12 digits long, Gosney managed to brute-force 312 passwords in three minutes and 21 seconds.

Gosney has spent years perfecting word lists, containing, for example, all the six-letter words, to make cracking the weaker passwords faster.

One hurdle Gosney had to jump during stage one of the hack was 'salted hashes', a technique where sites add random characters to passwords to make them harder to crack.

This can include adding random numbers, characters or letters to the start or end of a password during the hashing process, so an attacker can't simply hash a six-letter word, for example, and match it against the stored hash.

However, Gosney explained that once one weak, cryptographically salted hash is cracked, it becomes easier to work out the rest.

Once Gosney had obtained the weaker passwords by brute force, even those that had been salted, he moved on to stage two.

Using a hybrid attack - which combines a dictionary attack with a brute-force attack - he added all possible two-character strings of both numbers and symbols to the end of each word in his dictionary.
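The stages above are a sequence of keyspaces searched in increasing order of cost. As an added illustration (not from the article or from Ars Technica), this Python computes the candidate count of each stage and how long exhausting it would take against a fast unsalted hash versus a deliberately slow password hash; the 95-character printable set, the one-million-word dictionary, the 33-symbol suffix alphabet and both hash rates are assumptions, not figures from the article.

```python
# Keyspace sizes for each brute-force stage the article describes, and the
# wall-clock cost at assumed hash rates. All rates and alphabet sizes below
# are assumptions for illustration, not figures from the article.
PRINTABLE = 95          # a-z, A-Z, 0-9 and 33 keyboard symbols (assumed set)
LOWER = 26
UPPER = 26
DIGITS = 10
SUFFIX_ALPHABET = 10 + 33  # digits plus symbols for the two-character hybrid suffix

def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate strings with lengths min_len..max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def hybrid_candidates(dictionary_size: int, suffix_len: int = 2) -> int:
    """Dictionary attack with every suffix_len-character digit/symbol string appended."""
    return dictionary_size * SUFFIX_ALPHABET ** suffix_len

def stage_plan() -> dict:
    # The stages in the order the article gives them; the hybrid stage assumes
    # a constructed dictionary of one million words.
    return {
        "1-6 chars, any printable": keyspace(PRINTABLE, 1, 6),
        "7-8 chars, lowercase only": keyspace(LOWER, 7, 8),
        "7-8 chars, uppercase only": keyspace(UPPER, 7, 8),
        "1-12 digits": keyspace(DIGITS, 1, 12),
        "hybrid: 1M words + 2-char suffix": hybrid_candidates(1_000_000),
    }

def seconds_to_exhaust(candidates: int, hashes_per_second: float) -> float:
    return candidates / hashes_per_second

def compare_hash_speeds(candidates: int) -> dict:
    # Assumed rates: a fast unsalted hash on a GPU rig (1e10 guesses/s) versus
    # a slow, salted password hash tuned to 1e4 guesses/s. The same keyspace
    # that falls in hours against the former takes years against the latter,
    # which is the defender's lever: choice of hash, not user heroics alone.
    return {
        "fast_unsalted_hash_hours": seconds_to_exhaust(candidates, 1e10) / 3600,
        "slow_password_hash_years": seconds_to_exhaust(candidates, 1e4) / (3600 * 24 * 365),
    }

if __name__ == "__main__":
    for stage, count in stage_plan().items():
        print(f"{stage}: {count:,} candidates -> {compare_hash_speeds(count)}")
```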

Lots more to read: Passwords (http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html)

Submitted By: rex_mundi (https://www.hellboundhackers.org/user/rex_mundi.html)

Comments

Mordak 11 years ago

This is such a misleading article!!!!! It was MD5 and it didn't have a salt!!

rex_mundi 11 years ago

"One hurdle Gosney had to jump during stage one of the hack was salted hashes"

rex_mundi 11 years ago

It's an awesome article.

korg 11 years ago

Play nice now.