Passwords under assault.

Anakha56
Forum Administrator

Passwords under assault.

Post by Anakha56 »

http://arstechnica.com/security/2012/08 ... r-assault/
Why passwords have never been weaker—and crackers have never been stronger
Thanks to real-world data, the keys to your digital kingdom are under assault.

In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.

The warnings Brooks and millions of other people received that December weren't fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.

"The danger of weak password habits is becoming increasingly well-recognized," said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, "show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks."

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.

A new world

The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007. As the Gawker breach demonstrated, such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.

Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.

The advances don't stop there.

...
Follow the link for further reading. A very insightful article, and if you still re-use passwords, this article should serve as a warning to change every single password to something unique.

I personally use a password manager app and generate a huge string of passwords for individual websites. Some sites I can do that for, but those passwords themselves are still random and easy enough for me to remember.

How do you keep yourself protected?
JUSTICE, n A commodity which is a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.
StarBound
Registered Pervert

Re: Passwords under assault.

Post by StarBound »

I wish they would implement a delay timer of a second per password entry. No idea how passwords work, but I can't see any site accepting 8.2bil passwords and then allowing a user to be taken over in a single instant.

I lived the dream ...then my PC died.
Ron2K
Forum Technical Administrator

Re: Passwords under assault.

Post by Ron2K »

StarBound wrote: I wish they would implement a delay timer of a second per password entry. No idea how passwords work, but I can't see any site accepting 8.2bil passwords and then allowing a user to be taken over in a single instant.
Something not too different is implemented here. After a few consecutive incorrect password attempts, you are presented with a CAPTCHA; after a few more incorrect password attempts, the user account is temporarily locked out.

There are a few alternatives floating around the place (as an example, the IRC server that I run requires the operators on that server to gain their elevated privileges using an SSL client certificate rather than a password). That being said, I'm of the opinion that user education is the best solution.
Kia kaha, Kia māia, Kia manawanui.
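As an added illustration of the escalation Ron2K describes (example code, not from the forum or any site it mentions), here is a small Python login throttle: after CAPTCHA_AFTER consecutive failures a CAPTCHA is required, after LOCK_AFTER the account is locked for LOCK_SECONDS; the thresholds and the explicit `now` parameter are assumptions. It only slows online guessing against the live login form; the 8.2 billion guesses per second in the article are made offline against a leaked hash dump, which no server-side delay affects, so unique per-site passwords and slow password hashing still matter.

```python
from dataclasses import dataclass
from typing import Dict

# Assumed policy values; a real site would tune these to its own risk.
CAPTCHA_AFTER = 3      # consecutive failures before a CAPTCHA is demanded
LOCK_AFTER = 6         # consecutive failures before a temporary lockout
LOCK_SECONDS = 900     # how long the account stays locked (15 minutes)


@dataclass
class _Record:
    failures: int = 0        # consecutive wrong passwords for this account
    locked_until: float = 0  # unix time the lock expires; 0 means not locked


class LoginThrottle:
    """Per-account escalation: wrong password -> CAPTCHA -> temporary lock.

    `now` is passed in explicitly so the policy is deterministic and testable.
    """

    def __init__(self) -> None:
        self._records: Dict[str, _Record] = {}

    def state(self, user: str, now: float) -> str:
        """What the login form should show before any credentials are sent."""
        rec = self._records.get(user, _Record())
        if rec.locked_until > now:
            return "locked"
        if rec.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "ok"

    def attempt(self, user: str, password_ok: bool, captcha_ok: bool, now: float) -> str:
        rec = self._records.setdefault(user, _Record())
        if rec.locked_until > now:
            return "locked"          # password is not evaluated at all while locked
        if rec.locked_until and rec.locked_until <= now:
            rec.failures = 0         # lock expired: start a fresh window
            rec.locked_until = 0
        if rec.failures >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha"         # no CAPTCHA, no password verdict: guess not counted
        if password_ok:
            rec.failures = 0         # success resets the escalation
            return "ok"
        rec.failures += 1
        if rec.failures >= LOCK_AFTER:
            rec.locked_until = now + LOCK_SECONDS
            return "locked"
        if rec.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "denied"
```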