Earlier this week, a hacker going by the moniker r00tbeer gained access to servers owned by Dutch technology giant Philips, and dumped a collection of databases to a public site. The leaked data included a smallish database of unencrypted passwords (for shame!), a stolen list of 200,000 email addresses, and a database containing 400 hashed passwords.
Sophos researcher Paul Ducklin reported on the initial hack, noting that as always the plaintext password collection contained some really, really bad choices. What interested me more, though, was his experiment with cracking those password hashes. In June, a breach at LinkedIn exposed more than 6 million hashed passwords. Perhaps Ducklin found the smaller collection leaked from Philips to be a bit more manageable.
Hashing is a kind of one-way encryption. The same password going in always yields the same seemingly random text as output, but there's no direct way to derive the password from the hash. However, an attacker with access to a list of password hashes can simply run millions of possible passwords through the same algorithm and see which ones match an item from the list. Adding a data element unknown to the attacker (called "salt") foils this sort of attack – but neither LinkedIn nor Philips took this precaution. Running the hash algorithm's output back through the process multiple times can make an attacker's task near impossible. They didn't do that either.
For his test, Ducklin downloaded the free open source tool John the Ripper to a "not-very-fast laptop" and passed the list of hashed passwords to the cracking tool. It cracked a quarter of the passwords in three seconds or less, and fully half of them by the 50 minute mark. When he ended the test at two hours, John the Ripper had cracked 53 per cent of the passwords.
Clearly there's a point of diminishing returns after all the easy ones have been cracked. A hacker working through millions of hashed passwords will most likely halt the process at that point.
But wait; it gets better. This initial test simply used password guessing techniques built into John the Ripper. Ducklin added a collection of dictionaries, including Dutch words, and re-ran the test. This time the tool cracked 25 per cent in two seconds or less and 50 per cent by 28 seconds. Check out Ducklin's full report on Sophos's Naked Security blog.
The lesson is clear. You really, truly must use passwords that are long and not easily guessed. A password manager will both generate such passwords and "remember" them for you.
You might also choose to construct an insanely secure password based on a favourite poem, quote, or song lyric, making it cryptic and yet memorable at the same time. For example, how about BBMshcDuhh!Fab4 for a password?
That would be "Bang Bang Maxwell's silver hammer came Down upon her head!" boiled down to the first letter of each word, with uppercase letters for emphasised words, and Fab4 tacked on to provide a number. Are you a Shakespeare fan? How about o,TtTtSFwM.A1.S2 ("O, that this too too solid flesh would melt,” from Act 1, Scene 2 of Hamlet).
Whatever method you go for, just make sure that your password isn't one of those that's crackable in seconds flat.