03 February 2020

ELI5 about passwords
I've often wondered how hackers bypass brute-force protection at login sites.  This exchange addresses that question.

Request to "explain like I'm five":
"With 26 letters in the English alphabet, a password of 4 letters would have 26^4 possible combinations. And that is for 1 given username. That's a lot.

Login forms could also have a brute-force protection that disables password guessing after about 10 attempts from a given IP or username.

Still, websites often ask for 8 letters, lower/upper case, numbers, symbols, etc...  It seems a bit of an over-kill, but this is very common. Can anyone explain?"

Best reply:
While ~457,000 sounds like just an absolutely unfathomably large number to a human, that's actually child's play when it comes to computers. Kaspersky Labs estimates that an average computer that's not even particularly specialized to password cracking can attempt roughly 7100 passwords every second. That means it could figure out a 4-letter single-case password in at most 65 seconds. I'm sure you can see why that's not very desirable.

Even just stepping up to a six-character password where lower case, upper case, and numbers (but no symbols) are allowed slows down an average computer's brute force attack to 3.5 days. This can be sped up by using known tables of common passwords that people use over and over again, or even just using a dictionary attack since most people use a password that's a word or some variant thereof (e.g. they might use "acc1d3nt" instead of "accident," but a good dictionary attack can account for these variants too).

And that's all to say nothing of the fact that people who make their living by cracking people's passwords are going to have specialized hardware that can crack passwords even faster. In 2012, ArsTechnica wrote an article about a then-new supercomputer that could guess up to 350 billion passwords every second (meaning the 6-character password from before could be cracked in a fraction of a second). And you can surely imagine that even more powerful hardware exists now, 8 years on.
"Most websites also have a brute-force protection that disables password guessing after about 10 attempts."

This is true, but again people who make their living cracking passwords have ways of circumventing this. Explaining the exact specifics would probably make this explanation not ELI-5 anymore, but the basic gist is that they don't actually crack your password by going to the website and entering each potential password one at a time. Else, as you mentioned, they'd get locked out and that would make the process take a long long time.

Rather, what they usually do is they get their hands on a master password list directly from the source. This can sometimes come from a leaker who works for a particular company, but most often it comes from hackers breaking into the company's database and getting the master list file that way. Now thankfully, any company worth their salt encrypts said password list, but that turns out not to really be a problem for hackers.

Most of the time hackers know what encryption algorithm a particular website uses to secure their passwords (e.g. the ArsTechnica article mentions that LinkedIn uses the SHA-1 algorithm. Obviously, this may no longer be the case today, but it was true as of 2012). Given this information, they can use their brute force password generator and run each one through the encryption algorithm until they find one that outputs the same string as one of the passwords in the list - they then know that user's password.

In addition to all of that, sometimes companies utterly fail at security and don't follow the industry best practices for securely storing passwords... 
More at the explainlikeimfive subreddit discussion thread.
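To put numbers to the reply above, here is a worked example added to this post (it is not code from the Reddit thread). It computes the keyspace arithmetic the reply uses, runs the offline guess-and-compare loop against a constructed list of unsalted SHA-1 hashes, and then stores the same passwords with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 at 100,000 rounds, a parameter choice assumed here) to show what changes for the defender. It also covers the precomputed-table idea raised in comment 4 below. The usernames, passwords and "leaked" hashes are all constructed for the demonstration.

```python
import hashlib
import hmac
import itertools
import os
import string

# Alphabets behind the arithmetic in the reply.
LOWER = string.ascii_lowercase                         # 26 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits  # 36 symbols
MIXED_DIGITS = string.ascii_letters + string.digits    # 62 symbols


def keyspace(alphabet_size, length):
    """Number of fixed-length candidates over an alphabet (26**4 == 456976)."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, guesses_per_second):
    """Time to try every candidate at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def sha1_hex(password):
    """Unsalted fast hash, as the reply says LinkedIn used in 2012."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked, alphabet, length):
    """Offline guessing exactly as the reply describes: hash each candidate once
    and look it up in the leaked list. With no salt, one SHA-1 computation tests
    that guess against every user at once, and the outputs could equally be
    stored ahead of time (the precomputed-table idea from comment 4).
    Returns ({user: password}, number of candidates hashed)."""
    wanted = {}                                   # hash -> [users]
    for user, h in leaked.items():
        wanted.setdefault(h, []).append(user)
    found, attempts = {}, 0
    for chars in itertools.product(alphabet, repeat=length):
        guess = "".join(chars)
        attempts += 1
        users = wanted.pop(sha1_hex(guess), None)
        if users:
            for user in users:
                found[user] = guess
            if not wanted:
                break
    return found, attempts


# Defender side: per-user random salt plus an iterated hash (assumed parameters).
ITERATIONS = 100_000


def store_password(password, salt=None):
    """Salted, iterated hash. A random 16-byte salt is generated if none given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify_password(password, salt, stored_hex):
    """A legitimate login pays ITERATIONS rounds exactly once per attempt."""
    _, candidate = store_password(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def guessing_cost(n_users, alphabet_size, length, salted, iterations=1):
    """Worst-case underlying hash computations to exhaust the whole space.
    Unsalted: one hash per candidate serves all users and can be precomputed.
    Salted + iterated: one hash per candidate per user, each costing
    `iterations` rounds, and nothing can be built before the leak."""
    per_candidate = n_users * iterations if salted else 1
    return keyspace(alphabet_size, length) * per_candidate


if __name__ == "__main__":
    print(f"26**4 = {keyspace(26, 4):,} candidates; at 7100/s exhausted in "
          f"{worst_case_seconds(26, 4, 7100):.1f} s")
    print(f"36**6 at 7100/s: {worst_case_seconds(36, 6, 7100) / 86400:.1f} days; "
          f"62**6 at 350e9/s: {worst_case_seconds(62, 6, 350e9):.2f} s")
    # Constructed "leaked" list of unsalted SHA-1 hashes (not real data).
    plaintexts = {"alice": "wolf", "bob": "acre", "carol": "wolf"}
    leaked = {u: sha1_hex(p) for u, p in plaintexts.items()}
    found, attempts = crack_unsalted(leaked, LOWER, 4)
    print(f"recovered {found} after {attempts:,} SHA-1 computations")
    # Same passwords with per-user salt: identical passwords no longer share a
    # record, and every guess has to be recomputed for each user.
    records = {u: store_password(p) for u, p in plaintexts.items()}
    print("alice and carol share a record?", records["alice"][1] == records["carol"][1])
    print("unsalted cost:", f"{guessing_cost(3, 26, 4, salted=False):,}")
    print("salted cost:  ", f"{guessing_cost(3, 26, 4, salted=True, iterations=ITERATIONS):,}")
```

The two cost figures are the point: a leak of unsalted SHA-1 is cracked with one pass over the candidate space (or a table built before the breach), while salt plus iteration multiplies the attacker's work by the number of users and the iteration count, and the verify function shows that the legitimate login pays that cost only once per attempt.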

4 comments:

  1. I recommend passwords not be created from dictionary words.
    I also recommend you vary your passwords by website, so when one site is hacked, the hacker can't guess all your other passwords.
    This was an issue a few years ago for me when Yahoo was hacked. The hackers were able to crack not only my Yahoo password, but several other sites were compromised as well, as the email and password was the same on all of them.

    To make it easier to remember, pick some phrase you remember easily, such as the first line of a song you enjoy. Then take the first letter of each word in the phrase. Select one of the letters to be capitalized.
    Then add on some number specific to the website you are making the password for; for example, if the website starts with the letter c, then use the number 03 (third letter of the alphabet). Add on some other website-specific information, such as the last character of the website.
    For example, using "Jingle Bells" to log in to Yahoo, a password might look like:
    jbJbjatw25o

    On facebook, the password would then be:
    jbJbjatw06k

    Thus if either site was hacked, the password would be useless on the other.

    It's a small pain to set up, but it is easy to use and remember, and is more secure than a variant of a dictionary word.

  2. And then there's the issue of some companies making you change your password every 30 to 90 days. Are they afraid that the bad guys are getting close to figuring it out--what?

    We know that many people use very simplistic passwords. It would likely be the case that if we made it such that everyone had to have several WORDS, there would probably be a "sentence" that would be the most common one (SEE SPOT RUN?). However, there will ALWAYS be people like that. It can't be helped...unless maybe there was a fine or what have you for having a simplistic password?

  3. And there are the morons who write the code that accepts the password. How many sites have you tried to create a password that's got non-alphanumeric characters only to have the password field not accept them. Or they limit you to 8 characters or whatever "short" length. Schwab used to limit the characters to alpha-numeric AND they upper-cased the whole string behind the scenes (taking away one form of variability) AND they truncated whatever you typed to be only 8 characters (they've since cleaned up their act as far as I know). Nothing like helping to keep your investments safe.

  4. This made me think of a story by Cory Doctorow called Knights of the Rainbow Table, about pre-generating entire sets of hashes, breaking all passwords for a particular system. I can't seem to find a text version of it:
    https://archive.org/search.php?query=knights%20of%20the%20rainbow%20table&and[]=subject%3A%22cory+doctorow%22
