What should I do? Carefully selected passwords are still under attack

Source: Internet
Author: User
Tags: random seed

Although breaches caused by easy-to-guess passwords regularly make the headlines, today's password-cracking systems are advanced enough to recover even seemingly complex passwords, and can do so from hardware no more exotic than a notebook computer. By using off-the-shelf graphics processors for cheap parallel computation, current cracking tools can try trillions of password combinations every hour.

Steve Thomas, president of PwnedList, an InfoArmor subsidiary that tracks compromised accounts, gave an example: the list of hashed passwords stolen from the website of the global intelligence firm Stratfor contained more than 630,000 randomly generated passwords made up of eight letters and digits. It took less than 24 hours to recover all 815,000 hashes in the stolen file, because the company had not added a random seed, a "salt", to the password before hashing it.

Thomas said, "Cracking technology has never been this advanced; it is possible to guess 23 billion passwords per second. When you get hold of a set of hashes, you can quickly crack most or even all of them, in a matter of hours."

Three factors have contributed to the "revival" of password cracking over the past five years. Password-recovery programs have gained enormous computing power, moving from CPU-bound dictionary and brute-force attacks to graphics processors, while users still build passwords from the same mnemonics, a method that feels safe and is easy to remember. Meanwhile, breached websites (from LinkedIn to Stratfor, and from RockYou to Sony) have handed researchers and attackers millions of hashes, which reveal the patterns users actually follow when they create passwords.

Alongside the rapid advances in cracking hardware, attackers and researchers have become very good at predicting how users create passwords. With better lists of common words and smarter ways of combining and altering words and phrases, they can crack human-chosen passwords with far fewer guesses. Olga Koksharova, spokeswoman for the password-recovery company ElcomSoft, said: "Smart guessing works against passwords that people created, as opposed to completely random passwords. For a completely random password only brute force is feasible, and then speed becomes the most important factor."

Cracking speed has improved as well. Running on a computer with a single video card, for example, the oclHashcat-plus program can test anywhere from hundreds of thousands to billions of password candidates per second, depending on which hash algorithm protects the entries in the password file: fast general-purpose hashes such as MD5 and SHA-1 allow the highest rates, while deliberately slow password hashes such as bcrypt or PBKDF2 cut the rate by orders of magnitude.

Robert Graham, chief executive officer of the security consulting firm Errata Security, said, "This technology runs on graphics cards because they are very good at parallel computation; a top-of-the-line Radeon 7970 can currently carry out billions of guesses per second against some popular hashing algorithms."

Whether these advances in cracking technology actually endanger users is still an open question. Although some attacks rely on online guessing of a handful of common passwords, such as the attacks against WordPress and Joomla sites earlier this year, attackers usually do not take the time to crack stolen hashes offline. Instead, they use social engineering to obtain the victim's account credentials.

Even so, users can take a few simple steps to protect their passwords and avoid a catastrophic compromise. Do not rely on a single word dressed up with numbers or symbols, because that is the type of password attackers try first.

Choosing an extremely strong password matters less than most people think, because the password files of the most important sites (banks and email providers, for example) are rarely stolen. What matters more is never using the same password on different websites.

Robert Graham said, "For every website account you really want to protect, make sure the password is unique and not used on any other website. Otherwise, when those other sites are attacked and the password is stolen, attackers may get into your important account."

Using a password manager may be the best approach, since it generates a random password for each site and removes the need to reuse them.
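As an added example (not code from the article or from any tool it names), the following Python script ties together three of the points above: the cost of exhausting an eight-character letters-and-digits keyspace at Thomas's quoted rate of 23 billion guesses per second, how rule-based mangling of dictionary words reaches human-style passwords long before brute force would, and why a stolen list of unsalted hashes is cracked in bulk while a salted list costs extra work for every stolen hash, as in the Stratfor case. It also shows the kind of random password a manager generates. The leaked passwords, dictionary, mangling rules and salts are constructed for the demonstration, and MD5 stands in for the fast unsalted hash found in old leaks.

```python
"""Added example, not code from the article or from any tool it names.
The leak, dictionary, rule set and salts below are constructed; MD5
stands in for the fast, unsalted hash that old leaks used."""
import hashlib
import secrets
import string

GUESSES_PER_SECOND = 23e9  # rate quoted by Steve Thomas in the article


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every password of this shape at `rate`."""
    return alphabet_size ** length / rate


def mangle(word):
    """Yield the mnemonic variants users build from a base word.

    The rule set is deliberately tiny (case changes, common leet swaps,
    a few suffixes); real cracking rule sets contain thousands of rules."""
    leet = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
    bases = sorted({word, word.capitalize(), word.upper(), word.translate(leet)})
    for base in bases:
        for suffix in ("", "1", "123", "!", "2013", "!1"):
            yield base + suffix


def crack_unsalted(targets, candidates):
    """One hash per candidate; a set lookup checks it against every target
    at once, so the cost is len(candidates) however many hashes were stolen.
    Returns (found, number_of_hash_evaluations)."""
    found, calls = {}, 0
    for cand in candidates:
        calls += 1
        digest = hashlib.md5(cand.encode()).hexdigest()
        if digest in targets:
            found[digest] = cand
    return found, calls


def crack_salted(records, candidates):
    """records is a list of (salt_bytes, hex_digest).  Every candidate must
    be re-hashed with each record's own salt, so the cost grows with the
    number of stolen hashes.  Returns (found, number_of_hash_evaluations)."""
    found, calls = {}, 0
    for salt, target in records:
        for cand in candidates:
            calls += 1
            if hashlib.md5(salt + cand.encode()).hexdigest() == target:
                found[target] = cand
                break
    return found, calls


def random_password(length=16):
    """What a password manager does: uniform random choice from a 94-symbol alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo():
    """Constructed leak: three mnemonic passwords plus one manager-generated one."""
    dictionary = ["password", "stratfor", "summer", "dragon"]
    leaked = ["Password1", "stratfor123", "Summer2013", "xK9#vLq2$mWe7&Rt"]
    candidates = [c for w in dictionary for c in mangle(w)]

    # Unsalted: the site stored md5(password) for every user.
    unsalted_targets = {hashlib.md5(p.encode()).hexdigest() for p in leaked}
    hits_u, cost_u = crack_unsalted(unsalted_targets, candidates)

    # Salted: the site stored (salt, md5(salt || password)) per user.
    salted_records = []
    for p in leaked:
        salt = secrets.token_bytes(8)  # fresh random salt per password
        salted_records.append((salt, hashlib.md5(salt + p.encode()).hexdigest()))
    hits_s, cost_s = crack_salted(salted_records, candidates)

    return {
        "candidates": len(candidates),
        "unsalted_cracked": len(hits_u), "unsalted_hash_calls": cost_u,
        "salted_cracked": len(hits_s), "salted_hash_calls": cost_s,
        "hours_for_8_alnum": seconds_to_exhaust(62, 8) / 3600,
        "years_for_16_full": seconds_to_exhaust(94, 16) / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value}")
```

Running it prints the counts: the unsalted pass costs exactly one hash per candidate no matter how many hashes were stolen, because each digest is checked against the whole target set with a single lookup, while the salted pass must re-hash candidates for every record, so its cost grows with the number of stolen hashes and the one uncracked random password alone consumes the full candidate list. The keyspace figures show the same asymmetry on the brute-force side: eight random letters and digits fall in under three hours at the quoted rate, while a 16-character manager-generated password would take far longer than the age of the universe. Note that a salt defeats bulk lookup and precomputed tables but does not slow guessing against any single hash; that needs a deliberately slow hash such as bcrypt or PBKDF2 on top of the salt.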
