Microsoft: In the face of brute-force cracking, increasing password complexity is useless.

Source: Internet
Author: User
Tags: password protection, strong password


We all hate passwords, but for the present and for as far ahead as anyone can see, passwords remain the main method of online authentication, including ordinary account logon. Password authentication is sometimes annoying. In particular, some websites insist, in the name of security, that a password contain uppercase and lowercase letters, digits and special characters.

According to a new research report from Microsoft, increasing the complexity of passwords is largely pointless against the attacks that actually matter. This article briefly analyses Microsoft's reasoning and then discusses two new approaches to password security.

What is brute-force cracking?

In a brute-force attack, the attacker tries to recover a user's account name, password or other secret by systematically enumerating all possible values (for example every combination of account name and password accepted at logon). Attackers almost always automate this with scripts rather than typing guesses by hand.

Enhancing password complexity is useless

Once a password is strong enough to resist dictionary guessing and social-engineering-based guessing, the remaining attack is brute force. Brute-force cracking comes in two forms: online and offline.

In online cracking the attacker goes through the same interface that legitimate users use (for example the web logon form), and is therefore subject to whatever controls the service enforces: lockouts, rate limits, CAPTCHAs and monitoring. Offline cracking presupposes that the attacker has already obtained the password file (the stored hashes); from then on nothing restricts the guessing rate except the attacker's own hardware.

Microsoft's security researchers found that an online attack can realistically be limited to roughly one million guesses before it succeeds or is stopped, whereas an offline attack can reach a billion guesses and beyond.

So a password such as tincan24, which survives on the order of a million guesses, is strong enough against online cracking, while a password such as "7Qr&2m", which survives on the order of a billion guesses, is still vulnerable to offline cracking and is considerably harder to remember.

The lesson is that once a password is strong enough for the online case, adding further complexity buys little: no memorable password can bridge the gap to the guessing capacity of an offline attacker. The defence against offline cracking has to come from how passwords are stored, not from the user.

When the password file is leaked

To prevent offline cracking attacks after password files are leaked, we need to take some protection measures.

A general solution is mentioned in Microsoft's report:

Encrypt each stored password (or password hash) under a key kept in a hardware security module (HSM). The HSM exposes no interface for exporting the key, so the ciphertext can only be decrypted or verified by going through the application's normal logon path. Even if an attacker obtains the password file, the ciphertext alone is of little use, and every verification attempt is again subject to the application's controls and the HSM's throughput.

Two innovative protection solutions

Researchers abroad have proposed two innovative solutions to the problem of password-file leaks:

1. At DerbyCon 2014, Benjamin Donnelly and Tim Tomes presented their "Ball and Chain" (BAC) scheme. BAC deliberately pads the password store to an enormous size, while each password's stored form remains securely bound to that data and nothing is lost. Exfiltrating a 2 TB password store would take an attacker at least a month, and a transfer of that duration and volume is very likely to be noticed, so the offline attack never really gets off the ground.

2. Dyadic, an Israeli start-up, presented its Distributed Security Module (DSM). Using multi-party computation (MPC), DSM splits the secret material protecting each password into shares held on several servers, so that no single server holds enough to verify or crack a password. An attacker must compromise several servers at once, each with different access credentials and possibly different operating systems, which greatly raises the cost of an attack.

Conclusion

It is unreasonable to push the burden of password protection onto users. As security researchers we clearly cannot keep blindly demanding more complex passwords. At the same time, the familiar tools for password storage, symmetric and asymmetric encryption, salting and hashing, are commonplace and hardly new.

Are there new technologies or methods that can improve the security of passwords and of password storage? Researchers outside China have put forward the two methods above. What do domestic colleagues think? You are welcome to discuss and exchange ideas in the comments.

Reference Source: http://www.securityweek.com/brute-force-attacks-crossing-online-offline-password-chasm
