ZDNet posted an interesting article about how cheap GPUs are making it easier to crack strong passwords.
And here’s a fascinating “GPU vs. CPU” comparison study on password cracking (via @TopHackerNews). Note how it takes less than a second for the GPU to crack a 5-character password, and the ability for the GPU to try over 3 billion passwords per second. 8-character passwords will buy you 26 days (for now).
And it doesn’t help that we keep re-using our passwords. In this analysis of a recent Sony website hack, Troy Hunt found 88 user accounts common to the Gawker hack from last year, and of those, 67% re-used their passwords. Granted, 88 is not a huge sample, but other companies out there obviously had larger samples and felt the need to take action (we talked about our own sample here).
Sooo, what do we do now?
We should use longer and longer and complex(er?) passwords, and never re-use them, right? But determined hackers will get into anything. So all that does is buy us a little time. Plus, unless you’re Rain Man, you’re probably going to need help from a password manager (which some would inevitably argue raises other security concerns). None of the above helps if you (or a family member who shares your computer) were tricked by some creative social engineering (happens to the best of us, like Google and RSA) and have malware on your machine that’s keystroke logging all your passwords.
What do we all do now? Well, no sense getting pessimistic and defeatist about it (that’s what my dev team told me when they found me crying in the fetal position under my desk after reading Fatal System Error). Keep your passwords as long and as complex as you can, and take all the security precautions that you can. But at MailChimp, we’ve decided we can’t spend 100% of our time building stronger and stronger vaults. The door’s going to get too heavy to open. We also need lasers — and maybe pitbulls with lasers on their heads — inside the vault. For example, Facebook recently started offering SMS notifications and login approvals. That way, if someone got your username and password and tries to log in, you’ll be notified. At MailChimp, we also recently launched features that will send email and SMS security notifications whenever we detect a login, attempted changes to your account, API keys are generated, Account Keys are claimed, and more. We’ll also stop logins from unknown geolocations, and ask your account security question. Not to mention a free 2-factor authentication service called AlterEgo. We’re going to do everything we possibly can to build better defenses for our users, but “advanced persistent” hackers are unstoppable, and we can’t protect you from all the ways your computer can get infected with malware.
Remember the RSA hack earlier? There’s this report that a big defense contractor has already fallen victim:
It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.
The contractor’s data security folks saw this coming, though not well enough to stop it. Shortly after the RSA breach they began requiring a second password for remote logins. But that wouldn’t help against a key-logger attack.
The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it.
In case your credentials are ever stolen, we strongly recommend you activate our new (and free) security features in order to help you better detect intrusions.
See also:
- More Security Problems, from Word to the Wise “When even the experts are compromised, what chance does the average user have?”
- Email Security Guide in MailChimp Resources
“More complex”, is how you would say that.
That’s not complicated enough, though.
I did not know that hackers were that equipped to crack passwords. I still wonder if they would use all of their equipment for a simple email password or if they are more interested in bank accounts, for instance.
I would not “bank” on anybody being more interested in other passwords (see what I did there?). I’m no security expert, but I believe that when you’re infected with keystroke logging malware, they take all your passwords, and then it’s all sold somewhere. Some people will want your bank credentials, and some will want your email credentials (also, keep in mind getting into your email list can sometimes be a way for someone to spear phish their way into bank accounts).
Yes, I agree that the door should avoid being opened. Especially in the case where the passwords are similar.
The best password/ login manager I have found is 1Password from agile bits. I am sure you guys have already heard of it, but it creates up to 50 character random passwords and then stores the password and according login locally on your machine. All you need to do is have one good password that you need to remember to unlock your login vault. For anyone who has a bunch of secure stuff, this tool is a must.
Great article!
Thanks!
Great article. I remember that around the year 2000 my computer would take 100 years to crack an 8-character password through brute force.
Talking to a friend about this article, he mentioned that quantum computers will change all that, and even RSA over https will be broken. I am no expert in this area, so I just leave this cue here. =)
I use lastpass, because I like their features, have a different 12-digit ‘crazy’ password for each site and I am not worried about keystroke logging on my own computer. I think that’s secure enough for me (for now).
Password managers are not much better than keeping a notebook. Sure they create strong passwords and are password protected as well, but they are only as good as the password to unlock them.
With the rise of GPU home supercomputers, there will be a time when even hashes will be futile. Even when passwords are encrypted on servers, if the bad guys can crack the encryption then what is the final answer to security?
Face-to-face conversation in a remote undisclosed location?
Don’t panic just yet.
These times relate to cracking a password when that password’s hash is ALREADY available to the hacker.
Usually this requires access to the hash file on the computer being hacked (which means the hacker/virus must already have access to an account with sufficient privileges).
For remote systems such as websites, these hashes are stored in databases which are then subject to further protection: more passwords, firewalls, etc.
So these are NOT realistic times for brute-force attacks on a web login form, where the hash is not already known, for example to log in to MailChimp. The hacker would have to wait each time for MailChimp to respond with a success/failure message, and also avoid detection by attacking from different locations, etc. The hacker also needs to be sure of the username’s existence before trying passwords. There are tons of security measures that web applications use to block brute force attacks, such as the CAPTCHA that Google requires after a failed login attempt.
Thanks for this info Ben. It’s pretty scary how quickly passwords can be cracked. Thanks to Mailchimp for increasing security!
But that’s only a risk if you don’t limit the attempts for logins. When someone tries to crack your password with 3 billion requests per second, your server will crash first :)
Only in the case of Sony, when so-called “hackers” get access to the database and the passwords are encrypted (weren’t they?), can they start a password brute force.
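The two comments above make the same point from different angles: the 3-billion-guesses-per-second figure applies only once the attacker already holds the hash, while a login form can throttle attempts (the earlier comment mentions the CAPTCHA Google demands after a failure), and the article itself describes stopping logins from unknown geolocations, asking the security question, and sending a notification. The following is an added example written for this page, not MailChimp’s own code: it runs a login-defense policy over a constructed auth log, demanding a CAPTCHA after repeated failures on one account, locking the account and notifying its owner on further failures, blocking an IP that fails across many accounts, and challenging a successful login from a country the account has never used. Every threshold, user, IP address, country and timestamp is an assumption made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; every user, IP, country and timestamp below is invented for the example.
SAMPLE_LOG = """\
2011-06-10T12:00:00 user=alice ip=203.0.113.5 country=US result=fail
2011-06-10T12:00:01 user=alice ip=203.0.113.5 country=US result=fail
2011-06-10T12:00:01 user=alice ip=203.0.113.5 country=US result=fail
2011-06-10T12:00:02 user=alice ip=203.0.113.5 country=US result=fail
2011-06-10T12:00:02 user=alice ip=203.0.113.5 country=US result=fail
2011-06-10T12:00:03 user=alice ip=203.0.113.5 country=US result=fail
2011-06-10T12:00:09 user=bob ip=198.51.100.7 country=US result=success
2011-06-10T12:05:00 user=bob ip=192.0.2.44 country=RO result=success
2011-06-10T13:00:00 user=carol ip=198.51.100.9 country=US result=success
2011-06-10T12:10:00 user=dave ip=192.0.2.99 country=US result=fail
2011-06-10T12:10:01 user=erin ip=192.0.2.99 country=US result=fail
2011-06-10T12:10:02 user=frank ip=192.0.2.99 country=US result=fail
2011-06-10T12:10:03 user=grace ip=192.0.2.99 country=US result=fail
2011-06-10T12:10:04 user=heidi ip=192.0.2.99 country=US result=fail
2011-06-10T12:10:05 user=ivan ip=192.0.2.99 country=US result=fail
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+) result=(?P<result>\S+)"
)

WINDOW = timedelta(minutes=10)  # sliding window in which failures are counted (assumed)
CAPTCHA_AFTER = 3               # per-account failures in WINDOW before a CAPTCHA is demanded (assumed)
LOCK_AFTER = 5                  # per-account failures before the account is locked and the owner notified (assumed)
IP_BLOCK_AFTER = 5              # failures from one IP across any accounts before that IP is blocked (assumed)

# Assumed per-account known locations; a real service would learn these from login history.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def _prune(times, now):
    """Drop failure timestamps that have fallen out of the sliding window."""
    while times and now - times[0] > WINDOW:
        times.popleft()


def evaluate(log_text):
    """Return one policy decision per log line, processing events in order."""
    fails_by_user = defaultdict(deque)
    fails_by_ip = defaultdict(deque)
    decisions = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        now, user, ip = ev["ts"], ev["user"], ev["ip"]
        _prune(fails_by_user[user], now)
        _prune(fails_by_ip[ip], now)
        user_fails = len(fails_by_user[user])
        ip_fails = len(fails_by_ip[ip])

        if user_fails >= LOCK_AFTER:
            decision = "lock_notify"        # refuse the attempt, alert the account owner
        elif ip_fails >= IP_BLOCK_AFTER:
            decision = "ip_block"           # one source failing across many accounts
        elif ev["result"] == "success" and ev["country"] not in KNOWN_COUNTRIES.get(user, set()):
            decision = "challenge_notify"   # correct password, unknown geolocation: security question + alert
        elif user_fails >= CAPTCHA_AFTER:
            decision = "captcha"            # slow the guesser down before processing the attempt
        else:
            decision = "allow"

        if ev["result"] == "fail":
            fails_by_user[user].append(now)
            fails_by_ip[ip].append(now)
        decisions.append(decision)
    return decisions


def online_guess_rate():
    """Upper bound on guesses per second against one account before it locks."""
    return LOCK_AFTER / WINDOW.total_seconds()


def years_to_exhaust_online(charset_size=62, length=8):
    """Time to try every password of the given shape at the throttled online rate."""
    return charset_size ** length / online_guess_rate() / (365 * 86400)


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), evaluate(SAMPLE_LOG)):
        print(f"{decision:17s} {line}")
    print(f"online rate: {online_guess_rate():.4f} guesses/s; "
          f"8 alphanumeric chars: {years_to_exhaust_online():,.0f} years")
```

With these thresholds one account sees at most five guesses per ten minutes, so an 8-character alphanumeric keyspace that falls in under a day at 3 billion offline guesses per second would take hundreds of millions of years through the login form; the decisive factor is whether the hash has already leaked, which is why the storage scheme matters as much as the password.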
What are we to do now? Well, admins shouldn’t be using MD5, since it can be computed so quickly that it’s not particularly useful for this purpose–it’s only slightly better than plaintext. They should be using BCrypt; see http://codahale.com/how-to-safely-store-a-password/
That advice isn’t very helpful to users, of course, though 1password apparently uses bcrypt.
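The comment’s advice (drop MD5 for a deliberately slow scheme such as bcrypt) and the article’s 3-billion-guesses-per-second, 26-days-for-8-characters figures can be tied together numerically. The following is an added example written for this page, not code from MailChimp, the linked article or any library: it computes keyspace size and worst-case cracking time at the cited GPU rate, shows the unsalted MD5 scheme beside a salted, iterated stdlib KDF (PBKDF2-HMAC-SHA256 stands in for bcrypt here because it ships with Python; the iteration count is an assumed work factor), verifies a password against the stored record with a constant-time comparison, and measures locally how many times more expensive one KDF guess is than one MD5 guess. Treating the GPU rate as slowed by that same ratio is a first-order approximation, not a measured GPU figure.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Guess rate cited by the article's GPU-vs-CPU study for a fast hash: 3 billion per second.
GPU_GUESSES_PER_SECOND = 3_000_000_000

# Alphabet sizes an attacker must cover for each password style.
CHARSET_SIZES = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable_ascii": 95}

# Assumed work factor for the stdlib KDF; it plays the role of bcrypt's cost parameter here.
PBKDF2_ITERATIONS = 100_000


def keyspace(charset_size, length):
    """Number of distinct passwords of the given length over the charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def md5_hex(password: str) -> str:
    """The weak scheme the comment warns against: unsalted, single-round MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and cost; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def measure_cost_ratio(iterations=PBKDF2_ITERATIONS, kdf_samples=5, md5_samples=50_000):
    """Rough local ratio: seconds per PBKDF2 guess divided by seconds per MD5 guess."""
    pw, salt = b"constructed-sample", b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(md5_samples):
        hashlib.md5(pw).digest()
    md5_each = (time.perf_counter() - t0) / md5_samples
    t0 = time.perf_counter()
    for _ in range(kdf_samples):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    kdf_each = (time.perf_counter() - t0) / kdf_samples
    return kdf_each / md5_each


if __name__ == "__main__":
    printable = CHARSET_SIZES["printable_ascii"]
    days = seconds_to_exhaust(printable, 8, GPU_GUESSES_PER_SECOND) / 86400
    print(f"8 printable chars vs a fast hash at 3e9 guesses/s: {days:.1f} days")  # ~25.6 days
    ratio = measure_cost_ratio()
    # First-order approximation: assume the GPU slows by the same factor the CPU does.
    slowed_rate = GPU_GUESSES_PER_SECOND / ratio
    years = seconds_to_exhaust(printable, 8, slowed_rate) / (365 * 86400)
    print(f"same keyspace if each guess costs {ratio:,.0f}x more: {years:,.0f} years")
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
```

The 25.6-day result for 8 printable-ASCII characters at 3 billion guesses per second is the article’s own figure recovered from the arithmetic; the salt makes every stored record cost a separate attack, and the iteration count is what turns days into years, which is the lever bcrypt’s cost parameter gives an administrator.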
Thanks for the info Ben! We should start creating more complex passwords so that the hackers will not be able to hack our systems! I think we should start changing the passwords once in 15 days.