Jun 9, 2011

3 Billion Passwords Per Second. Are Complex Passwords Enough Anymore?

ZDNet posted an interesting article about how cheap GPUs are making it easier to crack strong passwords.

And here’s a fascinating "GPU vs. CPU" comparison study on password cracking (via @TopHackerNews). Note that the GPU can try over 3 billion passwords per second, which lets it crack a 5-character password in under a second. 8-character passwords will buy you 26 days (for now).
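To see where those numbers come from, here is the arithmetic behind them as a small added example (not code from the ZDNet article or the GPU-vs-CPU study). The guess rate of 3 billion per second and the alphabet sizes are assumptions; with the 95 printable ASCII characters at that rate, the full 8-character keyspace takes about 26 days to exhaust, which matches the figure quoted above. The example generalizes to any alphabet, length and rate, and also answers the reverse question of how long a password has to be to survive a given attacker for a given time.

```python
"""Brute-force cost as keyspace divided by guess rate.

Added example for this post, not code from the ZDNet article or the
GPU-vs-CPU study it links. The guess rate (3e9/s) and the alphabet
sizes are assumptions; 95 printable ASCII symbols at 3e9 guesses/s
reproduces the "26 days for 8 characters" figure quoted in the post.
"""

GPU_RATE = 3e9          # guesses per second, assumed from the post
ALPHABETS = {           # symbol counts, assumed typical policy classes
    "lowercase": 26,
    "alnum": 62,
    "printable": 95,    # upper + lower + digits + 32 symbols + space
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: float = GPU_RATE) -> float:
    """Time to exhaust the whole keyspace; the expected time is half of this."""
    return keyspace(alphabet_size, length) / rate


def min_length_for(alphabet_size: int, target_seconds: float, rate: float = GPU_RATE) -> int:
    """Smallest length whose full keyspace takes at least target_seconds to exhaust."""
    length = 1
    while worst_case_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds * 1000:.1f} ms"


def crack_table(rate: float = GPU_RATE, lengths=range(5, 13)) -> dict:
    """Worst-case crack time in seconds, keyed by alphabet name and length."""
    return {name: {n: worst_case_seconds(size, n, rate) for n in lengths}
            for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    for name, row in crack_table().items():
        print(f"{name:>10}: " + "  ".join(f"{n}ch={human(t)}" for n, t in row.items()))
    ten_years = 10 * 365 * 86400
    # For a 95-symbol alphabet, every 95x increase in the attacker's guess
    # rate costs the defender exactly one extra character.
    print("chars for 10 years @3e9/s:  ", min_length_for(95, ten_years))
    print("chars for 10 years @2.85e11/s:", min_length_for(95, ten_years, GPU_RATE * 95))
```

The table only covers exhaustive search of random strings. Dictionary and rule-based attacks finish far sooner against human-chosen passwords, so the lengths this computes are a floor, not a guarantee.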

And it doesn’t help that we keep re-using our passwords. In this analysis of a recent Sony website hack, Troy Hunt found 88 user accounts common to the Gawker hack from last year, and of those, 67% re-used their passwords. Granted, 88 is not a huge sample, but other companies out there obviously had larger samples and felt the need to take action (we talked about our own sample here).

Sooo, what do we do now?

We should use longer and longer and complex(er?) passwords, and never re-use them, right? But determined hackers will get into anything. So all that does is buy us a little time. Plus, unless you’re Rain Man, you’re probably going to need help from a password manager (which some would inevitably argue raises other security concerns). None of the above helps if you (or a family member who shares your computer) were tricked by some creative social engineering (happens to the best of us, like Google and RSA) and have malware on your machine that’s keystroke logging all your passwords.

What do we all do now? Well, no sense getting pessimistic and defeatist about it (that’s what my dev team told me when they found me crying in the fetal position under my desk after reading Fatal System Error). Keep your passwords as long and as complex as you can, and take all the security precautions that you can. But at MailChimp, we’ve decided we can’t spend 100% of our time building stronger and stronger vaults. The door’s going to get too heavy to open. We also need lasers — and maybe pitbulls with lasers on their heads — inside the vault.

For example, Facebook recently started offering SMS notifications and login approvals. That way, if someone gets your username and password and tries to log in, you’ll be notified. At MailChimp, we also recently launched features that send email and SMS security notifications whenever we detect a login, an attempted change to your account, a newly generated API key, a claimed Account Key, and more. We’ll also stop logins from unknown geolocations and ask your account security question. Not to mention a free 2-factor authentication service called AlterEgo. We’re going to do everything we possibly can to build better defenses for our users, but "advanced persistent" hackers are unstoppable, and we can’t protect you from all the ways your computer can get infected with malware.
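The logic behind "notify on every login, stop unknown geolocations, ask the security question" is simple enough to sketch. What follows is an added illustration, not MailChimp’s or Facebook’s implementation: the rules, the field names, and the login records it replays are constructed assumptions, and it assumes the GeoIP lookup and device fingerprinting have already happened upstream. The last record in the sample is the case the paragraph warns about: credentials captured by a keylogger and replayed from the owner’s own machine look exactly like the owner, so the policy lets them straight through.

```python
"""Login-anomaly check: notify, challenge or deny based on what the
account has seen before.

Added illustration for this post. It is not MailChimp's (or Facebook's)
implementation; the rules, field names and the login records below are
constructed assumptions. GeoIP resolution and device fingerprinting are
assumed to have happened upstream.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Login:
    account: str
    ip: str
    country: str        # assumed output of a GeoIP lookup on ip
    device: str         # assumed browser/device fingerprint
    password_ok: bool   # result of the password check, done elsewhere


@dataclass
class Decision:
    action: str                                       # "allow", "challenge" or "deny"
    notify: List[str] = field(default_factory=list)   # channels, e.g. ["email", "sms"]
    reason: str = ""


class LoginPolicy:
    """Per-account memory of the countries and devices that completed a login."""

    def __init__(self) -> None:
        self.countries: Dict[str, Set[str]] = {}
        self.devices: Dict[str, Set[str]] = {}

    def remember(self, login: Login) -> None:
        """Call once a login fully succeeds (including any challenge)."""
        self.countries.setdefault(login.account, set()).add(login.country)
        self.devices.setdefault(login.account, set()).add(login.device)

    def evaluate(self, login: Login) -> Decision:
        if not login.password_ok:
            return Decision("deny", reason="wrong password")
        known_countries = self.countries.get(login.account, set())
        known_devices = self.devices.get(login.account, set())
        if login.country not in known_countries:
            # Unknown geolocation: stop here, ask the security question,
            # and tell the owner on every channel.
            return Decision("challenge", ["email", "sms"],
                            f"unknown country {login.country}")
        if login.device not in known_devices:
            # Right password, familiar country, new device: let it in,
            # but make sure the owner hears about it.
            return Decision("allow", ["email"], "new device")
        return Decision("allow", reason="known country and device")


def run_sample() -> List[Decision]:
    """Replay constructed login records and return the decision for each."""
    policy = LoginPolicy()
    # Seed the account's history from one earlier successful login (constructed).
    policy.remember(Login("alice", "203.0.113.7", "US", "fp-laptop", True))
    attempts = [
        Login("alice", "203.0.113.7", "US", "fp-laptop", True),    # owner, as usual
        Login("alice", "203.0.113.7", "US", "fp-laptop", False),   # typo or a guess
        Login("alice", "198.51.100.9", "US", "fp-phone", True),    # owner's new phone
        Login("alice", "192.0.2.44", "RO", "fp-unknown", True),    # stolen creds, abroad
        # Keylogged credentials replayed by malware on the owner's own
        # laptop: nothing here distinguishes it from the first record.
        Login("alice", "203.0.113.7", "US", "fp-laptop", True),
    ]
    return [policy.evaluate(a) for a in attempts]


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.action:<9} notify={d.notify or '-'}  ({d.reason})")
```

Two things worth noticing when you run it: the attacker logging in from an unfamiliar country is the only record that gets stopped outright, and the "new device" notification is what turns a silent takeover from a known country into something the owner can act on. The final record shows the limit of the approach, which is why the post keeps saying that notifications and geolocation checks help you detect an intrusion rather than prevent every one.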

Remember the RSA hack earlier? There’s this report that a big defense contractor has already fallen victim:

It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.

The contractor’s data security folks saw this coming, though not well enough to stop it. Shortly after the RSA breach they began requiring a second password for remote logins. But that wouldn’t help against a key-logger attack.

The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it.

In case your credentials are ever stolen, we strongly recommend you activate our new (and free) security features in order to help you better detect intrusions.
