The Science of Password Hashing (Not!)
The Science of Password Hashing (Not!)
Sometimes you see an advert on the TV or a posting on social media, and you say to yourself that’s not technically right. For me just now, it’s the “unbreakable wifi” advert on the TV. I appreciate what the message is saying, but from a scientific point-of-view, it’s mathematically incorrect. It’s amusing, though. And a recent Virgin Media advert that talked about fibre, and actually outlined DOCSIS (a copper/fibre method) and illustrated a copper cable. There’s an air gap, often, between the marketing department and those in the technical know.
And so, the elephant in the room … passwords
I know the generation and storing of passwords is a serious topic, but I had to smile at this [here]:
Well, where do I start? There are so many things going on here, that it’s difficult to know where to focus.
Who cares about octillion and nonillion years?
First, we should start with what the problem is, and it probably isn’t the brute-forcing of passwords, either from breached password databases or from brute force logins. The “brute-forcing” of passwords through login methods has long since gone, and where most companies would lock out any continual probing for the password.
In case, saying that “conditioningfuturerabbit” takes 7 quadrillion years is totally meaningless. The value of 7 quadrillion years probably relates to a completely random input of characters of the same length, and not to three common words. Anyway, what’s the hashing method used? And, as a cybercriminal even taking a few days is going to be a bit off-putting, especially as it could cost $10 per hour for a GPU cracker, and I’ll have to get the password database, too.
And what about Hashcat rules?
And, so the years to crack posted by the PDCS are a bit meaningless. With this — and a fast hashing method — Hashcat would probably find it relatively easy to be able to crack any three-word password — even with the hyphens. Overall, Hashcat has a rule which makes the first letter of a word capitalised, and also where it takes words from a common dictionary. This is a common approach in recovering a Bitcoin wallet. So saying that a three-word password is secure is not quite true, as three words are really there to help us remember our passwords.
And MD5, does anyone use that in production?
But, then asking for MD5 is perhaps a bit meaningless, too, as it would hardly ever be used to hash passwords these days. Many systems now use a slow method, such as SHA512_crypt [here], and where these methods defeat GPU cracking. Overall, these slow methods make it almost impossible to discover a three-word password even if common words are used in the password. Every security professional knows that MD5 is weak, as it just doesn’t have enough hash values. These days, for MD5 hashing to be used to protect user passwords would be negligence from companies. I would never think that your bank or your social media company would go anywhere near using MD5 hashing.
The real threat is not against passwords?
Of course, a phrase is good to remember, as we are only human. And using different passwords for your bank and your social media accounts is probably a good thing, too. But, the best advice, is to not click on phishing emails and then put your login details into intrusted sites, and to not allow backdoor software to be installed on our desktop or mobile phone.
The whole debate around passwords has moved on a whole lot, and now it’s more about good hygiene, than what you actually select for your password. It’s much better to have multi-factor authentication these days, and with out-of-band confirmation than it is to have a password that takes 9 octillion years to brute force (just crazy figures). For technical people, it’s best to understand the threat, and put in place methods that protect users, rather than throwing rocks in their way.
And the answer is … as always …
So the answer to many things in Cybersecurity is … don’t click on that dodgy email and enable multi-factor authentication!
But, it’s an infographic, and you can’t overload the viewer. An info graphic with:
ENABLE MULTIFACTOR AUTHENTICATION ON YOUR BANK APP AND DON’T CLICK ON THAT DODGY LINK!!!!!
does not have the same ring to it.
So, perhaps the Tweet encapsulate one of the problems with cybersecurity, in that we are not really articulating ourselves well? I can see it from both sides, but there’s a gulf of technical background in-between that willproperly explain things here. While, of course, all these brute force numbers matter to security engineers, but, for the general public, we need to make sure that there is no binary debate, and that we re-enforce the importance of not relying on a single method to protect ourselves online. Advice in using a three phase is a bit meaningless, and the amount of time to crack a three word phase is definitely completely meaningless.
Passwords will, of course, fade into history, and be replaced by more human focused methods. I trust the face recognition on my phone and the out-of-band authenication much more than protecting things with my password. I suppose users should demand these methods more, and that our governments need to push the industry forward, and improve authentication methods.
Anyway, here’s Hashcat in action: