The fact that "linkedin123" is not a secure password should by now be clear to any IT user. That "311Zwergseidenhühner" also does not hold out for long against a professional password cracker will still surprise some: 20 characters, digits, uppercase and lowercase letters, a special character. Everything done right, in fact, in the unpopular game "Think of a password".
And yet the team around Jens Steube, nickname "atom", cracked this one and 5291
"The competition has shown how problematic the patterns are that we humans use when thinking up passwords," says Steube. For "311Zwergseidenhühner" this means: when Team Hashcat realised that some of the hashed passwords had been taken from a fictional farm, they fed the cracking software with agricultural terminology. Real data thieves would do the same in practice.
Among those terms was the name of a chicken breed: Zwergseidenhühner (Silkie bantams). "Zwergseidenhühner is the user-chosen base password, and the prefix 311 is an additional pattern that is probably due to a password policy requiring digits and periodic password changes," says Steube. When the password has to be changed, the user only has to increase the number by one to produce a new password. That complies with the rules, but it is insecure.
Fallacy: My passwords are the best
These patterns are problematic, according to the developer, because people mistakenly consider their self-designed pattern unique. "People do not necessarily lack ideas, but unique ideas," says the password expert. There are many different patterns, but hundreds of thousands of them are known. For software like Hashcat it is no problem to take all of these patterns into account and automatically try combinations of base passwords with arbitrary numbers and special characters. The universally popular character replacement (a by @, 1 by ! and so on) is something the software does as well, without the human operator having to intervene.
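The checks a defender can derive from this are easy to state: undo the common substitutions, strip digit and punctuation decoration, and see whether what is left is a known base word; and when a password is changed, see whether only the digits moved. The following is an added example written for this article, not code from the article or from Hashcat; the word list, the substitution table and the sample passwords are constructed, and the function names are my own.

```python
# Added example, not code from the article or from Hashcat: a defender-side
# check that flags passwords built the way the article describes, i.e. a
# dictionary base word decorated with digits and the usual character
# substitutions, plus a check for the "increment the number" rotation trick.
import re

# Constructed mini-wordlist (hypothetical); a real cracker would use hundreds
# of thousands of base words, including the agricultural terms mentioned above.
BASE_WORDS = {
    "summer", "vacation", "highway", "dinner", "mailbox", "password",
    "linkedin", "spiegel", "chicken", "zwergseidenhühner",
}

# Reverse map of common substitutions (a -> @, i -> 1 or !, and so on).
# Crackers apply these automatically, so the checker undoes them before lookup.
UNLEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})


def is_decoration(s: str) -> bool:
    """True if s consists only of digits and punctuation (empty string counts)."""
    return all(c.isdigit() or not c.isalnum() for c in s)


def find_pattern(password: str):
    """Split password into prefix + base word + suffix and look the base word up.

    Returns a dict describing the pattern, or None if no known base word is found.
    """
    n = len(password)
    for i in range(n):
        if not is_decoration(password[:i]):
            break  # the prefix can only grow while it stays digits/punctuation
        for j in range(n, i, -1):  # longest possible base word first
            if not is_decoration(password[j:]):
                continue
            core = password[i:j]
            word = core.translate(UNLEET).lower()
            if word in BASE_WORDS:
                return {
                    "base": word,
                    "prefix": password[:i],
                    "suffix": password[j:],
                    "leet": core.lower() != word,
                }
    return None


def is_trivial_rotation(old: str, new: str) -> bool:
    """True if the new password differs from the old one only in its digits."""
    def skeleton(pw: str) -> str:
        return re.sub(r"\d+", "#", pw)
    return old != new and skeleton(old) == skeleton(new)


if __name__ == "__main__":
    for pw in ["311Zwergseidenhühner", "Linkedin123", "p@ssw0rd123", "xq7Gm!z2"]:
        print(pw, "->", find_pattern(pw))
    print(is_trivial_rotation("311Zwergseidenhühner", "312Zwergseidenhühner"))
```

Used in a password-change handler, `find_pattern` rejects the "base word plus decoration" family regardless of length or character classes, and `is_trivial_rotation` catches the 311-to-312 move that a policy with forced changes otherwise invites. Both checks need the old password in cleartext at change time, which is exactly the moment the user supplies it.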
The security problem is exacerbated by the fact that modern password cracking exploits a special feature of graphics cards: the functions that otherwise produce the most realistic 3D effects in games also accelerate the testing of passwords.
Or, to put it more technically, they speed up the generation of hash values, i.e. deriving from a plaintext password such as "Spiegel Online" a string like "c065aec1bd68cadf52a5c0d0a03e916f". That string is stored instead of the password in the password database of the application or online service. If a value generated by Hashcat matches a hash found in a leaked or stolen password database, the plaintext passwords match as well.
A $1,000 high-end card, for example, generates up to 100 billion hashes of Windows passwords, per second. The usual advice, to build a password that is as long as possible yet easy to remember by stringing words together, runs into limits: "Anyone who composes a Windows password from four words such as summer vacation, highway, dinner and mailbox, taken from a dictionary of 10,000 words, gets it presented in plaintext by Hashcat within 24 hours," explains Jens Steube.
Stop thinking up passwords
It is no wonder that people rely on patterns when thinking up passwords: policies often demand complex, long passwords that are hard to remember anyway. If cyclical forced changes are added on top, the use of easy-to-crack patterns is inevitable. Steube therefore rejects such changes. In line with a guideline from the US National Institute of Standards and Technology (NIST), Microsoft also wants to take away from IT administrators the option of mandating timed password changes.
The situation would be far less problematic if we stopped thinking up passwords ourselves. "If we all used randomly generated passwords, attacks would no longer be very effective," explains the password expert. Steube confirms that passwords created by a password manager, for example, are harder to crack than human-generated passwords of the same length. "Online generators are not recommended because they could store the passwords," warns Jens Steube. A password manager installed on one's own device is more trustworthy.
Steube himself uses such an application: he simply could not remember 200 or more passwords. Admittedly, a password manager, or the provider's cloud storage, is an attractive target for data thieves. But the advantages of these applications outweigh that disadvantage, especially if the master password that unlocks the vault is correspondingly complex. It is safer still if a hardware token is also needed to open the vault. "Every password cracker breaks its teeth on that," says Jens Steube.
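The figures behind the four-word example and the case for generated passwords can be worked out directly: 10,000 words in four positions give 10,000^4 = 10^16 candidates, which at 100 billion hashes per second takes about 27.8 hours to exhaust, or about 13.9 hours on average until the right one turns up, which is where the "within 24 hours" comes from. The block below is an added example, not code from the article; the rate constant is the one the article quotes for Windows password hashes, the 94-symbol alphabet and 20-character length are my assumptions, and the function names are my own.

```python
# Added example, not code from the article: puts numbers on the cracking-speed
# argument made above (10,000-word dictionary, four words, 100 billion hashes
# per second) and shows how a local manager generates a password instead.
import math
import secrets
import string

# Rate quoted in the article for hashes of Windows passwords on one high-end
# card; adjust it for the hash type actually in use.
GPU_RATE = 100_000_000_000  # hashes per second


def keyspace_words(dictionary_size: int, words: int) -> int:
    """Candidates for a passphrase made of `words` words from one dictionary."""
    return dictionary_size ** words


def keyspace_random(alphabet_size: int, length: int) -> int:
    """Candidates for a uniformly random password over a given alphabet."""
    return alphabet_size ** length


def hours_to_exhaust(keyspace: int, rate: int = GPU_RATE) -> float:
    """Worst case: every candidate has to be hashed once."""
    return keyspace / rate / 3600


def expected_hours(keyspace: int, rate: int = GPU_RATE) -> float:
    """Average case: the right candidate turns up halfway through the search."""
    return hours_to_exhaust(keyspace, rate) / 2


def entropy_bits(keyspace: int) -> float:
    """Size of the candidate space expressed in bits."""
    return math.log2(keyspace)


# 94 printable ASCII symbols: letters, digits and punctuation (assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG, the way a local password manager does it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    four_words = keyspace_words(10_000, 4)
    print(f"four words from 10,000: {entropy_bits(four_words):.1f} bits, "
          f"exhausted in {hours_to_exhaust(four_words):.1f} h, "
          f"expected {expected_hours(four_words):.1f} h")
    rnd = keyspace_random(len(ALPHABET), 20)
    print(f"20 random symbols: {entropy_bits(rnd):.1f} bits, "
          f"exhausted in {hours_to_exhaust(rnd):.2e} h")
    print("example generated password:", generate_password())
```

The comparison is the point: four dictionary words are about 53 bits, while 20 symbols drawn uniformly from 94 are about 131 bits, and at the same hash rate the search time grows from hours to something with more than twenty zeros in it. `secrets.choice` draws from the operating system's random source, which is what distinguishes a manager running on your own device from a human "random" choice.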