How Do Hackers Crack Passwords So Easily?




Cracking user passwords is one of the most common crimes on the web, far ahead of DoS attacks and botnet building. Why is it so easy for attackers to recover passwords?
Password Tips

The biggest reason is that we subconsciously choose passwords that are hard for other people to guess and remember, but that an ordinary personal computer can sometimes run through in short order. Let's look at how attackers actually recover passwords, and how to defend against it.

In March 2013 the well-known American online magazine Ars Technica ran a curious experiment. Its editor Nate Anderson, who had never cracked a password in his life, armed himself with freely available cracking software, a wordlist built from the RockYou leak (the largest of recent years) and a list of 16,449 MD5 hashes posted on a dedicated forum that took seconds to find on the web. Within a few short hours he had cracked slightly less than half of them, recovering about eight thousand user passwords in plain text.


Again, Anderson had never cracked passwords before. Impressed by his success, in May 2013 Ars Technica repeated the experiment with the same list of MD5 hashes, this time with three professional crackers. The results were even more devastating.

The most passwords were recovered by Jeremi Gosney of Stricture Consulting Group. Using an ordinary desktop computer with an AMD Radeon 7970 graphics card, he cracked 14,734 passwords, 90% of the list, in twenty hours. Second place went to Jens Steube, lead developer of the free cracking tool oclHashcat-plus, who, on a somewhat more powerful machine with two Radeon 6990 graphics cards, recovered 13,486 hashes, 82% of the list, in only about an hour. A third cracker, working under the pseudonym radix, recovered 62% of the passwords in the same time and also documented his steps in detail.

So how do the experts go about it, and why are user passwords so easy to recover?

First the "simple" passwords are cracked, which takes the least time; then, as in a computer game, the cracker moves on to higher levels that require much more time and specialised skills.

Lengthening a password by just one or two characters multiplies the number of possible combinations, and exhausting all of them can take days. So the experts usually start with bounded brute force: for example, all passwords of lowercase letters only up to 8 characters, and all-digit passwords up to 12 characters. Brute force with these limits alone recovers a significant share of passwords.
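To make the "one or two more characters" claim concrete, here is an added example (not code from the article) that sizes a brute-force run the way a cracker does. The mask tokens follow hashcat's syntax (?l ?u ?d ?s ?a), and the 8e9 guesses per second is the article's own figure for MD5 on a Radeon HD 7970, used only as a yardstick.

```python
# Added example (not from the article): how a cracker sizes a brute-force
# run. Masks use hashcat's token syntax (?l ?u ?d ?s ?a); 8e9 H/s is the
# article's figure for MD5 on a Radeon HD 7970 and is only a yardstick.
import string

CHARSETS = {
    "?l": string.ascii_lowercase,   # 26 lowercase letters
    "?u": string.ascii_uppercase,   # 26 uppercase letters
    "?d": string.digits,            # 10 digits
    "?s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",  # 33 printable symbols
}
CHARSETS["?a"] = "".join(CHARSETS[t] for t in ("?l", "?u", "?d", "?s"))  # 95

def mask_keyspace(mask: str) -> int:
    """Candidates a mask expands to: '?l?l?l?l' -> 26**4.
    Literal characters contribute one choice; '??' is a literal '?'."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i:i + 2]
            if token != "??":
                if token not in CHARSETS:
                    raise ValueError(f"unknown mask token {token!r}")
                total *= len(CHARSETS[token])
            i += 2
        else:
            i += 1
    return total

def incremental_keyspace(token: str, max_len: int, min_len: int = 1) -> int:
    """All lengths min_len..max_len of one charset (hashcat --increment):
    'lowercase only, up to 8 chars' is incremental_keyspace('?l', 8)."""
    n = len(CHARSETS[token])
    return sum(n ** k for k in range(min_len, max_len + 1))

def seconds_to_exhaust(keyspace: int, rate: float = 8e9) -> float:
    """Worst case to try every candidate at `rate` hashes per second."""
    return keyspace / rate

def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"

if __name__ == "__main__":
    for label, space in [
        ("lowercase, 1..8 chars", incremental_keyspace("?l", 8)),
        ("digits, 1..12 chars", incremental_keyspace("?d", 12)),
        ("all printable, exactly 8", mask_keyspace("?a" * 8)),
        ("all printable, exactly 10", mask_keyspace("?a" * 10)),
    ]:
        print(f"{label:28s} {space:>22,d} candidates  ~{human(seconds_to_exhaust(space))}")
```

Run as a script it shows the point of the paragraph: every lowercase password up to 8 characters falls in under half a minute at that rate, every 8-character printable password in about nine days, and adding two characters pushes the same full keyspace past two hundred years, which is exactly why crackers stop brute-forcing there and switch to wordlists.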

Using exhaustive search on more complex passwords is pointless, since it can drag on for years, so the cracker turns to specially compiled wordlists generated from real user passwords exposed in various leaks. The largest database of English-language passwords in recent years was "supplied" to the cracking community by the site RockYou in December 2009: through a banal SQL injection, attackers took over a database of more than 32 million users, including user names, passwords and other details, all stored in plain text. The RockYou base went straight into every cracking "dictionary", and those dictionaries have been replenished by new leaks ever since, including the 2012 LinkedIn breach, which put 6.5 million password hashes into the open.

Tips for Protecting Your Passwords from Cracking

Databases like RockYou or LinkedIn are especially valuable because they contain real user passwords, not arbitrary combinations. On top of the words themselves there are mangling rules for substitution and combination that yield still more candidate passwords. And by analysing the theme of a site and the interests and professions of its members, the cracker can add still subtler candidate generation with site-specific templates and masks.

Interestingly, users of large public sites, above all social networks, rarely bother with strong passwords, naively believing that what they post there is of no interest to intruders. Of the 32 million RockYou passwords, 290,000 were the all-too-familiar "123456", and tens of thousands more were similar runs of digits of various lengths. Finally, many users reuse the same password on different services, and once a password is cracked on one site not everyone changes it on all the others. Wordlist attacks therefore remain one of the most powerful and efficient cracking techniques, recovering, by various estimates, 60-70% of user passwords on any public site.

To crack the remaining passwords, hybrid attacks are used that combine brute force with wordlist guessing. For instance, when choosing a new password some people take an old 7-8 character password and add one or two digits at the beginning or end. From a security standpoint such passwords do not hold up: these "usual" ways of "improving" an old password are well known in the trade, so the patterns add no real resistance.

Another kind of hybrid attack combines brute force with a statistical method based on Markov chains, which uses the character statistics of passwords already cracked for a given site to predict the likely passwords of its other users.

Hybrid attacks in their various forms, as well as "individual" sets of masks and templates, can take considerable time, but in the end they can recover up to 100% of the passwords for a given site. And considering that more than two-thirds of user passwords fall to simple methods within a few hours, yielding useful data for further analysis, a skilled professional can bring the total cracking time down to a reasonable minimum.

Why, then, do hackers crack user passwords so simply and quickly? First of all because people make them up. The usual patterns and habits are well known to professionals, and modern hardware, in particular ordinary "household" graphics accelerators, runs through all the possible combinations quickly: a Radeon HD 7970, for example, can try around 8,000,000,000 candidates per second against a fast hash like the MD5 used in the Ars Technica list.

For business use it is therefore recommended to rely on dedicated password generators, whose output contains no stable patterns to exploit and cannot be brute-forced in any reasonable time, long before which the passwords will have been rotated anyway.
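As an added example (not code from the article or from any particular product), here is the core of such a generator: it draws every character from the operating system's CSPRNG via Python's `secrets` module (never the `random` module, whose output is predictable), reports the entropy of what it produced, and converts that into a worst-case brute-force time at the article's 8e9 guesses per second, the number a rotation policy should be compared against. The 100-year target used in the demo is an assumption for illustration.

```python
# Added example (not from the article): a CSPRNG-backed password generator
# with entropy and brute-force-time estimates. The 8e9 guesses/s default is
# the article's Radeon HD 7970 figure; the 100-year target is an assumption.
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def generate(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniform random password: each position chosen independently from
    `alphabet` using the OS CSPRNG, so no character statistics to learn."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet: str = PRINTABLE) -> float:
    """Entropy of a uniformly generated password of this shape."""
    return length * math.log2(len(set(alphabet)))

def brute_force_years(bits: float, rate: float = 8e9) -> float:
    """Worst case to exhaust the keyspace at `rate` guesses per second."""
    return 2 ** bits / rate / (365 * 86400)

def min_length_for(years: float, alphabet: str = PRINTABLE, rate: float = 8e9) -> int:
    """Shortest length whose full keyspace takes at least `years` to exhaust."""
    needed_bits = math.log2(years * 365 * 86400 * rate)
    return math.ceil(needed_bits / math.log2(len(set(alphabet))))

if __name__ == "__main__":
    pw = generate()
    bits = entropy_bits(len(pw))
    print(pw, f"{bits:.1f} bits, ~{brute_force_years(bits):.3g} years to exhaust")
    print("printable chars needed for 100 years:", min_length_for(100))
    print("digits only needed for 100 years:   ", min_length_for(100, string.digits))
```

The last two lines make the article's point from the defender's side: against the same hardware a 10-character random printable password already sits outside a century of brute force, while a digits-only password needs 20 characters to get there, and neither figure applies to a human-chosen password, which the attacks above reach by pattern rather than by exhaustion.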

Finally, another reason is that not all public sites really care about the security of user passwords, and they use fairly simple hash algorithms that keep the load on their servers low. Some major sites still use SHA-1, which has sadly proven itself inadequate for this purpose, and do not even strengthen it with a "salt", a unique set of bits added to each password before hashing. The problem here is less SHA-1's cryptographic weaknesses than its speed: a GPU tries billions of SHA-1 candidates per second, and without a salt one guess is checked against every user's hash at once, which is why password storage calls for a per-user salt and a deliberately slow hashing function.
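To show the difference in practice, here is an added example (not code from the article) placing the storage scheme just criticised, a bare fast hash with no salt, beside a salted and deliberately slow one built from the standard library's PBKDF2-HMAC-SHA256. The two cracking helpers count hash evaluations to make visible why salt alone already hurts a bulk cracker. Users, passwords and wordlist are constructed for the demo; the 600,000-iteration default is a reasonable current setting for PBKDF2-SHA256 but is this example's choice, not the article's.

```python
# Added example (not from the article): unsalted SHA-1 storage beside a
# salted PBKDF2-HMAC-SHA256 scheme, with a hash-evaluation count for a
# wordlist attack against each. All users, passwords and words are
# constructed for the demo.
import hashlib
import hmac
import os

def weak_hash(password: str) -> str:
    """Unsalted SHA-1: same password -> same hash for every user, and a
    GPU evaluates billions of these per second."""
    return hashlib.sha1(password.encode()).hexdigest()

def store(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries everything verify needs."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare

def crack_unsalted(hashes, wordlist):
    """One SHA-1 per candidate serves every user at once.
    Returns ({hash: plaintext}, number of hash evaluations)."""
    table = {weak_hash(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}, len(wordlist)

def crack_salted(records, wordlist):
    """With a per-user salt every candidate must be recomputed per user,
    at the record's iteration count. Returns ({user: plaintext}, evaluations)."""
    found, work = {}, 0
    for user, rec in records.items():
        _, iterations, salt_hex, dk_hex = rec.split("$")
        for w in wordlist:
            work += 1
            dk = hashlib.pbkdf2_hmac("sha256", w.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
            if hmac.compare_digest(dk, bytes.fromhex(dk_hex)):
                found[user] = w
                break
    return found, work

if __name__ == "__main__":
    wordlist = ["123456", "password", "letmein", "qwerty"]           # constructed
    users = {"alice": "123456", "bob": "123456", "carol": "correct horse battery"}
    unsalted = {u: weak_hash(p) for u, p in users.items()}
    print("alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    found, work = crack_unsalted(set(unsalted.values()), wordlist)
    print(len(found), "hash(es) cracked with", work, "SHA-1 evaluations")
    salted = {u: store(p, iterations=1_000) for u, p in users.items()}   # low count for the demo
    found, work = crack_salted(salted, wordlist)
    print(len(found), "user(s) cracked with", work, "PBKDF2 runs of 1,000 rounds each")
```

With the unsalted table, four SHA-1 computations crack both alice and bob, and their identical hashes even reveal the reuse before any cracking. With salt the attacker pays the full work factor per user, and at a production iteration count each of those PBKDF2 runs costs hundreds of milliseconds rather than nanoseconds, turning the article's 8 billion guesses per second into a few thousand.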
