Years ago, eight-character random passwords consisting of upper and lower-case letters, symbols, and numbers were really hard to crack. In some cases, such a password took years to crack.
Thanks to today's changing technology and rentable machines, this time has been reduced to hours. But how are these passwords stored in the first place?
How Passwords Are Stored Online
Systems do not store user passwords directly in files or databases, because attackers can take over the database where the systems keep the passwords. Instead, systems encrypt user passwords, and attackers encounter an encrypted version of each password.
There are some algorithms that systems use to encrypt passwords. One of these algorithms is the symmetric algorithm. The symmetric algorithm is a type of encryption where you can use the same key for both encryption and decryption. The key you will use to encrypt the data is the same for both encryption and decryption. The security of symmetric algorithms carries some risks as there is only one key for decryption. For this reason, systems generally do not use symmetric algorithms for password encryption.
Generally, the method that systems use for encryption is hash algorithms. Hash algorithms are for verifying and representing the integrity of data, not for encrypting data. Hash algorithms convert data into a fixed-size hash. These hashes usually represent a unique hash of data.
Thanks to the hash algorithm, if an attacker has taken over the password database, the attacker cannot access the password backward from here. There is a very important nuance that you should pay attention to here. Theoretically, an attacker who compromises a system that uses the same hash algorithm for all password combinations can compare the results obtained. If the attacker produces the same value as a result of these comparisons, the attacker has found out what the open version of the password is. This method is all about trial and error, and this form of attack is generally called a brute force attack.
At the beginning of the 2000s, it could take hundreds of years to try all combinations for 8-character passwords encrypted with popular hashing algorithms. Of course, this di not include very simple combinations such as "123456" or "mypassword" in this set. With the development of today's software and hardware technologies, the method of cracking passwords has also changed a lot.
The Impact of Emerging GPUs
Parallel data processing capabilities of graphics processors (GPUs) have improved over time. GPUs are not capable of performing versatile operations like general-purpose CPUs. So even though there are so many cores and parallel processing power, it doesn't make sense to use them for almost every problem like CPU.
Yet it is possible to perform some hash algorithms used for passwords quite efficiently on the GPU. The computable hashes per second you can achieve with traditional CPUs have grown tremendously with new GPU platforms.
To get an idea, examine the hashing numbers per second of hash algorithms such as NTLM, MD5, and SHA1 in the table below. It is enough, for now, to know that these algorithms are just a hash algorithm. To create this table, I used a cluster system consisting of 25 AMD Radeon GPUs.
|
Algorithm |
Hashings Per Second |
|
NTLM |
350.000.000.000 |
|
MD5 |
180.000.000.000 |
|
SHA1 |
63.000.000.000 |
|
SHA512Crypt |
364.000 |
|
Bcrypt |
71.000 |
|
Scrypt |
33.000 |
As you can see, with such a system, you can generate NTLM hashes 350 billion times per second. This means you can try all combinations of an 8-character password in less than 6 hours. Moreover, the hardware in this example belongs to years ago. Imagine today's password-cracking power.
What Should Software Developers Do?
The way programmers should go is quite simple: they should prefer algorithms that take longer to calculate hash values when encrypting passwords. Developers need to learn not only about the performance of the algorithm they are using on the CPU but also about how resilient it is against the GPU world.
If developers are working with a software framework that also addresses password encryption processes such as Django, Ruby on Rails, and Spring Security, they should check whether the right decisions have been made within the framework in terms of security.
For example, Devise, one of the most used libraries for user operations in Ruby on Rails, uses Bcrypt as the default hash algorithm. It also allows you to use another method as the hash algorithm. The Bcrypt algorithm is reliable as it still takes a very long time for the GPU to break.
In summary, the longer the hash value calculation takes, the more secure you are.
How Many Characters Should Your Password Have?
Each extra character you use will geometrically increase the number of trials and errors needed to crack your password and make your password more secure.
Let's consider this situation through two different scenarios. Consider the values in the table above for the NTLM hash algorithm and imagine that you will try to crack the password. Imagine targeting passwords of eight characters or more.
|
Number of Characters |
Upper/Lowercase letters and numbers |
Upper/Lowercase letters, numbers, and special symbols |
|
8 |
less than 1 minute |
2 minutes |
|
9 |
2 minutes |
2 hours |
|
10 |
2 hours |
1 week |
|
11 |
6 days |
2 years |
|
12 |
1 year |
200 years |
|
13 |
more than 100 years |
more than 1000 years |
When you examine the table, you can see that the use of a minimum 12-character password is safe when you use all combinations of uppercase/lowercase letters, numbers, and special symbols. If you are not using special symbols then it turns out that you need to use 13 characters as the secure password length. If you used the Bcrypt hash method instead of NTLM hash in this system, 8 characters would be enough. However, you do not have the opportunity to know with which hash method a system you enter over the web keeps your password. That's why you should consider all possibilities.
The main problem for software developers is that it is almost impossible to convince users to have a minimum 12-character password. Today, it is possible to say that the rate of password usage of this length is low. Therefore, according to the usage scenario of the developed system, it will be necessary to find a middle ground that will be accepted by the users to improve their password security.
a last suggestion for developers is to check not only the minimum length but also the maximum length of the inputs coming through the forms you have presented to the user. Especially when you enable the use of a slow-to-calculate hash algorithm such as Bcrypt for security purposes, you may encounter some risks if you do not control the maximum length of the password entered by the user. For example, attackers can perform attacks by trying dozens of passwords of 100 thousand characters at the same time with some specially prepared requests. In such a case, it is highly likely that your system will become unresponsive to other users.
Advice to End Users
Make your password length a minimum of 12 characters and make sure to include upper and lower case letter combinations, numbers, and symbols. Never forget that the systems that store your password can be hacked, and your information can be abused. You cannot know which algorithms a system use to encrypt your password, so it is entirely up to you to take precautions and create strong passwords.