14

While password guessing is a science, not every attacker out there is up-to-date with the latest advances or cares to invest in GPUs or FPGAs.

It's easy enough to test online password guessing attacks by opening a honeypot, and they mostly focus on trivial passwords and don't even target default passwords that much. But online guesses are quite different from offline guesses when a password database has been exposed.

Have there been studies or at least cases showing how strong a password has to be in order to resist guesses by run-of-the-mill attackers? How “sophisticated” does an attacker have to be to use tools such as John the Ripper?

APT and security researchers are outside the scope of this question.

(Context: is Jeff Atwood's assertion that strong passwords are useless because attackers will stick to the “low-hanging password fruit” realistic?)

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
  • Don't have any figures to back this up so I'm just posting this as a comment: attackers don't really have to invest in large GPU arrays to obtain a major speed up. A single GPU that most people have in their computers are already insanely fast. Also, john the ripper is probably as easy as it gets as it is mostly a fire-and-forget tool unless you are configuring some specific ruleset for your attack. –  Mar 17 '13 at 02:15
  • 1
    @TerryChia Spoken like a security researcher. My question is: do *real world* attackers behave optimally? It's a fair question, since for example scammers don't — a lot of them don't even bother to write grammatically correct English. – Gilles 'SO- stop being evil' Mar 17 '13 at 02:54
  • 2
    @Gilles Often they're purposefully mis-spelling things to target only the most gullible people. – Polynomial Mar 17 '13 at 15:24

2 Answers2

5

There are essentially two types of attack: targeted attacks (APT, high value targets, personal attacks) and attacks of opportunity (low hanging fruit).

So, you're interested in offline attacks against leaked databases of passwords: the answer is that SOMEBODY will bother to put JTR, OCL Hashcat, or similar tools against that database. And that person/persons/group is looking to sell the retrieved credentials en masse to spammers, bank account hijackers, etc.

If you want an example: http://blogs.computerworld.com/20272/hackers_crowdsource_help_to_crack_nearly_6_5_million_leaked_linkedin_passwords http://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/

After all, why else leak the password DB if you're not going to crack them?

David
  • 15,939
  • 3
  • 50
  • 73
  • Why leak the password DB if you're not going to crack the passwords - I don't think you can safely try to guess motives on that sort of thing any more. We've seen enough Anonymous and just plain random things (like the leaked credit reports last week) for me to believe that imputing a motive makes sense. – Bruce Ediger Mar 18 '13 at 03:20
  • Good point, but once the password DBs are leaked, someone will bother. – David Mar 18 '13 at 23:28
  • Would anyone out there that has had their DB publicly leaked, not expire all passwords? – Jim B Dec 25 '14 at 16:04
2

Not every password leak is the same. The hash function used by the application and the application's password policy should dictate what tools you use to break the hashes. A good resource on this topic is Look Back on 2012′s Famous Password Hash Leaks – Wordlist, Analysis and New Cracking Techniques. In short, they where able to break the majority of password hashes using a blended approach.

If the application isn't salting passwords, or the salt is very small then a Rainbow Table is the tool of choice. Rainbow Tables are precomputed and freely available. This is the fastest method of exhausting a key-space (especially if you have a raid 0 array!). For these reasons a rainbow table is usually the first method of cracking if one can be used.

John the Ripper is able to work with wordlists and generate "leet speak" mutations on words. If a password is just a dictionary word or leet speak of a word, then John the Ripper can crack this hash. Unlike rainbow tables, John the Ripper can work accept the salt as an argument, which does not impede cracking.

If the application is using key stretching with bcrypt or pbkdf2, then an FPGA and GPU is almost worthless. In the 2012 leaked hash analysis, GPU's where able to crack about 48% of passwords, this is mainly because bcrypt and pbkdf2 are not commonly used.

... but in practice quantity isn't everything. I completely disagree with Jeff Atwood on this "low hanging fruit" approach. The account that is the most valuable is the administrative account, often there is only a single password hash that the attacker wants to break and they will do whatever they can to break this hash. As a penetration tester, breaking an administrative password hash is a great finding in a report and an excellent link in a chained attack.

rook
  • 47,004
  • 10
  • 94
  • 182
  • Thanks for these pointers, they're interesting, but that's not what I'm asking about. You're showing tools and techniques used by security researchers. I'm asking what the run-of-the-mill bad guys (not the APTers) are using. Attackers don't always behave optimally, and my question is all about how (sub)optimal they are. – Gilles 'SO- stop being evil' Mar 19 '13 at 18:23
  • @Gilles All of these cracked passwords are freely available and the tools they are used are very easy to use. So, I don't see a distinction. – rook Mar 19 '13 at 19:56
  • bcrypt is in fact much more cost- and power-efficient on FPGAs. See [Bcrypt password cracking extremely slow? Not if you are using hundreds of FPGAs!](https://medium.com/@ScatteredSecrets/bcrypt-password-cracking-extremely-slow-not-if-you-are-using-hundreds-of-fpgas-7ae42e3272f6). – nealmcb Jun 13 '20 at 20:26