
Lessons from a Professional Password Cracker

162 points, by BCM43, over 2 years ago

18 comments

jiggawatts, over 2 years ago
Some rules of thumb:

All Windows passwords shorter than about 10 characters shouldn't be considered secure, as the NT Hash at this point is so easily reversible that it's basically a "light obfuscation" at best. A single GPU can crack all 8-character passwords in minutes. The single best security setting on a Windows network is to increase the minimum password length to something like 14 characters. Use 20+ for privileged or service accounts.

The second best thing to do is to scan password hashes against "top password" lists and reject any that are in the top-N, where it's up to your business policy what 'N' is. I recommend at least the top 10,000 most common passwords being outright rejected.

The third thing is to match against specific leaks. E.g.: if you have john.smith@foo.com and there is a leak of his email and password where the password matches your records, force a password change immediately.

All of the above assumes that MFA is in place, your servers are patched, and there are extensive audit logs on all authentication attempts.
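A small policy checker that implements the three rules from the comment above (length floor by account class, top-N rejection, and forcing a reset when a leaked plaintext verifies against the stored record). This is an added example, not code from the thread; the top-N list, the directory records and the leak feed are constructed stand-ins, and PBKDF2 is used only as a generic salted store, not as a model of the NT hash.

```python
import hashlib
import hmac
import os

# Minimum length by account class, as the comment recommends.
MIN_LEN = {"standard": 14, "privileged": 20}

# Constructed stand-in for a real "top passwords" list (use 10,000+ entries
# in practice); compared case-insensitively.
TOP_N = {"123456", "password", "qwerty", "letmein", "bingobongo77"}

PBKDF2_ROUNDS = 100_000  # generic salted store for this example, not an NT hash


def evaluate_new_password(password, account_type="standard"):
    """Rules 1 and 2: enforce the length floor and reject top-N passwords.
    Returns a list of violations; an empty list means the password passes."""
    problems = []
    floor = MIN_LEN[account_type]
    if len(password) < floor:
        problems.append(f"shorter than {floor} characters")
    if password.lower() in TOP_N:
        problems.append("appears in the top-N common password list")
    return problems


def store_password(password):
    """Salted record as a directory would keep it (constructed format)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def leaked_password_matches(record, leaked_plaintext):
    """Rule 3: does a plaintext from a leak verify against the stored record?"""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", leaked_plaintext.encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["digest"])


def accounts_to_force_reset(records, leak):
    """records: lowercase email -> stored record; leak: iterable of
    (email, plaintext) pairs. Returns accounts whose current password is in the leak."""
    hits = set()
    for email, plaintext in leak:
        record = records.get(email.lower())
        if record is not None and leaked_password_matches(record, plaintext):
            hits.add(email.lower())
    return sorted(hits)
```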
gmane, over 2 years ago
Hey, I keep seeing people claim biometrics somehow fix the password problem, but I feel like this is just a password you can't change? I can't change my fingerprints nor my retina, but if that data ever gets leaked, then that's vulnerable forever?

In my mind, there's no world where one could make a biometric scanner that couldn't be spoofed (presumably with an Arduino USB interface), and then when all these corporations with the worst security (Facebook, Experian, etc.) leak my data, can't anyone log into my account?
asyncscrum, over 2 years ago
The rockyou.com insight was new to me. I hadn't heard of this breach somehow. I was wondering how they had 32m users and read some more on Wikipedia, and they had Facebook apps and some MySpace plugins.

From Wikipedia:

> In December 2009, RockYou experienced a data breach resulting in the exposure of over 32 million user accounts. This resulted from storing user data in an unencrypted database (including user passwords in plain text instead of using a cryptographic hash) and not patching a ten-year-old SQL vulnerability. RockYou failed to provide a notification of the breach to users and miscommunicated the extent of the breach.
hn_throwaway_99, over 2 years ago
> Instead of passwords, we should use something like FIDO, which allows users to log in using a security key or biometric information.

The problem "in the real world" is that people will lose these keys all the time. I mean, I agree, passwords need to die, and hopefully some of the work that is being done by Apple and others will help bring on an end to passwords, but you can't really talk about replacing passwords with FIDO keys without talking about how to deal with account lockouts, which is a real, hard problem.

Similarly, biometrics may be good for a user ID, but they make horrible passwords. These days fingerprints and irises can be copied from photographs.
WalterBright, over 2 years ago
I use this password for all my accounts: BingoBongo77. Is it secure?

Edit: oh crap
lofaszvanitt, over 2 years ago
Yubikey has been here since 2007... and Windows 10 still doesn't support passwordless, security-key-only login! They want you to register a goddamn MS account too...
upofadown, over 2 years ago
This all comes down to this statement:

> In fact, pretty much the only case where complexity and length matter is when we're defending against offline password cracking. But for every other case in the threat model where passwords are stolen, length and complexity simply don't matter.

The idea is that most passwords are stolen when they are plaintext. So it only matters that the password is unique to that system. Offline password cracking is relevant for cases like the passphrase used to protect your PGP or SSH keys. Then length and complexity is important. Stuff like the suggested FIDO is the same sort of thing. If you need to protect the FIDO key information, then length and complexity of your passphrase is important where offline password cracking is relevant.
lawgimenez, over 2 years ago
> Another legitimate case for password cracking is if someone in accounting encrypted a spreadsheet and then got hit by a bus and other employees needed access to that document

Ah, the good ol' bus factor.
richrichardsson, over 2 years ago
Slightly off topic, but it made me smile:

The linked Diceware website run by the daughter has press links about the $2 passwords she sells.

The FAQ notes the passwords are $4 a pop.

The actual price: $8
nimbius, over 2 years ago
Shameless plug: the EFF sells a dice set and fun sticker for use with their wordlist. https://www.eff.org/dice
aljgz, over 2 years ago
Don't choose a password to make offline cracking hard.

Sounds exactly like the advice an offline cracker would give. ;)
btbuildem, over 2 years ago
Meanwhile banks and large corps still enforce the inane "minimum of 8 characters, must contain at least one symbol and one number" password template.
mLuby, over 2 years ago
I'm surprised a password cracker would advocate switching to biometrics, the one type of password you can't change.
zekrioca, over 2 years ago
> I started paying her to roll dice and make Diceware passwords for me.

Interesting way to incentivize their daughter to do something.
hamiltonians, over 2 years ago
Meh. Pro hackers do not crack or bruteforce passwords except as a last resort. They instead find some critical vulnerability that bypasses the need for passwords, or steal the browser session, or use malware. This is how so many people got crypto stolen despite strong passwords.
iamcrazyyounus, over 2 years ago
Does this hold true even after the removal of LM hash v1 support?
slowhand09, over 2 years ago
You're telling me ROT13 isn't enough..?
imwillofficial, over 2 years ago
"A series of dictionary words that is easy for me to remember but hard for a computer to crack"

facepalm