Original author: Casey Johnston

Few Internet frustrations are so familiar as the password restriction. After creating a few (dozen) logins for all our Web presences, the use of symbols, mixed cases, and numbers seems less like a security measure and more like a torture device when it comes to remembering a complex password on a little-used site. But at least that variety of characters keeps you safe, right? As it turns out, some research both confirms how frustrating these restrictions are and suggests that complexity rules may do less for security than a long minimum length requirement.

Let's preface this with a reminder: the conventional wisdom is that complexity trumps length every time, and this notion is overwhelmingly true. Every security expert will tell you that “Supercalifragilistic” is less secure than “gj7B!!!bhrdc.” Few password creation schemes will render any password uncrackable, but in general, length does less to guard against crackability than complexity.

A password is not immune from cracking simply by virtue of being long—44,991 passwords recovered from a dump of LinkedIn hashes last year were 16 characters or more. The research we describe below refers specifically to the effects of restrictions placed by administrators on password construction on their crackability. By no means does it suggest that a long password is, by default, more secure than a complex one.

Original author: Megan Geuss

List your passwords alphabetically, so it's easy for you and others to find them!

Give three password crackers a list of 16,000 cryptographically hashed passwords and ask them to come up with the plaintext phrases they correspond to. That's what Ars did this week in Dan Goodin's Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331.” Turns out, with just a little skill and some good hardware, three prominent password crackers were able to decode up to 90 percent of the list using common techniques.

The hashes the security experts used were converted using the MD5 cryptographic hash function, something that puzzled our readers a bit. MD5 is seen as a relatively weak hash function compared to hashing functions like bcrypt. flunk wrote, "These articles are interesting but this particular test isn't very relevant. MD5 wasn't considered a secure way to hash passwords 10 years ago, let alone now. Why wasn't this done with bcrypt and salting? That's much more realistic. Giving them a list of passwords that is encrypted in a way that would be considered massively incompetent in today's IT world isn't really a useful test."

To this, Goodin replied that plenty of Web services employ weak security practices: "This exercise was entirely relevant given the huge number of websites that use MD5, SHA1, and other fast functions to hash passwords. Only when MD5 is no longer used will exercises like this be irrelevant." Goodin later went on to cite the recent compromises of "LinkedIn, eHarmony, and LivingSocial," which were all using "fast hashing" techniques similar to MD5.


An overview of a chosen-prefix collision. A similar technique was used by the Flame espionage malware that targeted Iran. The scientific novelty of the malware underscored the sophistication of malware sponsored by wealthy nation states.

Marc Stevens

The dance among blackhat, whitehat, and greyhat hackers grew ever more intricate in 2012, thanks to a steady stream of exploits, vulnerability discoveries, and data breaches. In-the-wild attacks against Internet Explorer, the Java software framework, and other perennial favorites continued, of course. They inflicted plenty of damage on end users, but given their familiarity, they hardly stood out.

What got our attention were attacks on entirely new classes of devices or victims, or in the case of passwords and cryptography, the culmination of new exploit techniques quickly eroding the protection we once took for granted.

From our perspective, here are the five biggest security stories this year.


A slide from Steube's presentation outlining a more efficient way to crack passwords protected by the SHA1 cryptographic algorithm.

A researcher has devised a method that reduces the time and resources required to crack passwords that are protected by the SHA1 cryptographic algorithm.

The optimization, presented on Tuesday at the Passwords^12 conference in Oslo, Norway, can speed up password cracking by 21 percent. The optimization works by reducing the number of steps required to calculate SHA1 hashes, which are used to cryptographically represent strings of text so passwords aren't stored as plain text. Such one-way hashes—for example 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 to represent "password" (minus the quotes) and e38ad214943daad1d64c102faec29de4afe9da3d for "password1"—can't be mathematically unscrambled, so the only way to reverse one is to run plaintext guesses through the same cryptographic function until an identical hash is generated.

Jens Steube—who is better known as Atom, the pseudonymous developer of the popular Hashcat password-recovery program—figured out a way to remove identical computations that are performed multiple times from the process of generating SHA1 hashes. By precalculating several steps ahead of time, he's able to skip the redundant steps, shaving 21 percent of the time required to crack large numbers of passwords. Slides from Tuesday's presentation are here.
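As an added illustration of the point made in both items above (fast, unsalted MD5/SHA1 is a poor way to store passwords because every guess is cheap, which is also what makes a 21 percent SHA1 speed-up matter), here is a Python example that is not from Ars, Hashcat or Steube. It reproduces the two SHA1 digests quoted above and measures how much more each guess costs under a salted, iterated hash; PBKDF2-HMAC from the standard library stands in for bcrypt, which is an assumption made so the example runs offline.

```python
import hashlib
import hmac
import os
import time


def fast_hash(password: str, algo: str = "sha1") -> str:
    """Unsalted MD5/SHA1 digest, as used by the breached sites mentioned above."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


# bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in
# for it here (assumption); both add a per-user salt and a tunable work factor.
ITERATIONS = 200_000


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iters$salt$digest'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def new_slow_hash(password: str) -> str:
    """Fresh random salt per user: identical passwords no longer share a hash."""
    return slow_hash(password, os.urandom(16))


def verify_slow(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, _ = stored.split("$")
    candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


def seconds_per_guess(fn, rounds: int) -> float:
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"guess{i}")  # constructed throwaway inputs, just to time the function
    return (time.perf_counter() - start) / rounds


def slowdown_factor() -> float:
    """How many times more CPU a single guess costs under the salted slow hash."""
    salt = b"\x00" * 16  # fixed salt only so the timing loop is comparable
    fast = seconds_per_guess(fast_hash, 20_000)
    slow = seconds_per_guess(lambda p: slow_hash(p, salt), 5)
    return slow / fast


if __name__ == "__main__":
    print(fast_hash("password"))  # 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    h1, h2 = new_slow_hash("password"), new_slow_hash("password")
    print("distinct salted hashes:", h1 != h2, "verify:", verify_slow("password", h1))
    print(f"each guess costs about {slowdown_factor():,.0f}x more under the slow hash")
```

The factor printed at the end is the real-world difference between the hash dumps discussed above and a site that uses a properly salted, work-factored scheme: the same guessing technique still works, but each attempt costs orders of magnitude more.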


Jon Guerrera

Former Lot18 employee Jon Guerrera is big into gamification. So when Google offered him the chance to interview for an Associate Account Strategist position, he decided to make the process more fun.

He motivated himself to study for his interview by using a combination of milestones and rewards. He threw in time tracking, streak bonuses (i.e. studying for ten days straight unlocks a shopping spree), a progress bar, and variable rewards, which included Sencha shots and energy drinks.

He explains each motivational method on his blog, Living for Improvement:

Milestones and reward combination: Guerrera set up a few studying milestones at the 1 hour, 5 hour, 10 hour and 16 hour marks. Upon hitting each milestone, Guerrera rewarded himself with a pre-planned prize. After the first hour, for example, he was allowed two Rockstar energy drinks. After ten hours, he unlocked a $200 shopping spree. The rewards were realistic; he happily gave them to himself as he reached each goal.

Tracking: Guerrera tracked his daily studying time with a stopwatch on his web browser. He jotted down the results on post-its so he could reward himself for total hours studied and streaks. For example, if he studied for ten days straight, he allowed himself to buy a ThinkGeek item, worth up to $100.

Variable rewards: Some of his rewards were based on chance; they weren't outcomes he could control. For instance, every hour he studied, Guerrera would flip a coin twice. If it landed on heads both times, he'd be allowed an energy drink.

Progress bar: As he grew weary, Guerrera pushed himself to continue by implementing a progress bar, like the ones LinkedIn uses on profile pages to encourage users to upload more items. His progress bar was completed after 16 hours of studying.

A workaround: When he was too tired to study new information, Guerrera came up with a method he dubbed, "low energy progress enabling." In other words, he came up with a satisfactory way to study without actively learning new material. He'd record himself reciting answers to hypothetical Google interview questions, then listen to it when he was on the go. The time spent listening to his recorded answers counted towards his total study time.

Here are the gamification sticky notes Guerrera created to track his progress:

Gamifying interview prep time sounds intense, but for Guerrera, it paid off. He landed the job at Google.

"I arrived at the interview nervous as hell, but I was incredibly well prepared," says Guerrera. "And I never would’ve been so thoroughly prepared without the system I’ve described above – every spare moment of my days leading up to the interview were filled with preparation and practice, which paid off in spades. Eight weeks later, I’m sitting in my San Francisco apartment, currently employed by my dream company. I’m so glad I was able to use gamification to help me capitalize on this once in a lifetime opportunity that presented itself to me."
