How long does it take to hack a 16-character password?
=======
Last week, NIST (the National Institute of Standards and Technology) issued new guidelines for password security.
After a review, NIST concluded that its former rules — requiring passwords to include upper and lower case letters, numbers and special characters — made logins more complicated but didn’t materially improve online security.
Now, NIST is recommending using long, easy-to-remember phrases instead of relatively short strings of mixed letters, numbers and characters.
The rationale: the longer the string, the harder it is to crack.
For example, some researchers concluded that it would take only 3 days to crack a password like “Tr0ub4dor&3” — but over 550 years to crack the password “CorrectHorseBatteryStaple”.

Oh really?
The story reminded me of a prior HomaFiles post that reported on a hacking test.
Hackers were given 1 hour to crack more than 16,000 cryptographically hashed passwords.
Here are the (frightening) results …
According to the Daily Mail, given a 1-hour time limit, a team of hackers cracked more than 14,800 cryptographically hashed passwords – from a list of 16,449 – as part of a hacking experiment for tech website Ars Technica.
That’s a 90% success rate … almost 250 passwords per minute … about 1/4th of a second per password.
How did they do it?
A mixture of brute-force attempts, wordlists, statistically generated guesses using Markov chains, and other rules to turn a list of hashed passwords into plain text.
The brute force part was accomplished using a 25-computer cluster that can crack passwords by making 350 billion guesses per second.
For tech details, see the Daily Mail article.
The process and capabilities are fascinating … and mucho scary.
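As an added illustration (not part of the original post), here is the guessing-time arithmetic behind the comparisons above: the 3-day and 550-year figures correspond to roughly 28 and 44 bits of guessing entropy at an assumed 1,000 guesses per second, i.e. an online attacker throttled by the server (the post does not state that rate), and the same keyspaces at the cluster’s 350 billion guesses per second shrink to well under a minute. The dictionary size of 2,048 words, the 95-symbol printable alphabet and the 16- and 25-character lengths are constructed assumptions for the calculation.

```python
import math

# Rates: 350 billion guesses/second is the cluster rate quoted in the post;
# 1,000 guesses/second is a constructed figure for an online, rate-limited
# attacker (the post does not state it).
CLUSTER_RATE = 350e9
ONLINE_RATE = 1e3


def keyspace_seconds(keyspace, rate):
    """Worst-case seconds to try every candidate in `keyspace` at `rate` guesses/s."""
    return keyspace / rate


def brute_force_keyspace(length, alphabet_size):
    """Number of strings of exactly `length` symbols over `alphabet_size` symbols."""
    return alphabet_size ** length


def passphrase_keyspace(words, dictionary_size):
    """Candidates when the attacker knows the phrase is `words` dictionary words."""
    return dictionary_size ** words


def entropy_bits(keyspace):
    """Guessing entropy (bits) of a value chosen uniformly from `keyspace`."""
    return math.log2(keyspace)


def human(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


def report():
    """Rows of (label, bits, time at 1,000 guesses/s, time at 350 billion guesses/s)."""
    cases = [
        # The post's two examples, modelled as 28 and 44 bits (assumed figures
        # that reproduce its "3 days" and "550 years" at 1,000 guesses/s).
        ("Tr0ub4dor&3-style (28 bits)", 2 ** 28),
        ("4 words from a 2,048-word list (44 bits)", passphrase_keyspace(4, 2048)),
        # A 16-character password over 95 printable ASCII symbols, brute-forced.
        ("16 chars, 95-symbol alphabet", brute_force_keyspace(16, 95)),
        # A 25-letter phrase the attacker cannot reduce to dictionary words.
        ("25 lowercase letters, brute force", brute_force_keyspace(25, 26)),
    ]
    return [(label, entropy_bits(k), human(keyspace_seconds(k, ONLINE_RATE)),
             human(keyspace_seconds(k, CLUSTER_RATE))) for label, k in cases]


if __name__ == "__main__":
    for label, bits, online, offline in report():
        print(f"{label}: {bits:.1f} bits; online {online}; offline {offline}")
```

The table makes the security-relevant point explicit: the “550 years” only holds against a throttled online guesser, while against an offline cracker at the cluster’s rate a four-dictionary-word phrase falls in under a minute, and only a phrase that must be brute-forced symbol by symbol stays out of reach.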
=========
P.S. My guess: a 25 letter nonsense phrase — like the one above — wouldn’t take much longer than a funky 16-character password.
So, if you really want to protect yourself, use 2-step verification — or at least ask for challenge questions.
* * * * *
August 16, 2017 at 12:50 pm |
I get that given massive computing power and nearly unlimited tries would get through most passwords. But wouldn’t the lock-out-after-3-attempts security feature largely thwart that method in the real world?