February 23, 2007, 11:57 AM — Passwords are being cracked around the world as we speak.
In the old days, we measured password strength by the time it took for attackers to crack the passwords from the hashes, or other encoded/encrypted formats that they would be retrieved in. The longer your passwords could withstand brute force cracking attacks, the stronger we considered them. From this tenet, came the wisdom that passwords that used mixed case, special characters and that were longer were stronger than shorter less special-character inclusive ones. Attackers reinforced this tenet by building tools for performing dictionary scanning tools that would quickly crack passwords based on dictionary words, even with replacements like 3 for e, or 1 for I, etc. and they've only gotten better. Attackers have made a quantum leap in password cracking in the last few years. They've developed "Rainbow" type tools that do the heavy processor and math workload up front and then use database-type storage and retrieval to search massive archives of pre-computed password hashes to retrieve the known passwords.
This change in tactic has largely led to huge increases in password cracking capabilities. Passwords that used to take days to weeks to crack can now be cracked in seconds if the attacker has suitable database capabilities, storage and access to the pre-computed cracked hashes. Attackers have even taken this a step further and created huge networks of distributed, parallel cracking systems and applications for folks to "contribute" CPU cycles to either cracking or pre-computing the hashes for later use. Right now, attackers use their machines, Bot-nets and all kinds of other ways to get massive amounts of pre-computed hashes to continually reduce the effectiveness of even the strongest of passwords.
As security practitioners, we must remain aware. In most cases, we must assume that except in extremely rare circumstances, if an attacker gets the password file or hashes, they can/will/have broken the passwords. This is a huge change in mindset for many (not all, but many) security folks. Time is no longer on our side. In many cases, it is faster to crack the password than to change it across an enterprise, especially if politics, change controls and cross-platforms are involved. Quite simply, we must checkmate the attacker before they get the password hashes. This involves utilizing continual assessment and mitigations on all systems, application risk reduction and preventing the holes that attackers exploit to get at the hashes.
http://en.wikipedia.org/wiki/Password_cracking
