Security fail: weak passwords, strong crackers, social engineering


Every week seems to bring a new warning about another hacked site exposing at least a million passwords. Is security possible anymore?

Ars Technica explores the problem in “Why passwords have never been weaker—and crackers have never been stronger.” The average user has 25 accounts but only 6.5 distinct passwords. Sites demand email addresses as usernames, so whoever cracks one site immediately holds working credentials for many more.

Graphics processors make cheap, fast cracking machines, and about 100 million passwords were published online last year. Salting passwords (appending a unique random string to each one before hashing it) makes the stored hashes much harder to crack in bulk, but many hacked sites, and many more current ones, don't salt. Then there's social engineering of password hints.

Make it harder

Okay, so it can try 8.2 billion per second. All a website had to do to foil that is to deny any more tries after 10 or so, no?

ewelch on

What a lame story. Brute force attacks are easily thwarted with a delay after an unsuccessful login.

Bill Johnson on

A 4-digit PIN with a 3 attempt lock-out (and no further information) is more secure than a 10 character password encrypted with MD5.

casca on

What seems to work best is to slow logins down rather than lock them out completely. Still lets users in, but slows down bulk attacks enough so that the risk is low.

adrianhoward on

Lock-outs are tricky to manage. I can flood 50 login requests and have the legitimate user quickly locked out.

casca on
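The trade-off the commenters above are arguing about (a hard lock-out after N failures versus slowing each attempt down) can be simulated. The following is an added example, not code from the article or from anyone in the Ars thread; the account name, passwords and IP addresses are constructed for the demo, and the two policy classes are hypothetical implementations written for illustration.

```python
import time


class FakeClock:
    """Deterministic clock so the simulation is reproducible (constructed for the demo)."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class HardLockout:
    """Refuse all logins to an account after max_failures, whoever caused them.
    Strong against guessing, but anyone can lock a victim out by flooding."""
    def __init__(self, max_failures: int = 10):
        self.max_failures = max_failures
        self.failures: dict = {}

    def allowed(self, account: str, source: str) -> bool:
        return self.failures.get(account, 0) < self.max_failures

    def record(self, account: str, source: str, success: bool) -> None:
        if success:
            self.failures.pop(account, None)
        else:
            self.failures[account] = self.failures.get(account, 0) + 1


class ProgressiveDelay:
    """Throttle each (account, source) pair with exponential backoff: 1s, 2s, 4s ...
    up to a cap. The account is never fully locked, so a flood from one source
    does not shut out the real user arriving from another."""
    def __init__(self, base: float = 1.0, cap: float = 300.0, clock=time.monotonic):
        self.base, self.cap, self.clock = base, cap, clock
        self.state: dict = {}  # (account, source) -> (failures, not_before)

    def allowed(self, account: str, source: str) -> bool:
        _, not_before = self.state.get((account, source), (0, 0.0))
        return self.clock() >= not_before

    def record(self, account: str, source: str, success: bool) -> None:
        key = (account, source)
        if success:
            self.state.pop(key, None)
            return
        failures = self.state.get(key, (0, 0.0))[0] + 1
        delay = min(self.base * 2 ** (failures - 1), self.cap)
        self.state[key] = (failures, self.clock() + delay)


PASSWORDS = {"victim": "s3cret-passphrase"}  # constructed demo account


def try_login(policy, account: str, source: str, password: str) -> str:
    """Return 'throttled', 'ok' or 'wrong' and update the policy's counters."""
    if not policy.allowed(account, source):
        return "throttled"
    success = PASSWORDS.get(account) == password
    policy.record(account, source, success)
    return "ok" if success else "wrong"


def flood_then_legit(policy, flood: int = 50):
    """Attacker fires `flood` wrong guesses from one source within one second,
    then the real user logs in from home. Returns
    (guesses actually checked, whether the real user got in)."""
    checked = sum(
        try_login(policy, "victim", "198.51.100.7", "guess%d" % i) == "wrong"
        for i in range(flood)
    )
    legit = try_login(policy, "victim", "192.0.2.10", PASSWORDS["victim"]) == "ok"
    return checked, legit


def guesses_per_hour(policy, clock: FakeClock) -> int:
    """Attacker retries once per second for an hour; count guesses that got checked."""
    checked = 0
    for second in range(3600):
        clock.now = float(second)
        if try_login(policy, "victim", "198.51.100.7", "guess%d" % second) == "wrong":
            checked += 1
    return checked


if __name__ == "__main__":
    print("hard lock-out:    ", flood_then_legit(HardLockout()))            # (10, False)
    print("progressive delay:", flood_then_legit(ProgressiveDelay(clock=FakeClock())))  # (1, True)
    print("guesses/hour under delay:", guesses_per_hour(ProgressiveDelay(clock=FakeClock()), FakeClock()))
```

With the hard lock-out the flood locks the legitimate user out; with per-source backoff the user gets in and the attacker is held to about twenty checked guesses an hour from one source. Keying on (account, source) is what protects the real user, and it is also the policy's weak spot: it has to be paired with a slower-growing per-account delay or a secondary check after repeated failures, or a guesser can simply spread attempts across sources.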

More technical

There is a difference between an algorithm being cryptographically secure and being brute force resistant. They exist for different purposes (and adaptive hash algorithms build upon the foundation of a cryptographically secure hash).

xoa on
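Both the salting point in the summary above and xoa's distinction between a hash that is cryptographically secure and one that resists brute force come down to what the stored record looks like. The following is an added example written for this page, not code from the article or the Ars thread; the two sample users and their shared password are constructed, and the iteration count is an illustrative choice.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts for the demo; not real credentials.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",  # reuses alice's password
}


def unsalted_md5(password: str) -> str:
    """Unsalted, fast hash: two users with the same password get the same digest,
    and one precomputed table cracks every leaked copy at once."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """Salted but still fast: equal passwords now differ per user, which defeats
    shared lookup tables, yet a GPU can still try billions of guesses a second."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Adaptive (iterated) hash: PBKDF2-HMAC-SHA256 over a random 16-byte salt.
    The iteration count is stored so it can be raised as hardware gets faster."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_password_is_visible(users: dict) -> bool:
    """True if the unsalted scheme reveals that two users share a password."""
    digests = [unsalted_md5(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)


def salts_hide_sharing(users: dict) -> bool:
    """True if per-user salts make equal passwords produce different digests."""
    digests = [salted_sha256(pw, os.urandom(16)) for pw in users.values()]
    return len(set(digests)) == len(digests)


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core throughput of hash_fn. Absolute numbers vary by machine;
    the ratio between the fast hash and the iterated one is the point."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("guess%d" % count)
        count += 1
    return count / seconds


if __name__ == "__main__":
    print("unsalted MD5 reveals the shared password:", shared_password_is_visible(SAMPLE_USERS))
    print("salted SHA-256 hides it:", salts_hide_sharing(SAMPLE_USERS))
    rec = make_record(SAMPLE_USERS["alice"])
    print("verify correct:", verify(rec, SAMPLE_USERS["alice"]))
    print("verify wrong:", verify(rec, "hunter2"))
    print("MD5 guesses/s: %.0f" % guesses_per_second(unsalted_md5))
    print("PBKDF2 (20k iterations) guesses/s: %.0f" % guesses_per_second(lambda p: make_record(p, 20_000)))
```

SHA-256 is cryptographically secure in the sense xoa means, and it is still the wrong choice on its own for password storage because it is fast; the salt removes the shared-table shortcut, and the iteration count is what turns a cracker's billions of guesses a second into thousands. The same structure applies to bcrypt, scrypt and Argon2, which add memory cost on top of iteration.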

Use a professional grade password generator and create new ones every month, or sooner if called for.

Manuel Garcia O'Kelly on

More and more I feel like passwords are a fundamentally broken system. We need a better system of locks and keys. What it is, I don't know. I just know that it's not "passwords".

eqypturnash on

Less technical

Surely the bigger issue is Mom & Dad - are we really expecting them to use Password Managers or a different, random phrase password for every single website that they use?

deadlock on

I still believe hacking is 80% social engineering, 10% software and 10% brute force.

C on

Come clean: do you or “a friend” use the same password for every site?
