Passwords – Who Needs Them Anyway?
The number of passwords an individual user must remember to use services in the digital space continues to grow daily. In the past, a user could get away with memorizing a single password that they could use for many services. However, now that seems to be an implausible and risky notion.
Passwords have been used in computer security since its very inception. When the world wide web began to boom in the 90s and more and more people began using the Internet, sensitive data has become more accessible to the world. Passwords and their associated strength became imperative to the protection of this data from prying eyes. However, this did and does not stop hackers and other malicious users from attempting to ‘crack’ a password.
Password cracking refers to various measures used to discover computer passwords. This can be performed in a variety of ways. Malicious actors try cracking a password by repeatedly guessing the password which is called ‘brute-forcing’ a password. This is where the importance of strong passwords lies. Many organizations now mandate that a password include eight characters including upper case, lower case, numbers and special characters. However, hackers still look for means to exploit weak passwords and the modes of travel these passwords take in-between computer systems. This is where the concept of cryptography comes into place.
Cryptography is a method of storing and transmitting data in a form so that only those for whom it is intended can read and process it. Cryptographic concepts like hashing became widely used so that computer systems could hide and obfuscate sensitive passwords from the average user to the skilled hacker. Hashing is the process by which a string of characters is transformed into a numerical code. Other security mechanisms passwords can employ within these numerical hashes is a concept called ‘salting.’ Salting further encrypts passwords by inserting random data before and/or after a password before it is then hashed. This further randomizes the password’s hash which makes it harder for an attacker to crack.
Still, there are several applications hackers use to attempt to decrypt these hashes. One popular application is called Hashcat. Hashcat is an application that can crack a password in a variety of ways. It can attack numerous hash types that various computer systems/applications utilize. While we already mentioned what a brute-force attack is, another type of password attack is a wordlist attack. This is when a hash is running against a file (or multiple) which contains hundreds to millions of different passwords. If the password of that particular hash is included in this file, it collides with the hash and thus the password is found.
While in the past, password cracking has used computer power as its ‘fuel’, now powerful graphics cards are utilized in these attacks. Graphics cards or GPUs are hundreds to thousands of times more powerful than CPUs which allow passwords to be cracked in a much less time. Multiple GPUs can also be utilized concurrently which makes cracking these passwords even faster! As these GPUs continue to fall in price and their processing power continue to increase, companies will be faced with the choice to increase the length, complexity, and rules to which a password must comply with.
The one kryptonite to hackers who try to crack passwords for exploitation is Multi-Factor Authentication. Multifactor authentication (MFA) is a security system that requires more than one method of authentication to verify the user’s identity. So, even if a password was successfully cracked, a user would have to verify their identity in another manner which that user designates. These identifying mechanisms can range from another password to a security token they may carry, or some sort of biometric verification that only that user possesses.
In the end, hackers will always attempt to gain access to places they are not allowed to be. It is up to all of us to continue to thwart these attempts by thinking of new ways to protect our passwords and our data. Long live the password!