You are on page 1of 13

Think you have a strong password?

Hackers crack 16-character passwords in less than an HOUR
During an experiment for Ars Technica hackers managed to crack 90% of 16,449 hashed passwords Six passwords were cracked each minute including 16-character versions such as 'qeadzcwrsfxv1331'
By Victoria Woollaston PUBLISHED: 16:17 GMT, 28 May 2013 | UPDATED: 17:15 GMT, 28 May 2013

853 shares 199 View comments

A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449 - as part of a hacking experiment for a technology website. The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster. The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'.

rather than plain text passwords. including 16-character passwords with a mix of numbers and letters. Cryptographic salt . and match the hash automatically.Hashing takes each user's plain text password and runs it through a one-way mathematical function. . Hashing makes it difficult for an attacker to move from hash back to password and it lets sites keep a list of hashes. The success rate for each hacker ranged from 62% to 90%. usually for cracking password hashes. the plain text passwords can't be obtained easily. Tables are usually used in recovering the plaintext password. working for the website Ars Technica.from a list of 16. The hacker who cracked 90% of hashed passwords did so in less than an hour HACKING JARGON EXPLAINED Hashed passwords .Sites will add cryptographic salt to passwords to make them harder to crack. have now published how they cracked the codes and the traditional methods used to create an anatomy of a hack. This includes adding random numbers.449 .A team of hackers have managed to crack more than 14. This creates a unique string of numbers and letters called the hash.A rainbow table is a precomputed table for reversing cryptographic hash functions.as part of a hacking experiment for tech website Ars Technica. This means if a list is stolen.800 cryptographically hashed passwords . Rainbow tables . up to a certain length consisting of a limited set of characters. The hackers. for example. characters or letters to the start or end of a password during the hashing process so hackers can't automatically enter a six-letter word.

. However. the system hashes the entered word and checks it against the user's stored.Rather than repeatedly entering passwords into a website. He repeated this for seven and eight-letter passwords using only upper-case letters to reveal another 708 passwords. starting with 'a' and ending with '//////. And using characters.233 hashes. This creates a unique string of numbers and letters called the hash. or 62 percent of the leaked list.618 passwords. Ars Technica use is: hashing the password 'arstechnica' produced the hash c915e95033e8c69ada58eb784a98b2ed. When a user types a password into an online form or service. Hashing makes it difficult for an attacker to move from hash back to password and it lets sites keep a list of hashes. the plain text passwords can't be obtained easily. When the two hashes match. managed to crack the first 10. Gosney then used brute-force to crack all passwords seven or eight characters long that only contained lower letters. Hashing takes each user's plain text password and runs it through a one-way mathematical function. Jeremi Gosney. This means if a list is stolen. Brute-force attacks is when a computer tries every possible combination of six letters and characters. This yielded 1. rather than storing them insecurely as plain-text passwords. pre-hashed password. Adding capital letters to make 'ArsTechnica' becomes 1d9a3f8172b01328de5acba20563408e after hashing. the user is allowed entry to their account. a mix of lower and upper case letters and numbers creates slight variations of a hash.316 plain-text passwords. the hackers used a list of hashed passwords they managed to get online. He used a so-called 'brute-force crack' for all passwords that were one to six characters long. the founder and CEO of Stricture Consulting Group. this experiment shows this doesn't mean its impossible. which found 1. in 16 minutes. The example.' It took Gosney just two minutes and 32 seconds to complete the first round.

449 hashed passwords based on the method used. characters or letters to the start or end of a password during the hashing process so hackers can't automatically enter a six-letter word. One hurdle Gosney had to jump during stage one of the hack was 'salted hashes'.he added all possible two-character strings of both numbers and symbols to the end of each word in his dictionary. Gosney managed to brute-force 312 passwords in three minutes and 21 seconds. This can include adding random numbers. . Gosney has spent years perfecting word lists that contain a list of all the six-letter words. It also shows how long it took to crack passwords based on how long they were. 'cryptographically salted' hashes are cracked it becomes easier to work out the rest. for example. Gosney explained that once one weak. for example. to make cracking the weaker passwords faster. even those that had been salted. Each hacker used a combination of wordlists. One hacker managed to crack 90% of the list Using passwords that contained only numbers.This graph shows how long in days it took the Ars Technica hackers to crack the list of 16. brute-force attacks and Markov chains to crack the list. and match the hash automatically. using brute-force he moved onto stage two. from one to 12 digits long. However. Once Gosney had obtained the weaker passwords.which combines a dictionary attack with a brute-force attack . a technique where sites add random characters to passwords to make them harder to crack. Using a hybrid attack .

Brute-force attack . In a six-letter attack. And because passwords usually have capital letters at the start. It took him 14 hours and 59 minutes to complete all stages MORE HACKING JARGON EXPLAINED Markov chains . A Markov attack on a seven-letter password has a threshold of 65 tries. Just as a criminal might break into. .Jeremi Gosney used a mixture of brute-force attacks. Markov attacks can crack almost as many passwords as a straight brute-force. or 'crack' a safe by trying many possible combinations. using the 65 most likely characters for each position. a brute-force cracking attempt goes through all possible combinations of characters in sequence. statistically generated guesses using Markov chains.Brute force also known as brute force cracking is a trial-and-error method used by to get plain-text passwords from encrypted data. a hybrid attack that combined wordlists with brute-force attempts.This method uses previously cracked passwords and a statistically generated brute-force attack that makes educated guesses to analyse plains and determine where certain types of characters are likely to appear in a password. and symbols and numbers at the end. lower-case letters in the middle. He next added all possible three-character strings to get another 527 hashes in 58 minutes to complete. and other rules to turn a list of hashed passwords into plain text. the hacker will start at 'a' and end at '//////' He recovered 585 plain passwords in 11 minutes and 25 seconds.

6 percent of the list. In round four he added all possible strings containing three lower-case letters and numbers and got 451 more passwords. Tables are usually used in recovering the plaintext password. rainbow tables (pictured) and an algorithm called a Markov chains. among other techniques. or 78. And because passwords usually have capital letters at the start. and determine where certain types of characters are likely to appear in a password. to crack passwords from a hashed list. in five hours and 28 minutes. A rainbow table is a precomputed table for reversing cryptographic hash functions. and symbols and numbers at the end. up to a certain length consisting of a limited set of characters TYPES OF PASSWORDS RECOVERED Some of the longer. Hackers use a mix of wordlists. in which Gosney attempted to crack the most complicated passwords. During the third stage. he added all four-digit number strings and he took 25 minutes to recover 435 passwords. Markov attacks can crack almost as many passwords as a straight brute-force.935 hashes. A Markov attack on a seven-letter password has a threshold of 65 tries. using the 65 most likely characters for each position. In five hours and 12 minutes he managed to get 2. usually for cracking password hashes. he used a mathematical system known as Markov chains.Thirdly.702 passwords. He continued to crack the rest of the passwords using a hybrid attack and cracked a total of 12. lower-case letters in the middle. This method uses previously cracked passwords and a statistically generated brute-force attack that makes educated guesses to analyse plain text passwords. stronger and more noticeable passwords that the hackers were able to recover included: k1araj0hns0n Sh1a-labe0uf Apr!l221973 Qbesancon321 DG091101% @Yourmom69 ilovetofunot .

iloveyousomuch Philippians4:13 Philippians4:6-7 and qeadzcwrsfxv1331 From this method.699 more passwords . but this time the last four letters of each word were replaced with four digits. The other two password experts who cracked this list used many of the same techniques and methods. identical passwords for the same sites. although not in the same sequence and with different tools.136 passcodes. and so. They used a wordlist that was created directly from the 2009 breach of online games service RockYou. This yielded 2. developed by password expert Peter Kacherginsky. During this third stage.three hours to cover the first 962 plain passwords in this stage and 12 hours to get the remaining 737. then three digits. to identify patterns. Gosney discovered that people who don't know each other use very similar. He then ran the 7. . and in some cases. and managed to recover 259 additional passwords. The same list was then used again. Gosney also used other wordlists and rules and it took Gosney 14 hours and 59 minutes to complete all stages. starting with a single digit. then two digits. Hacker radix then tried brute-forcing all numbers. He managed to get another 1.900 of the passwords. This hack leaked more than 14 million unique passwords in plain text and this list is the largest list of 'real-world passwords ever to be made public.windermere2313 tmdmmj17 and BandGeek2014 Also included in the list were: all of the lights i hate hackers allineedislove ilovemySister31.295 plain text passwords he'd recovered through the Password Analysis and Cracking Toolkit.' This method cracked 4.

'This helps to save disk space and also speeds up wordlist-based attacks. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords Radix then used this information to run a mask attack. for example he replaced 'e' with the '3' and recovered 1. Gosney explained: 'Normally I start by brute-forcing all characters from length one to length six because even on a single GPU. He replaced common letters with numbers. 'Then I go straight to my wordlists + best64. I have all of my wordlists filtered to only include words that are at least six chars long. I can just brute-force numerical passwords very quickly. Gosney created a 25-computer cluster that can make 350 billion guesses a second. so we want to find as much low-hanging fruit as possible first. 'And because I can brute-force this really quickly.A 25-computer cluster that can cracks passwords by making 350 billion guesses per second. this attack completes nearly instantly with fast hashes. It was unveiled in December by Jeremi Gosney. In December.' . and larger rule sets take much longer to run. 'Same thing with digits. which uses the same methods as Gosney's hyrbid attack but took less time.940 passwords.rule since those are the most probable patterns. the founder and CEO of Stricture Consulting Group. so there are no digits in any of my wordlists. In an email to Ars Technica. 'Our goal is to find the most plains in the least amount of time.

Female Israeli soldiers disciplined for 'unbecoming. . Speculation rife on the internet over who is involved in.. 'He wants to be called Mujaheed Abu Hamza': Michael.. The... clutching his stomach.. The fairy-tale wedding of internet guru Sean Parker: First..... Does this chilling painting show that Reeva had a...MOST READ NEWS Previous 1 2 3 4 Next Sitting in a hospital cubicle....

... United Kingdom.Now Michael Douglas says he DOESN’T blame oral sex for.we44 .. It's oh.... 30/5/2013 16:05 Click to rate Rating (0) ... NewcastleOnTyne. so quiet: The eerie abandoned towns that have been. Comments (199) Newest Oldest Best rated Worst rated View all There are various software applications (free of charge) that you can use to generate random passwords so you don't have to remember them. Wife of Liverpool legend Ian Rush 'demands divorce after she. I've got a few on my list to look into installing this weekend. Good night out. 'whose parents starved him to death suffered... four. Heartbreaking moment K9 partner of officer gunned down in. Harry? Red-nosed prince joins brother.. Boy. .

30/5/2013 02:28 Click to rate Report abuse Well my password is an alphanumeric 23 digit one.Bobbler . Nothing is totally secure. .Will . . .rianlly . . wick.hoodoogirl. site closed. this article really isn't very impressive when you break it down. 29/5/2013 19:03 Click to rate Rating 3 Rating 6 Rating 3 Rating 1 Rating 2 Rating 1 Rating 1 .Excalibur . Hull. 29/5/2013 19:43 Click to rate Report abuse might as well keep my password as password then . BRUXELLES. Belgium. United Kingdom.Report abuse Well my password is a secret . United Kingdom. 29/5/2013 22:32 Click to rate Report abuse Three strickes and your out. United Kingdom. UK. brute forcing password over days is an unreliable and totally impracticle way of breaking security and is nothing new. I'd like to see them crack that one. 29/5/2013 22:54 Click to rate Report abuse So at the moment the recommendations are 1) AT least 10 characters 2) As random as you can (humans are very poor random letter and number generators) Nothing new there .my personal favourites are made up of 4 random words with upper case and lower case letters and number or symbols used to substitute for letters. Real time encryption uses at least 256 bits and dynamically changes depending on the point of connection. 30/5/2013 00:27 Click to rate Report abuse Internet banking is safe. I'd be impressed if this was an elegant solution but brute forcing is an antiquated and ugly way to hack. .Keith25 . 29/5/2013 19:29 Click to rate Report abuse Simply use a pass phrase rather than a word . Pretty effective but not totally secure. Mancunilandius. 28/5/2013 21:23 my simplest password in 34 digit alphanumerical+symbols password and my most complicated passwoed is over a 100 digits long and i use two stage login on everything I can . Manchester. it took these guys a week to crack 16 bits.PANAGRACE . Aberdeen.but at least this article should be an eye-opener for people using 'fred'. The worldlist/dictionary attack was being used in the time of Tim Berners Lee to crack passwords for gods sake. United Kingdom.WinSmith . Bedfordshire.

1-inch tablet and a new 'phablet' Violent images in movies. 29/5/2013 12:15 Click to rate Report abuse Share this comment The views expressed in the contents above are those of our users and do not necessarily reflect the views of MailOnline.to the nearest POUND . United States. but the ITALIANS taught them everything they know. claim researchers How man has wreaked havoc on the Brazilian rainforest: Scientists find large birds have been driven out and seeds have evolved to become SMALLER due to deforestation Are DRONES the future of delivery? U. .the more likely you are to get it AVATARS could be used to treat schizophrenia by helping control the voices patients hear inside their heads People suffering from sleep deprivation 'are more likely to cheat on their partners' The mind-reading computer that could communicate with coma patients: Groundbreaking system can understand answers to simple questions from brain scans Pebbles prove streams once flowed across Mars . firm plans vast network to deliver everything from drugs to post How the turtle got its shell: The fossil that reveals the 'missing link' and shows RIBS are the key to the animal's protection Was Neil Armstrong's Ohio accent to blame for millions mishearing his famous moon landing quote? Controversial fracking technique could make the UK self-sufficient in gas for at least 15 years Is sweat the key to male teamwork? Chemical produced when men perspire is linked to their willingness to cooperate Facebook set to take on Gmail by enabling users to send private messages from the 'status' box on the homepage Dramatic rise in plant growth in world's deserts could be down to rising CO2 levels Why Homo sapiens won the battle of human survival: Neanderthals had larger eyes but less brain power to make decisions Want a pay rise? The more specific you are . says new report Masterpieces of the universe: Stunning images which reveal how astronomers have mapped space through the ages MORE HEADLINES Acer unveils new gadget range including the world's first 8.1.2. his rules: Hands on: Deadpool (Xbox 360 / PS3 / PC) How the turtle got its shell: The fossil that reveals the 'missing link' and shows RIBS are the key to the animal's protection One in 13 of us share the same bendy.Report abuse Simply block the IP Address after X number of attempted logins and lock the account. firm plans vast network to deliver everything from drugs to post Samsung officially unveils the Galaxy S4 Mini after accidentally leaking images of the new handset on its own website It's certainly going to be cosy! Scottish explorer begins his 60-day stint living inside an 8ft box on a remote islet His game. Canada. Today's headlines Most Read The French may be the kings of wine.to the nearest POUND .s a bank deposit machine i used to pass every day had a 6 number code to open it. ..the more likely you are to get it Are DRONES the future of delivery? U. tree-climbing feet as chimps but scientists can't decide if it's down to evolution or our SHOES! Masterpieces of the universe: Stunning images which reveal how astronomers have mapped space through the ages MOST READ IN DETAIL Rating 2 Rating 6 .2. woodstock.and raise hopes of finding life on the red planet Acer unveils new gadget range including the world's first 8. i used to try a code once every day while passing it i t took me 2 weeks to guess it and open the door the number? 1.taras shevchenko . TV or computer games CAN act as triggers for aggression.S.2..reversehalo .S.1-inch tablet and a new 'phablet' Why Homo sapiens won the battle of human survival: Neanderthals had larger eyes but less brain power to make decisions Was Neil Armstrong's Ohio accent to blame for millions mishearing his famous moon landing quote? Controversial fracking technique could make the UK self-sufficient in gas for at least 15 years Facebook set to take on Gmail by enabling users to send private messages from the 'status' box on the homepage Is sweat the key to male teamwork? Chemical produced when men perspire is linked to their willingness to cooperate Want a pay rise? The more specific you are .1. Portland. 29/5/2013 16:45 Click to rate Report abuse in the 70.

Bowers and Wilkins P3 headphones You won't want to open the P3 headphones.. Yet that's the best way to describe the P3s. fully licenced.1 (Xbox 360) Beauty. Consumers want both fashion and function. If slightly expensive. It packs a punch. Tritton Warhead 7.GADGET REVIEWS Gadget of the week: Gemini JoyTAB Duo 9. LifeProof iPhone case Cracking your iPhone screen is one of the most annoying things you can do. quality sound is not enough. For the packaging is so elegant.. and that's where the iLuv headphones come in. Thankfully. brawn and a blistering sound quality. Gemini’s 10” tablet comes in at half that price at a very affordable £149. The Mail on Sunday & Metro Media Group © Associated Newspapers Ltd . stylish and boasting strong audio quality. the new LifeProof iPhone case will make this a thing of the past.art. Published by Associated Newspapers Ltd Part of the Daily Mail.7 Pro Whilst a 10” tablet would usually set consumers back at least £300. too. Tritton’s latest. Jabra Revo Wireless Bluetooth headphones Sleek. exclusive Xbox 360 headset is a joy to behold from the moment you begin unboxing. but Jabra make a decent fist of it with this wireless Bluetooth headset which is light yet well built. it feels like you're ruining a piece of art. the Jabra Revo Wireless Bluetooth headphones are something of a complete package. Jabra Sport Wireless Bluetooth headphones Sports headphones are a tricky proposition for manufacturers. iLuv ReF headphones In the current headphone market.99.