Breaches in password security are nothing new. Since the invention of the Internet, and the desire to keep private information completely safeguarded, hackers and cyber criminals have long worked hard at tearing down the barriers of Internet security to gain access to valuable data, including the harvest of personal information, banking numbers and other pertinent files.
When the Internet became an effective tool to control personal information, passwords were developed to be used in combination with the online user’s ID. This first line of defense single factor authentication tool worked well simply because of the limited population that was using online sites for such matters.
When the banking world, and other financial institutions, started taking to the Internet by providing tools to assist their customers in doing business with them online, it became obvious that single factor authentication was not going to work. Quickly, two factor authentication tools began to evolve. Along with that, simple passwords were let go in place of passphrases, because stronger phrases appeared to be harder to crack. The results of simple two factor authentication tools did not work well either.
The public soon became aware that they needed to encrypt their information before sending it over the Internet. An additional transport layer of encryption, such as SSL, was added to the process. In time that too was recognized to have limitations at safeguarding the public from hackers that were to illegally gain access into personal and business accounts.
An Ineffective Encryption Method
Today, one-way hashing algorithms are used by a large variety of websites as a way to safeguard its store passwords. Typically, this is accomplished by having the user input a password to the website. The site then computes a cryptographic hash to the password and will then store the information in some type of database. The next time the user provides their login credentials, the site will automatically compute the hash and use the results to compare the information with the data already stored. As long as no one can gain access to the password hashes, this system can work well, although with limitations.
One such limitation is that without a safeguard in place, all users that have the same password will also have stored the same hash value. This result allows hackers to develop huge databases filled with passwords that are already hashed, and compare all the information. Using GPU’s (graphic processing units) they can accelerate the process of their comparison for better hash cracking results, making encryption ineffective.
The limitation of too many websites that require a setup of a password with the user ID is that they simply do not offer the ability to set a strong password. Already proven to be an ineffective process, these sites force their users to select a series of alphanumeric choices that has at least one uppercase letter, one special character and at least one number. While this may seem like a complex password that is impenetrable, the user might simply type in “!234E”, which is hardly an impassable barrier.
A Hacker Strategy
Based on the password set up limitations of the website, hackers can develop strategies based specifically on that site’s policy that focuses on the limitations. Once the conditions are met, the hacker can develop a dictionary or list that will contain only the passwords that follow the guidelines set by the website. The next step of the strategy is to determine the shortest length of the password used by the majority of website users.
Next, the hacker will build into the list all the phrases and passwords that are the most common to the targeted users. In the end, a hacker strategy can be very successful at breaching the protective password wall and gain instant access into the account. Even worse, they will have access to every account the individual has, where they use the same password (because that method is so easy for the user to remember).
The Ineffectiveness of Passwords
In the end, if the hacker has the ability to develop an effective password cracking strategy using the best hardware and software, the complexity of a password or passphrase hardly matters. What will matter will be the overall length of the password. While it may not make it impenetrable, it will take significantly more time to crack it. Therefore, websites that only allow a specific limit to the length of the password have already eliminated one of the best protections the individual has in safeguarding their information.
What to Do
For any business or individual that is concerned about maintaining high levels of security on their information, there are only a few things that work. They can use proven security architecture, quality assurance programs, and an effective password strategy, all working in unison. By implementing an effective resilient security architecture combined with quality assurance and a longer, more complicated password, users can increase their chances of being safeguarded against brute-forced cracking.