Hackers assembled for an experiment of a technology website were able to crack over 14,800 passwords from a list of 16,449 encrypted passwords. The list included passwords using 16 characters that mix letters, symbols and numbers.
The hacking experiment was commissioned by Ars Technica as a follow-up to a password cracking experiment performed by Nate Anderson last March, the website's deputy editor. Anderson, who confessed that he is a newbie to password cracking, was able to decipher almost half of the passwords in a few hours.
The Hackers
This time Ars Technica asked password cracking experts to knockout the same list of hashed passwords. The website revealed the eye-opening results in an article by Dan Goodin.
The team of three hackers was led by Jeremi Gosney of Stricture Consulting Group. Using a commodity computer setup with an AMD Radeon 7970 graphics card, Gosney was able to crack 14,734 hashed passwords in 20 hours or a 90 percent success rate.
Doing the math, he averaged 12 passwords a minute including such passwords as "qeadzcwrsfxv1331," "n3xtb1gth1ng," "1368555av" and "LOL1313le" that can be considered by many as relatively secure. Gosney actullay cracked the first 10,233 passwords in just 16 minutes or about 640 passwords a minute.
"Normally I start by brute-forcing all characters from length one to length six because even on a single GPU, this attack completes nearly instantly with fast hashes," he explained to Ars Technica via email.
Jens Steube, who led the team that developed the free advanced password recovery software oclHashcat-plus, was able to unlock 13,486 passwords or 82 percent in just more than an hour using a more powerful computer setup. The oclHashcat-plus was the software used by all three password crackers during the experiment.
"By doing hybrid attacks, I'm getting new ideas about how people build new [password] patterns. This is why I'm always watching outputs," Steube explained.
The third cracker who went by the alias "radix" unscrambled 62 percent of the list in just an hour utilizing a computer with a 7970 card.
"There's probably not a complexity requirement for them. The hashing alone being MD5 tells me that they really don't care about their passwords too much, so it's probably some pre-generated site," Radix explained how the passwords on the list were so terrible.
How they cracked the hashed passwords
For those who might be wondering, hashing passwords is a security strategy implemented by websites. Using MD5 cryptographics, websites turn text passwords into a string of letters and numbers. For example, "password" is converted to the hash "5f4dcc3b5aa765d61d8327deb882cf99." This makes it a bit more difficult for hackers than just storing passwords in plain text.
The shorter passwords were cracked using brute force attacks where a computer unscrambles the encrypted string by combing A-Z and other characters. The short passwords were quite easy to crack but longer passwords required a bit more of technical and technological sophistication.
The team added several parameters to the brute force attacks to decode longer strings. They used Markove attacks that take into consideration common characteristics of passwords. Wordlists were also used and the team explored other hybrid attacking techniques to break the rest of the hashed passwords.
The jaw-dropping prowess demonstrated by these password crackers and security experts, who were able to decode seemingly tough passwords, is just a reminder to us all to think seriously about making our passwords better.