IT Center Blog

How quickly can my password be cracked?

August 13th, 2025 | by
[Illustration: a password being cracked with a crowbar. Source: own illustration]

How long can your password currently withstand a hacker?

In times when cyberattacks are commonplace and current supercomputers can test billions of combinations per second (future quantum computers may be able to test many more), password security is becoming a matter of digital survival. In this article, you will find out what methods attackers use to crack passwords – and what simple measures can make the difference between data theft and digital security.

Brute force attacks

The brute force approach is the most basic method for cracking passwords: every possible combination of characters is tried until the right one is found. To illustrate why this approach reaches its limits in practice, let’s take an example:

Let’s imagine we are using the computing power of CLAIX-2023, which offers around 14 PFLOPS (14 quadrillion floating point operations per second); an operation here is a single computing step. Assuming that testing one password takes only one operation, it would take about a year to try all possible combinations for a randomly generated password of length 12 drawn from a 94-character alphabet (upper- and lower-case letters, digits and the printable ASCII special characters). With 13 characters it takes 100 years, with 14 characters 10,000 years, and for a password of 16 characters 84 million years. With current computing power, it is therefore unrealistic to crack a random 13-character password by brute force.

Dictionary attacks

In practice, attackers often do without the computationally expensive brute force approach. Because people generally choose predictable passwords and rarely use randomly generated ones, so-called dictionary attacks are used instead.

In a dictionary attack, a list of frequently used passwords or other common phrases is used. These lists can come from various sources, including frequently used passwords and common terms or names from different languages.

Data leaks from other websites also provide information for an attack. As a result of security vulnerabilities, incorrect configuration or human error, the contents of databases can become publicly accessible. As these leaks can also contain login information, they pose a risk, especially if passwords are used more than once. Known data leaks have affected Facebook and Yahoo, among others.

The following therefore applies: Do not use any personal information in your passwords, avoid known patterns and do not use passwords more than once.

On the Have I Been Pwned website, you can find out for yourself whether your email address or password was part of a known data leak.

Hashing algorithms for securing passwords

In order to protect data in the event of a data leak, passwords are not stored in plain text but as a hash. A hash is the result of a hashing algorithm, a mathematical process that converts data, in particular passwords, into a value of fixed length and thereby obscures it. This transformation is one-way: the original password cannot be recovered from the hash.

In contrast to classic encryption, where a key is needed to recover the data, this irreversibility is exactly what password protection relies on: if someone gains unauthorized access to the database, they find only the hashes, not the actual passwords. When a user logs in, the password entered is hashed again and compared with the hash stored in the database. This makes it much harder for attackers to crack a password, because many hashing algorithms deliberately require a lot of computing power.

An additional protective measure is salting. Here, a random value (the salt) is added to each password before it is hashed. Because even identical passwords then produce different hashes, attackers cannot use precomputed hash lists of frequently used passwords against the whole database.

Old and inadequately configured hashing algorithms are also at risk due to the continuous increase in computing power. Attackers can now access enormous computing resources with little effort, meaning that even methods previously considered secure are coming under increasing pressure.

How are databases protected against increasing computing power?

Modern hashing algorithms such as Argon2, the winner of the Password Hashing Competition, address continuously increasing computing power by making the cost of the algorithm adjustable. Argon2 lets developers and administrators tune parameters such as memory consumption, the number of iterations, the number of CPU cores used, and the length of the password and salt.

This makes the cost of computing a single hash controllable, so the algorithm can be adjusted as hardware becomes faster. As a result, attackers can hardly compute large numbers of password hashes in a short time, even with powerful hardware.
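As an added example (not code from the original article), the following Python sketch shows how salting and adjustable cost parameters fit together on the defending side. It uses scrypt from the standard library as a stand-in for Argon2, since both are memory-hard with tunable work, memory and parallelism settings; the `scrypt$n$r$p$salt$hash` storage format is constructed here for illustration and is not a standard.

```python
import base64
import hashlib
import hmac
import os

# Current cost policy. Storing the parameters next to each hash lets the policy
# be raised later: old hashes stay verifiable and can be upgraded at next login.
# scrypt stands in for Argon2 here: n = CPU/memory cost, r = block size, p = parallelism.
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_BYTES = 16
HASH_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hash_password(password: str, params: dict = CURRENT_PARAMS) -> str:
    """Hash a password with a fresh random salt and the given cost parameters."""
    salt = os.urandom(SALT_BYTES)  # unique per password: identical passwords -> different hashes
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=HASH_BYTES, **params)
    return f"scrypt${params['n']}${params['r']}${params['p']}${_b64(salt)}${_b64(digest)}"


def _parse(encoded: str):
    """Split the constructed storage string back into parameters, salt and digest."""
    algo, n, r, p, salt, digest = encoded.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash algorithm")
    params = {"n": int(n), "r": int(r), "p": int(p)}
    return params, base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    params, salt, expected = _parse(encoded)
    actual = hashlib.scrypt(password.encode(), salt=salt, dklen=len(expected), **params)
    return hmac.compare_digest(actual, expected)


def needs_rehash(encoded: str, target: dict = CURRENT_PARAMS) -> bool:
    """True if the stored hash was produced with weaker parameters than the current policy."""
    params, _, _ = _parse(encoded)
    return any(params[key] < target[key] for key in target)


if __name__ == "__main__":
    first, second = hash_password("Tr0ub4dor&3"), hash_password("Tr0ub4dor&3")
    print("same password, different hashes:", first != second)
    print("verify ok:", verify_password("Tr0ub4dor&3", first))
    print("needs rehash:", needs_rehash(first))
```

When a user logs in successfully and `needs_rehash` returns true, the plaintext is available for a moment, so that is the point at which to store a new hash with the current parameters.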

Conclusion

The security of passwords essentially depends on the complexity and the protection technique used. While brute force attacks are almost hopeless with long passwords, dictionary attacks can be successful – especially if simple or predictable passwords are used.

To further increase security, it is advisable to use password managers. These not only help to generate complex passwords and store them securely but also offer additional protection against phishing attacks. If possible, however, the master password of the password manager should be secured with an additional factor. It is particularly practical and secure if passwords are generated and managed directly in the browser.

The Federal Office for Information Security (BSI) recommends the following for creating a secure password.

Further tips on how best to protect yourself, and what else to watch out for, can be found in the following articles. Note that changing a password on a fixed date rather than after an incident is now considered obsolete, as a publication by the Ruhr University Bochum (RUB), for example, explains.

Help, my e-mail password was compromised!


Responsible for the content of this article is Marc Weerts.

2 responses to “How quickly can my password be cracked?”

  1. Marc says:

    Can you help me get my password back from my old e-mail address?
