1.5 Billion Passwords Stolen


syrakusos


From the New York Times for yesterday, August 5, 2014:


http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html



The original Hold Security press release (also dated August 5, 2014):


http://www.holdsecurity.com/news/cybervor-breach/



When you crunch the numbers, it really is just 500 million.



You should know that your password here is readable in plain text. It is not hashed or enciphered or otherwise encrypted.



Last year, April-June 2013, my wife and I joined in weekly security classes sponsored by OWASP, the Open Web Application Security Project (https://www.owasp.org/index.php/Main_Page). Our local Austin group met and meets at a room provided by National Instruments on their campus here. The group picks a book and reads it or works from it, depending. We worked through the Wireshark 101 book. I did three presentations to the group, in fact. Using Wireshark, I logged in to OL and saw my username and password in plain text. I did the same thing over on RoR. Their webmaster has since said that he has hashed the passwords list.



In any event, you should never use the same password for two different systems. You also should consider your username and login. Here, at least (as on RoR), your login name is not your username, so that helps. Some systems insist that you mix numbers, characters, upper and lower case. If the passwords are not encrypted, that is pretty much pointless. For "secure" passwords, where a brute force attack would be required, mixing characters is not as powerful as length. If your password is M!x1n&, that can be broken in fractions of a second compared to MichaelStuartKellyisthefatherofmychild, which at 38 characters requires testing 4*10^200 possibilities. Even if you knew that only alphas were used, it would be 1.4*10^82 tries; at 1000 tries per second that is about 4.4*10^71 years.



Posted Saturday, October 12 - 4:49am

"Dustin's computer can perform 30 billion guesses per second against standard Windows hashes. The $800 system uses four AMD Sapphire Radeon 7950 cards."

http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/3/

How the Bible and YouTube are fueling the next frontier of password cracking

Crackers tap new sources to uncover "givemelibertyorgivemedeath" and other phrases.

by Dan Goodin - Oct 8 2013, 8:00am CDT

A new way

Encouraged with their results, Young, Dustin, Chrysanthou, and other crackers are tapping an ever larger pool of phrases. News websites, multilingual forums, public IRC logs, Wikipedia, Pastebin, e-books, movie scripts, and song lyrics are just some of the wells they're drawing from. And of course, Facebook and other social networking sites are goldmines. For example, in May 2012, while cracking 160,000 MD5 hashes leaked from Militarysingles.com (a dating website for members of the US armed forces), Young and Dustin turned to Twitter to increase their supply of words and phrases used by people in the military.

At 30 billion guesses per second it would take 10^63 years to guess MichaelStuartKellyisthefatherofmychild.

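As an added illustration (not part of either post above), the following Python computes the brute-force keyspace, entropy in bits and worst-case exhaustive-search time for the two example passwords discussed in the thread, at the 1,000 guesses per second rate from the first post and the 30 billion guesses per second rate quoted from Ars Technica. The character-class model (an attacker who knows which classes the password uses, but nothing more) is an assumption of this example.

```python
import math
import string

# Character classes assumed for the keyspace estimate (example assumption:
# the attacker knows which classes the password draws from, nothing else).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet spanned by the classes the password touches."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must cover (worst case)."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Keyspace in bits: length adds bits linearly, extra classes only logarithmically."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case wall-clock years to try every candidate at the given rate."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


def compare(passwords, rates):
    """Return {password: {rate: years}} so the two examples can be tabulated."""
    return {p: {r: years_to_exhaust(p, r) for r in rates} for p in passwords}


if __name__ == "__main__":
    # The two passwords from the thread; rates from the thread (1000/s) and Ars (30 billion/s).
    samples = ["M!x1n&", "MichaelStuartKellyisthefatherofmychild"]
    rates = [1_000, 30_000_000_000]
    for p, row in compare(samples, rates).items():
        print(f"{p}: {len(p)} chars, alphabet {charset_size(p)}, {entropy_bits(p):.1f} bits")
        for r, yrs in row.items():
            print(f"  {r:>14,} guesses/s -> {yrs:.3g} years to exhaust")
```

The six-character mixed password falls in seconds at the Ars rate, while the 38-character passphrase stays far beyond reach even at that rate, which is the length-over-complexity point the post makes.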

The hackers will work on the list of 500 million unique accounts, parsing them into manageable sets by username and password. At 30 billion per second, they can run the entire list against any website login in 0.01 and 2/3 seconds. The problem (for them) is that no site is going to allow that. Every firewall has a limit on the frequency of accesses from the same point. Using more points just results in a "denial of service" attack and a shut-down.



That being as it may, ultimately these attacks all show the vulnerability of the standard two-factor (username/password) authentication system. Biometrics will probably be next.



Toopher, Inc. is an Austin start-up that links your computer access to your cellphone. The theory is that if the phone is "too far" from the computer, then it is not you logging in.


https://www.toopher.com/
