Unsecure Passwords Just Got More Unsecure, Cracking Them Now Even Faster

A new method of cracking passwords hashed with SHA-1 (Secure Hash Algorithm) has made the relatively insecure algorithm even less secure by greatly decreasing the time and computing power necessary to crack it. The news came out of the Passwords^12 conference in Oslo, Norway, which focused on password and PIN code security. It might be a good time to change your password or, more importantly, change the way your passwords are stored.

SHA-1 is an algorithm that converts the text of a password like “GlenIsCool” into a long string of numbers and letters that looks like this: “39c395450e543c7d2a6caed5eac2f73a7ae591ca”. This allows passwords to be stored in a more secure way than just a list of the actual passwords. The point of a hash algorithm is that it should be impossible to convert “39c395450e543c7d2a6caed5eac2f73a7ae591ca” back to “GlenIsCool” mathematically. To crack the hash, a computer feeds guessed passwords into the same algorithm until it gets a hash that matches the one generated by the real password.

In theory, that makes for a very secure storage option, but when 6.5 million password hashes were stolen and released from LinkedIn in June, a security researcher needed only six days to crack 90% of the list. The new method of cracking SHA-1 makes it even faster.

Officially there are 1,448 steps for converting a password to an SHA-1 hash, and the lower hackers can get that number, the faster they can crack the hash to get the password. The number had already been reduced to 868 using special equipment and techniques. The new method, announced at Passwords^12 by Jens “Atom” Steube, developer of the Hashcat password recovery program, lowers the number even further to 734, nearly half the official number.

The hashes generated are stored by whatever service you find yourself logging into. There are, of course, other, more secure algorithms being used today, but SHA-1 is still hanging on. It comes down to how much you trust an online service to protect your password with a secure algorithm.
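To make the storage point concrete, here is an added example (not from the original article or from Hashcat) that puts unsalted SHA-1 next to a salted, deliberately slow alternative. The choice of PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample accounts are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the storage scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def guess_against_sha1(stored: dict, candidates: list) -> dict:
    """Hash each candidate once and compare it with every stored hash.

    Without a salt, one hashing operation tests a guess against all
    accounts at the same time, which is why leaked lists fall quickly.
    """
    by_hash = {sha1_hex(c): c for c in candidates}
    return {user: by_hash[h] for user, h in stored.items() if h in by_hash}


def store_password(password: str) -> tuple:
    """Return (salt, derived_key) using a per-user salt and a slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute the key with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    # Constructed sample accounts; "GlenIsCool" is the article's example password.
    accounts = {"alice": "GlenIsCool", "bob": "GlenIsCool", "carol": "x7#Lq!2vTz9w"}
    stored = {user: sha1_hex(pw) for user, pw in accounts.items()}
    print("same SHA-1 for alice and bob:", stored["alice"] == stored["bob"])
    print("recovered by guessing:", guess_against_sha1(stored, ["password", "GlenIsCool"]))
    rec_a, rec_b = store_password("GlenIsCool"), store_password("GlenIsCool")
    print("same salted record:", rec_a[1] == rec_b[1])
    print("verify:", verify_password("GlenIsCool", *rec_a))
```

With the salted scheme, the same password produces a different record for every account, and each guess costs hundreds of thousands of hash operations per account instead of one for the whole list.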

Oh, also, “GlenIsCool” is my real password. Please don’t tell anyone. I know I can trust you, Internet.

(via Ars Technica, image via Dev.Arka)

Author
Glen Tickle
Glen is a comedian, writer, husband, and father. He won his third-grade science fair and is a former preschool science teacher, which is a real job.