In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that “5f4dcc3b5aa765d61d8327deb882cf99″ and “7c6a180b36896a0a8c02787eeafb0e4c” are the MD5 hashes for “password” and “password1″ respectively. (For more details on password hashing, see the earlier Ars feature “Why passwords have never been weaker—and crackers have never been stronger.”)

While Andersons 47-percent success rate is impressive, its miniscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds.

MORE:  Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica.

It turns out the password clues for Windows 7 and 8 are stored in the OS registry in a scrambled format that can be easily converted into human-readable form. That information would undoubtedly be useful to hackers who intercept a cryptographic hash of a targeted computer, but are unable to crack it. Jonathan Claudius, the SpiderLabs vulnerability researcher who documented the new Windows behavior, has written a script that automates the attack and added it to Metasploit, an open-source toolkit popular among whitehat and blackhat hackers alike.

The clue is added to the OS registry when users configure a Windows account to provide a hint about the password needed to access it. When he first saw the long string of letters and numbers that stored the hint, he thought it had been encrypted. Upon further examination, he learned that an eight-line Ruby script quickly decoded the text chunks.

MORE:  Password hints easily extracted from Windows 7, 8 | Ars Technica.

The warnings Brooks and millions of other people received that December weren’t fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.

“The danger of weak password habits is becoming increasingly well-recognized,” said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, “show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks.”

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.

A new world

The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007. As the Gawker breach demonstrated, such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.

Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.

MORE:  Why passwords have never been weaker—and crackers have never been stronger | Ars Technica.