We found out what could make it take centuries…
At SpyCloud, our livelihoods depend upon protecting your personal information. We also realize that not everyone is a security expert. Basic security concepts such as password hashing may mystify laymen and isolate the majority of the population. According to a 2017 survey by the Pew Research Center, fewer than 54 percent of surveyed participants could correctly identify a phishing attack. Less than 13 percent of those surveyed knew what a botnet was, and fewer than 13 percent agreed that using a VPN (virtual private network) minimizes the risks assumed while connecting to unsecured WiFi networks. Protecting passwords is not the sole responsibility of the consumer. While they have primary control over their security hygiene and password complexity, they cannot choose which hashing algorithms the third-party services use to protect passwords. As such, practicing even the best security hygiene cannot always prevent your password from being exposed.
Unfortunately, the organizations we trust with our personal information often engage in poor password security practices. Password security is a product of both strong hashing algorithms and password complexity. Even the strongest hashing algorithms cannot protect a weak password from being cracked. To prove this, SpyCloud performed our own password cracking experiment against sets of passwords varying in complexity and protected by varying hashing algorithms. The results showed that while some newer and stronger hashing algorithms can protect even the most “guessable” passwords, the best defense will always be to use the most complex password possible.
‘Round and ‘Round We Go
If you’re anything like us, you probably worry about having your password stolen. You may have even heard about a few of the recent mega-breaches in the news and how some stolen passwords were encrypted while others were not. You may even know that encrypted password hashes have to be cracked in order to be of use to a criminal dealing in account takeover. Otherwise, criminals wouldn’t be able to log into your accounts. Once hashed, your password becomes a seemingly indecipherable string of scrambled up characters.
For example, let’s consider a hashed version of the word “password”:
There are many ways to do this depending upon your chosen hashing algorithm. The example above was hashed using MD5, a widely-used and particularly vulnerable hashing algorithm.
We talk more about different hashing algorithms in our blog post “Would You Like Pepper on that Hash?” In that article, we provided a basic rundown of what encryption is and why it’s so important. We explained what hashes, salts and peppers are, and why hashed passwords look like long strings of scrambled characters with no resemblance to the original password. And that’s by design. There is a mathematical method to this madness, encrypting the plaintext password into its hashed form. Although these operations are easy to perform, they are difficult to reverse.
Cracking a strong, encrypted password can take decades and ample supercomputing power to guess. By storing passwords this way in user credential databases, companies can more effectively secure your information should they experience a data breach. While the often needlessly overcomplicated concept of cryptography is easy enough to understand, the superiority of some encryption types remains a difficult and contested topic. That’s partially because even weak and outdated hashing algorithms are still in use by some of the world’s largest organizations. In fact, the use of these outdated algorithms – or even worse, no hashing at all – has been implicated in some of the most high-profile breaches of our time. If the world’s wealthiest companies can’t understand hashing, why should the public be expected to?
While account takeover relies primarily upon password reuse, we entrust corporations and organizations to protect our information. Our 2018 Credential Exposure report reveals the responsibility of corporations in some of the largest data breaches of all time. Of the 3.5 billion credentials we recovered, only 62 percent of hashes were salted and an alarming 2.3 billion passwords were stored in plaintext.
When we consider the inevitable role that organization theory plays within the internal security of organizations, we can more easily understand why mega-breaches happen. Despite recent technological leaps in the fields of encryption and database security, account takeover remains lucrative for criminals. Among financially-motivated actors (fraudsters), there is an inextricable link between the sophistication of the tradecraft and the potential financial gain. Young fraudsters dealing in fast food application accounts may utilize rudimentary credential stuffing tools, whereas more sophisticated criminals frequently use complicated botnets that are able to take over accounts programmatically. We recently wrote about this in our blog post These Fraudsters are Hungry for Account Takeover.
The stronger the hashing algorithm, the longer it generally takes to crack an encrypted password. However, the length and sophistication of the password also determines how long it could take to crack. That’s probably why you’ve heard about the importance of using strong hashing and password complexity when it comes to good security hygiene. So, what are the different hashing types? Which algorithm is the strongest? And, most importantly, how long does it take to crack the same password based on how it’s encrypted? Like most things in life, the answers to these questions are subjective, but we’ve done some of the work for you.
It’s important to first understand that not all hashing types are created equal. The industry standard prescribes hashing algorithms such as PBKDF2, scrypt and bcrypt, which most experts generally regard as more secure. Organizations frequently avoid older hashing algorithms, such as MD5 and SHA-1, due to recent revelations that fraudsters can easily crack them. In 2012, 177 million LinkedIn accounts were breached, dehashed, and listed for sale on dark markets, even though they were hashed using SHA-1. They were even used to log into Mark Zuckerberg’s personal Twitter and Pinterest accounts.
So what are hashing algorithms and what defines their strength? The concept of password hashing was introduced in the 1970s when the dangers of storing passwords in plaintext were becoming apparent. Passwords were just beginning to be hashed, and organizations stored only the hashes in databases. This scheme was designed to prevent criminals from obtaining the passwords themselves. Criminals then created countermeasures using combo lists (lists of passwords) to repeatedly test for matches against hashing. In order to prevent this, experts developed different hashing schemes (or encryption algorithms) to defend against brute forcing. This attack method involves systematically “guessing” passwords (often from combo lists) against a targeted interface or application until a match is found.
You may not be surprised to learn that in 2018, the top ten most commonly used passwords we collected were the following:
Credential stuffing tools leverage this method using common passwords, while “dictionary attacks” use millions of likely possibilities at a time, such as words in a dictionary. Although they may seem simple, fraudsters wouldn’t use these methods if they didn’t work. That’s exactly why strong password complexity is the gold standard of protection, regardless of encryption type.
Below are the most common encryption types we’ve seen organizations use, ranked by cracking speed. In this context, speed refers to how long it takes to crack passwords encrypted using different algorithms. As such, we’ve ranked encryption types from slowest to fastest. Although overall security is a complicated and subjective topic, a password that is slower to crack is generally more secure.
Slower to crack (generally stronger)
- Drupal 7
- SHA512 (UNIX)
- DCC2/MS Cache 2
Faster to crack (avoid)
In our 2018 Credential Exposure report, we disclosed the top hashing algorithms observed among the stolen credential sets we collected:
- Alarmingly, the most common hashing algorithm we saw was MD5, which accounted for 25% of the stolen credentials we collected.
- The second most common hashing algorithm we saw was the much stronger bcrypt (22%), followed by sha1 (17%), snefru256 (10%) and sha512 (10%).
- Approximately 20% of the hashing algorithms we saw fell into the “other” category.
So, how long would it take to crack these passwords? How do different hashing algorithms affect the results? There are varying types of brute forcing attacks, and their power and success in cracking a password is largely dependent upon the resources they leverage. How long it takes to crack a given password depends not only upon the complexity of the password itself, but also the strength of the hash used to protect it. There are many ways for an attacker to attack the hashes themselves.
According to our research, the most effective method by far is a combination wordlist and rules attack. In essence, these types of attacks are like dictionary attacks in that words are “guessed” one at a time from a list, except with permutations and modifications of those words. For example, $1 $2 $3 <- means, “add 123 to the end of the word” and so0 means, “replace instances of “o” with “0”. If you use those on the password “monkey”, the results are “monkey123” and “m0nkey.”
We decided to try to crack different types of password strengths (easy, medium and hard) hashed four different ways: MD5, MD5(salted), VBulletin, and Bcrypt. MD5 is a relatively weak hashing function that produces a 128-bit hash value. We performed our tests using our proprietary infrastructure powered by our team of specialists in this area. The computing power leveraged by our setup more closely mimics the assets available to a sophisticated and well-financially resourced actor.
- MD5: Developed in 1992, MD5 has had a good run but has fallen victim to many vulnerabilities on the way. Now, it’s easier than ever to crack.
- MD5 salted: It’s a bit more challenging because this hash contains a salt, a random string of data that is appended to a password before being hashed and stored in a database. (Reminder: We talk more salts in our blog post “Would you like pepper on that hash?”)
- Vbulletin: We often see it used to encrypt passwords that are stored in association with forums running the Vbulletin software, a proprietary software package written primarily for use in internet forums. These passwords are encrypted using the Vbulletin hashing type, which uses two rounds of MD5 hashing with a salt MD5(MD5(password).salt). In other words, it’s a bit stronger than MD5 salted passwords.
- Bcrypt: The strongest hashing type we tested. Bcrypt is a 184-bit hash created in 1999. It uses a salt to guard against rainbow table attacks and is adaptive. Over time, it becomes resistant to brute-force search attacks even with increasing computational power. It’s important to note that there are many ways to evaluate a password’s entropic strength or the number of “guesses” that are needed to determine a given password. In effect, a password’s entropic strength is a product of both that password’s hashing algorithm and its intrinsic complexity.
These plaintext password categories are just typical examples of the three major “classes” of passwords we often see at SpyCloud. We ran these tests leveraging our password cracking team and our proprietary datasets in conjunction with dedicated computer power.
EASY – These passwords are just as easy to remember as they are commonly used. We included passwords such as “qwerty” and “password1.”
We tested these passwords encrypted four ways with MD5, MD5 Salted, Vbulletin and Bcrypt. All of these passwords, except for those encrypted with bcrypt, were cracked in virtually zero seconds.
MEDIUM – Passwords such as these are probably more typical of a security-conscious user who doesn’t use a password manager. With letters, numbers, and character counts of at least eight, strong hashing can make a huge difference for typical users.
Our testing of passwords of medium complexity also depended largely upon hashing type:
MEDIUM (MD5) 12 minutes and 22 seconds
MEDIUM (MD5-Salted): 17 minutes and 54 seconds
MEDIUM (VBulletin): 17 minutes and 29 seconds (the extra round of MD5 only added a bit more protection)
MEDIUM (Bcrypt): 22 years
HARD – Contain random letters, numbers and characters, and are at least 16 characters in length
All “hard” passwords, regardless of hashing algorithm used, would require centuries to crack based upon complexity alone.
According to our results, the best defense is to use as complex a password as possible – strong passwords with random letters, numbers, characters, and at least 16 characters in length. Regardless of the hashing algorithm used, these passwords would require centuries to crack.
In addition, randomly-generated passwords are less likely to be guessed using dictionary attacks or combo lists.
Medium passwords (typical of semi-security-conscious users who don’t use a password manager) encrypted by weaker hashing algorithms, such as MD5 and VBulletin, are able to be cracked in under 30 minutes. Hashing types make the most difference here, with bcrypt encrypted passwords requiring over 22 years to crack, according to our testing.
Passwords that are easily guessed (and remembered) are not recommended under any circumstances. Those were all cracked almost instantly.
Human-generated passwords tend to be of “medium” complexity at best, but if you must use those, bcrypt is the way to go. Though we doubt anyone would spend 20 years trying to crack your password, password-cracking technologies will likely continue to advance and new, stronger algorithms will emerge. Though the capabilities of future password-cracking tools remain to be seen, this possibility makes password complexity more important than ever. No matter what happens in the future, a long, complex and programmatically-generated password is your absolute best defense.
Many thanks to our researchers for their technical contributions to this report.
NOTE: At the time of publishing this blog the stable release of VBulletin was 5.4.5 updated November 14, 2018. The hashed VBulletin passwords we cracked for this research blog were obtained when VBulletin was on version 3.8.5. Therefore, these times to crack do not reflect the cryptographic strength of current hashed VBulletin passwords.