Passwords are what keep our cyber secrets safe, they’re there to keep our accounts locked, whether we’re talking email, cloud storage, Netflix, Facebook or whatever else type of account. It is believed that these passwords, which are most often than not hashed by the companies that keep them, are safe from cracking. The truth is that they’re safe only if the encryption works.
Well, it’s been revealed that researchers have managed to reverse hashes to 320 million passwords released by Troy Hunt, a researcher who runs the site Have I Been Pwned. The site is known for keeping tabs on any data dumps of email addresses, passwords and any other information that can be found online, including the dark web. Back in August, he decided to help out the security researchers who were trying to find a way to convince people that reusing their passwords was a bad decision, so he dumped 320 million plaintext passwords online.
Folks from CynoSure Prime, along with German IT security PhD student @m33x and infosec specialist Royce Williams, took on the challenge and tried to see if they could recover the hashes for these passwords. The hope is that someday soon people trying to change their passwords could see if they should avoid a specific code they were trying to input, especially if their email addresses have previously been involved in data breaches.
The password database Hunt prepared for the release was sourced from different leaks, which means it included many hashing algorithms, although most of all used SHA-1 primarily. SHA-1 has been deemed as unsuitable earlier this year, with specialists managing to demonstrate a practical SHA-1 collision, which was believed to be impossible beforehand.
Furthermore, hashing is supposed to be irreversible. Once a password is hashed, that hash gets stored in the database and it’s supposed to make the password impossible to retrieve. And yet, out of the 320 million hashes, they were able to recover all but 116 of the SHA-1 hashes. Of course, you’d need a rather powerful machine to get the job done. The researcher, for instance, ran MDXfind and Hashcat on a quad-core Intel Core i7-6700K system, with four GeForce GTX 1080 GPUs and 64GB of memory.
They also discovered that people weren’t only storing passwords in the hashes, but also email – password combinations, and other types of personally identifiable information, which wasn’t intended to be released in the first place. This happened mostly because the original owners made mistakes in parsing and leaked the user lists complete with names, despite the fact that they were supposed to include only passwords.
The thing with plaintext passwords is that hackers can run the contents of a database against your email address for the chance of you using one of them. That instantly makes any security you may think you have null. Of course, if you enable two-step authentication and other additional security measures, you will have an extra chance of protecting your secrets, whatever they may be.
With everyone living in the digital world nowadays, it’s quite possible that all our cyber secrets – from your darkest Google searches, to those opinions you shared in private, to those less than politically correct thoughts you have – will be out in the open soon. Hackers will certainly have a hand in speeding things up by exposing things that you may not want to be exposed.
That being said, perhaps it’s time to try out a password manager and randomly generated passwords to increase your chances of keeping your things private.