40 Billion Hashes a Second: ‘Beast’ Demonstrates Scary Fast Password Cracking

October is National Cybersecurity Awareness Month, and where better to start than the debate over passwords. Recent breaches at LinkedIn, TalkTalk, DropBox, Yahoo, MySpace, and others have stoked new vigor in the password and authentication debate. This year alone has witnessed breaches of more than two billion credentials, and we’re only in October.

Some advocates have used headlines to argue that we should be reconsidering the password as our main form of authentication. It seems no matter how complex we make them, hackers find ways to steal them from databases and crack their hashes, then re-use them to compromise accounts at other sites. Mark Zuckerberg, for instance, was caught in a hack of his personal Twitter account earlier this year when hackers re-used his LinkedIn password—stolen from the large LinkedIn breach in 2012—to get access.

Adding to the criticism of the age-old password is the ability to crack password hashes quickly using powerful machines, dictionary attacks and databases from other password breaches that can be found online.

A few months ago the YouTube channel Computerphile sat down with Dr. Michael Pound, an associate professor at the University of Nottingham, who demonstrated how easy it can be to crack lots of passwords really quickly. The university has a computer armed with four powerful graphics processors, which are much better at processing large data sets in parallel.

With the four combined, Pound said, they can analyze about 40 billion simple password hashes per second. Per second.

Using the computer, aptly named “Beast,” a popular software program called Hashcat, and a database of about 6,000 password hashes, Pound showed that when the passwords were only six characters, all lowercase, hashed with MD5, it took the machine about one second to crack every possibility. At seven characters, it took a few seconds.

Pound said MD5 should never be used again. “Maybe developers are thinking, ‘Well it’s already in SHA1. Users might not be able to log in for a while. Let’s probably not.’ — Yes, do. Change your hashes to something like SHA128, quickly.” As a user, he said, you have to have a password that is much harder to crack.

Use lengthy passwords. Use multiple characters, upper and lowercase with special characters. And, better yet, use a password manager so you can store them and not have to remember them. And, most importantly, never re-use passwords.

The reason behind not re-using passwords, Pound said, is that hackers will take a database of known passwords and manipulate them. Change letters to numbers. Insert special characters. Add numbers on the end. And iterate on those combinations over and over.

You can see the rest of the video demonstration here:




October 13, 2016
