CynoSure Prime, a “password research collective”, has reversed the hashes of nearly 320 million hashed passwords provided by security researcher Troy Hunt through the Pwned Passwords searchable online database.
Their effort, pulled off with the help of two other researchers, revealed many things:
- Interesting statistics regarding these real world passwords exposed in data breaches,
- The fact that this database also contains some 2.5 million email addresses and 230,000 email/password combinations (Hunt intends to purge that data from the database), and
- Some bugs in the Hashcat password recovery tool.
“The longest password we found was 400 characters, while the shortest was only 3 characters long. About 0.06% of passwords were 50 characters or longer with 96.67% of passwords being 16 characters or less,” the collective shared.
“Roughly 87.3% of passwords fall into the character set of LowerNum 47.5%, LowerCase 24.75%, Num 8.15%, and MixedNum 6.89% respectively. In addition we saw UTF-8 encoded passwords along with passes containing control characters.”
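The length and character-set figures quoted above are the kind of output a simple corpus-profiling script produces. The following is an added example, not CynoSure Prime's tooling, and it runs on a constructed password sample rather than the real data; the class definitions (Num = digits only, LowerCase = lowercase letters only, LowerNum = lowercase plus digits, MixedNum = both cases plus digits) are assumptions, since the article does not define them.

```python
import unicodedata
from collections import Counter

# Constructed sample standing in for a breach corpus (NOT CynoSure Prime's data).
SAMPLE_PASSWORDS = [
    "123456", "password", "summer2017", "Passw0rd", "qwerty",
    "iloveyou", "abc123", "Tr0ub4dor&3", "pässwörd", "pass\tword",
    "x" * 60, "abc",
]


def char_class(pw: str) -> str:
    """Assign one of the article's character-set labels (definitions assumed):
    Num, LowerCase, LowerNum, MixedNum; anything with symbols, whitespace or
    control characters, or any other mix, is reported as Other."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    if any(not c.isalnum() for c in pw):
        return "Other"
    if digit and not lower and not upper:
        return "Num"
    if lower and not upper and not digit:
        return "LowerCase"
    if lower and digit and not upper:
        return "LowerNum"
    if lower and upper and digit:
        return "MixedNum"
    return "Other"


def has_control_chars(pw: str) -> bool:
    """True if any code point is in Unicode category Cc (e.g. tab, NUL, ESC)."""
    return any(unicodedata.category(c) == "Cc" for c in pw)


def summarize(passwords=SAMPLE_PASSWORDS) -> dict:
    """Length and character-set statistics in the shape the article reports."""
    n = len(passwords)
    lengths = [len(p) for p in passwords]
    class_counts = Counter(char_class(p) for p in passwords)
    return {
        "count": n,
        "longest": max(lengths),
        "shortest": min(lengths),
        "pct_16_or_less": 100.0 * sum(l <= 16 for l in lengths) / n,
        "pct_50_or_more": 100.0 * sum(l >= 50 for l in lengths) / n,
        "class_counts": dict(class_counts),
        "class_pct": {k: 100.0 * v / n for k, v in class_counts.items()},
        "non_ascii": sum(any(ord(c) > 127 for c in p) for p in passwords),
        "control_chars": sum(has_control_chars(p) for p in passwords),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Counting non-ASCII and control characters separately matters for anyone building a password policy from such a corpus: both classes appear in real leaked passwords, so a checker that rejects or silently strips them will disagree with the list it is meant to enforce.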
Hunt made the Pwned Passwords database available for download so that service providers could use it to prevent users from choosing any password contained in it.
“While blacklisting 320m leaked passwords might sound like a good idea to further improve password security, it can have unforeseeable consequences on usability (i.e., the level of user frustration),” CynoSure Prime noted.
“Conventional blacklist approaches typically include the 10k most common passwords to limit online password guessing attack consequences. Until now, there has been no evidence to support which blacklist size provides an optimal balance.”
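The check a service provider would build from the downloadable list, and the full-list versus top-N trade-off the collective raises, look like this in practice. This is an added example, not Hunt's or CynoSure Prime's code; it assumes the download is a file of SHA-1 hashes, one per line, and uses a small constructed list of "leaked" passwords in place of the real corpus, ordered most-common first so that a top-N slice makes sense.

```python
import hashlib

# Constructed stand-in for a breach corpus, ordered most-common first
# (not the Pwned Passwords data; that list is distributed as SHA-1 hashes,
# one per line, which is the shape built below).
SAMPLE_LEAKED_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "football",
    "summer2017", "iloveyou", "pässwörd",
]


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 bytes of the password, upper-case hex.
    Hashing the UTF-8 encoding means non-ASCII and control characters
    (both present in the corpus, per the article) are handled uniformly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_hash_list(lines) -> set:
    """Parse a one-hash-per-line file into a set for O(1) membership tests.
    Blank lines are skipped; an optional ':count' suffix is dropped."""
    hashes = set()
    for line in lines:
        line = line.strip()
        if line:
            hashes.add(line.split(":", 1)[0].upper())
    return hashes


def is_blacklisted(password: str, hash_set: set) -> bool:
    """True if the candidate's hash appears in the loaded list."""
    return sha1_upper_hex(password) in hash_set


def build_blacklists(leaked=SAMPLE_LEAKED_PASSWORDS, top_n: int = 3):
    """Return (full, top): the whole corpus versus the conventional
    'most common N' blacklist the collective contrasts it with."""
    full = load_hash_list(sha1_upper_hex(p) + "\n" for p in leaked)
    top = load_hash_list(sha1_upper_hex(p) + "\n" for p in leaked[:top_n])
    return full, top


def rejection_counts(candidates, full: set, top: set) -> dict:
    """How many user-chosen candidates each policy would refuse; the gap
    between the two numbers is the usability cost of the larger blacklist."""
    return {
        "full": sum(is_blacklisted(c, full) for c in candidates),
        "top_n": sum(is_blacklisted(c, top) for c in candidates),
    }


if __name__ == "__main__":
    full, top = build_blacklists()
    candidates = ["password", "football", "pässwörd", "Tr0ub4dor&3-constructed"]
    for pw in candidates:
        print(f"{pw!r}: full={is_blacklisted(pw, full)} top3={is_blacklisted(pw, top)}")
    print(rejection_counts(candidates, full, top))
```

On a real deployment the hash set would be loaded once at startup from the downloaded file rather than rebuilt per request, and the plaintext candidate is hashed client- or server-side and never logged; the set lookup itself is the same.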
“CynoSure Prime’s latest (and frankly gargantuan) reversal of password hashes serves as a timely reminder of the issues facing their use,” Dr. Jamie Graves, CEO at ZoneFox, pointed out.
“Invented during a simpler time, it’s understandable why some may argue that the humble password no longer belongs in a world rife with cyber crime that has outgrown its sophistication. However, rather than being tossed aside completely, passwords still have a pivotal role to play when combined with other layers of security within a two or multi-factor approach – a practice being well implemented by the likes of Google and Facebook. They have essentially made the password the first layer of defence, supported by more sophisticated techniques, such as IP listing and two-factor authentication, whereby a message is sent to a user to alert them to account access from an unknown machine.”
Steve Manzuik, Director of Security Research at Duo Security, thinks that passwords shouldn’t be used as the only authentication factor, and recommends that users take advantage of password managers.
“The main problem is that people just can’t remember a litany of very long and complex passwords; it’s recommended to use a password manager (many of which are free). The benefit is that you save all your passwords in one encrypted vault and then you only need to remember a single password to access the vault,” he noted.
“In addition, two-factor authentication (2FA), which sounds daunting but is actually very simple, protects you in the event that an attacker manages to get your username and password. This extra layer of security enables you to block an attacker, or anyone that isn’t you, from being able to get into your accounts after they enter in your login credentials.”