Agregátor RSS
Vysloužilé satelity přispívají k úbytku ozonové vrstvy, myslí si vědci
Cybercriminals Exploit Free Software Lures to Deploy Hijack Loader and Vidar Stealer
Cybercriminals Exploit Free Software Lures to Deploy Hijack Loader and Vidar Stealer
Teď se dozvíte, co budete za několik měsíců hrát. Čeká nás nová Zelda, Mario & Luigi i opičák Donkey Kong
Uncle Sam ends financial support to orgs hurt by Change Healthcare attack
The US government is winding down its financial support for healthcare providers originally introduced following the ransomware attack at Change Healthcare in February.…
Tails 6.4
Disney+ a 25 nejoblíbenějších filmů a seriálů v červnu 2024. Na co se Češi nejvíc dívají
V Chromu na Androidu si necháte přečíst webovou stránku. Podporováno je 12 jazyků, doplní je překlady
KDE Plasma 6.1
Analysis of user password strength
The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of guessing an eight-character password consisting of same-case English letters and digits, or 36 combinable characters, within just 17 seconds.
Our study of resistance to brute-force attacks found that a large percentage of passwords (59%) can be cracked in under one hour.
How passwords are typically storedTo be able to authenticate users, websites need a way to store login-password pairs and use these to verify data entered by the user. In most cases, passwords are stored as hashes, rather than plaintext, so that attackers cannot use them in the event of a leak. To prevent the password from being guessed with the help of rainbow tables, a salt is added before hashing.
Although hashes are inherently irreversible, an attacker with access to a leaked database can try to guess the passwords. They would have an unlimited number of attempts, as the database itself has no protection against brute-forcing whatsoever. Ready-made password-guessing tools, such as hashcat, can be found online.
MethodologyOur study looked at 193 million passwords found freely accessible on various dark web sites. Kaspersky does not collect or store user passwords. More details are available here and here.
We estimated the time it takes to guess a password from a hash using brute force and various advanced algorithms, such as dictionary attacks and/or enumeration of common character combinations. By dictionary we understand here a list of character combinations frequently used in passwords. They include, but are not limited to real English words.
Brute force attacksThe brute-force method is still one of the simplest and most straightforward: the computer tries every possible password option until one works. This is not a one-size-fits-all approach: enumeration ignores dictionary passwords, and it is noticeably worse at guessing longer passwords than shorter ones.
We analyzed the brute-forcing speed as applied to the database under review. For clarity, we have divided the passwords in the sample into patterns according to the types of characters they contain.
- a: the password contains only lowercase or only uppercase letters.
- aA: the password contains both lowercase and uppercase letters.
- 0: the password contains digits.
- !: the password contains special characters.
The time it takes to crack a password using the brute-force method depends on the length and the number of character types. The results in the table are calculated for the RTX 4090 GPU and the MD5 hashing algorithm with a salt. The speed of enumeration in this configuration is 164 billion hashes per second. The percentages in the table are rounded.
Password pattern Share of passwords of this type in the dataset, % Share of brute-forceable passwords (by pattern, %) Maximum password length in characters by crack time < 60 s 60 s to 60 min 60 min to 24 h 24 h to 30 d 30 d to 365 d > 365 d 24 h to 30 d 30 d to 365 d > 365 d aA0! 28 0,2 0,4 5 0 9 85 — 9 10 a0 26 28 13 15 11 10 24 11 12 13 aA0 24 3 16 11 0 15 55 — 10 11 a0! 7 2 9 0 14 15 59 9 10 11 0 6 94 4 2 0 0 0 — — — a 6 45 13 10 9 6 17 12 13 14 aA 2 15 22 11 14 0 38 10 — 11 a! 1 6 9 11 0 11 62 — 10 11 aA! 0,7 3 2 12 10 0 73 9 — 10 0! 0,5 10 27 0 18 13 32 10 11 12 ! 0,006 50 9 10 5 6 19 11 12 13The most popular type of passwords (28%) includes lowercase and uppercase letters, special characters and digits. Most of these passwords in the sample under review are difficult to brute-force. About 5% can be guessed within a day, but 85% of this type of passwords take more than a year to work out. The crack time depends on the length: a password of nine characters can be guessed within a year, but one that contains 10 characters, more than a year.
Passwords that are least resistant to brute-force attacks are the ones that consist of only letters, only digits or only special characters. The sample contained 14% of these. Most of them can be cracked within less than a day. Strong letter-only passwords start at 11 characters. There were no strong digit-only passwords in the sample.
Smart brute-force attacksAs mentioned above, brute force is a suboptimal password-guessing algorithm. Passwords often consist of certain character combinations: words, names, dates, sequences (“12345” or “qwerty”). If you make your brute-force algorithm consider this, you can speed up the process:
- bruteforce_corr is an optimized version of the brute-force method. You can use a large sample to measure the frequency of a certain password pattern. Next, you can allocate to each variety a percentage of computational time that corresponds to its real-life frequency. Thus, if there are three patterns, and the first one is used in 50% of cases, and the second and third in 25%, then per minute our computer will spend 30 seconds enumerating pattern one, and 15 seconds enumerating patterns two and three each.
- zxcvbn is an advanced algorithm for gauging password strength. The algorithm identifies the pattern the password belongs to, such as “word, three digits” or “special character, dictionary word, digit sequence”. Next, it calculates the number of iterations required for enumerating each element in the pattern. So, if the password contains a dictionary word, finding it will take a number of iterations equal to the size of the dictionary. If a part of the pattern is random, it will have to be brute-forced. You can calculate the total complexity of cracking the password if you know the time it takes to guess each component of the pattern. This method has a limitation: successful enumeration requires specifying a password or assuming a pattern. However, you can find the popularity of patterns by using stolen samples. Then, as with the brute-force option, allocate to the pattern an amount of computational time proportional to its occurrence. We designate this algorithm as “zxcvbn_corr”.
- unogram is the simplest language algorithm. Rather than requiring a password pattern, it relies on the frequency of each character, calculated from a sample of passwords. The algorithm prioritizes the most popular characters when enumerating. So, to estimate the crack time, it is enough to calculate the probability of the characters appearing in the password.
- 3gram_seq, ngram_seq are algorithms that calculate the probability of the next character depending on n-1 previous ones. The proposed algorithm starts enumerating one character, and then sequentially adds the next one, while starting with the longest and most frequently occurring n-grams. In the study, we used n-grams ranging from 1 to 10 characters that appear more than 50 times in the password database. The 3gram_seq algorithm is limited to n-grams up to and including three characters long.
- 3gram_opt_corr, ngram_opt_corr is an optimized version of n-grams. The previous algorithm generated the password from the beginning by adding one character at a time. However, in some cases, enumeration goes faster if you start from the end, from the middle or from several positions simultaneously. *_opt_* algorithms check the varieties described above for a specific password and select the best one. However, in this case, we need a password pattern that allows us to determine where to start generating from. When adjusted for different patterns, these algorithms are generally slower. Still, they can provide a significant advantage for specific passwords.
Also, for each password, we calculated a best value: the best crack time among all the algorithms used. This is a hypothetical ideal case. To implement it, you will need to “guess” an appropriate algorithm or simultaneously run each of the aforementioned algorithms on a GPU of its own.
Below are the results of gauging password strength by running the algorithms on an RTX 4090 GPU for MD5 with a salt.
Crack time Percentage of brute-forceable passwords ngram_seq 3gram_seq unogram ngram_opt_corr 3gram_opt
_corr zxcvbn
_corr bruteforce
_corr Best < 60 s 41% 29% 12% 23% 10% 27% 10% 45% 60 s to 60 min 14% 16% 12% 15% 12% 15% 10% 14% 60 min to 24 h 9% 11% 12% 11% 12% 9% 6% 8% 24 h to 30 d 7% 9% 11% 10% 11% 9% 9% 6% 30 d to 365 d 4% 5% 7% 6% 8% 6% 10% 4% > 365 d 25% 30% 47% 35% 47% 35% 54% 23%
The bottom line is, when using the most efficient algorithm, 45% of passwords in the sample under review can be guessed within one minute, 59% within one hour, and 73% within a month. Only 23% of passwords take more than one year to crack.
Importantly, guessing all the passwords in the database will take almost as much time as guessing one of them. During the attack, the hacker checks the database for the hash obtained in the current iteration. If the hash is in the database, the password is marked as cracked, and the algorithm moves on to working on the others.
The use of dictionary words reduces password strengthTo find which password patterns are most resistant to hacking, we calculated the best value for an expanded set of criteria. For this purpose, we created a dictionary of frequently used combinations of four or more characters, and added these to the password pattern list.
- dict: the password contains one or more dictionary words.
- dict_only: the password contains only dictionary words.
The majority (57%) of the passwords reviewed contained a dictionary word, which significantly reduced their strength. Half of these can be cracked in less than a minute, and 67% within one hour. Only 12% of dictionary passwords are strong enough and take more than a year to guess. Even when using all recommended character types (uppercase and lowercase letters, digits and special characters), only 20% of these passwords proved resistant to brute-forcing.
It is possible to distinguish several groups among the most popular dictionary sequences found in passwords.
- Names: “ahmed”, “nguyen”, “kumar”, “kevin”, “daniel”;
- Popular words: “forever”, “love”, “google”, “hacker”, “gamer”;
- Standard passwords: “password”, “qwerty12345”, “admin”, “12345”, “team”.
Non-dictionary passwords comprised 43% of the sample. Some were weak, such as those consisting of same-case letters and digits (10%) or digits only (6%). However, adding all recommended character types (the aA0! pattern) makes 76% of these passwords strong enough.
TakeawaysModern GPUs are capable of cracking user passwords at a tremendous speed. The simplest brute-force algorithm can crack any password up to eight characters long within less than a day. Smart hacking algorithms can quickly guess even long passwords. These use dictionaries, consider character substitution (“e” to “3”, “1” to “!” or “a” to “@”) and popular combinations (“qwerty”, “12345”, “asdfg”).
This study lets us draw the following conclusions about password strength:
- Many user passwords are not strong enough: 59% can be guessed within one hour.
- Using meaningful words, names and standard character combinations significantly reduces the time it takes to guess the password.
- The least secure password is one that consists entirely of digits or words.
To protect your accounts from hacking:
- Remember that the best password is a random, computer-generated one. Many password managers are capable of generating passwords.
- Use mnemonic, rather than meaningful, phrases.
- Check your password for resistance to hacking. You can do this with the help of Password Checker, Kaspersky Password Manager or the zxcvbn
- Make sure your passwords are not contained in any leaked databases by going to haveibeenpwned. Use security solutions that alert users about password leaks.
- Avoid using the same password for multiple websites. If your passwords are unique, cracking one of them would cause less damage.
NHS boss says Scottish trust wouldn't give cyberattackers what they wanted
The chief exec at NHS Dumfries and Galloway will write to thousands of folks in the Scottish region whose data was stolen by criminals, admitting the lot of it was published after the trust did not give in to the miscreants' demands.…
The Annual SaaS Security Report: 2025 CISO Plans and Priorities
The Annual SaaS Security Report: 2025 CISO Plans and Priorities
Technologie pomohly Slovensku dobýt Belgii. Zasáhl čip schovaný ve fotbalovém míči
The Sims se konkurenta nedočkají. Chystaný simulátor života Life by You byl zrušen
The rise of AI-powered killer robot drones
Remember former Google CEO Eric Schmidt? He now makes flying AI robots that target and kill autonomously. (Really!)
His robots are in high demand for one simple reason: GPS jamming.
I’ll explain more about Schmidt’s robots below. But first, it’s time to catch up on the rising trend of GPS, cell phone and other signal jamming, which is triggering a global arms race between jamming and anti-jamming technologies.
The FCC crackdown of 2012All jamming devices in the United States were banned 90 years ago — long before jamming devices even existed. The Communications Act of 1934 explicitly prohibited deliberate interference with radio communications.
Both cell phone and GPS jamming works by “flooding the zone” with white noise in the same frequencies as phone and GPS receivers, basically a denial-of-service attack on the associated range of radio frequencies. But it was the rise in e-commerce that fueled an industry of online jammer sales. In 2012, a bus passenger in Philadelphia wanted some peace and quiet, so he used a cell phone jammer to jam all the phones on the bus. Later that year, the FCC took legal action against 20 online retailers in 12 states for illegally selling jamming devices.
Despite the crackdown, the illegal use of jammers continued. In 2013, RNM Manufacturing in Houston, TX used a jammer to block employees from using their phones at work and was fined $29,250. Not to be out-done by Houston, a Dallas company in 2022 called Ravi’s Import Warehouse also tried to jam employee calls and was also fined by the FCC, this time for $22,000.
Jammers are still available on the black market, which have led to calls for global enforcement of jamming bans. Signal jamming of every kind is illegal in the United States, which is why it might seem surprising to Americans to learn that thousands of commercial aircraft in Europe are put at risk every day by GPS jammers.
The European jamming crisisThe current dramatic rise in GPS jamming is almost certainly done by the Russian military to protect its bases and assets from Ukrainian drone attacks. More than 46,000 aircraft GPS jamming incidents have been reported over the Baltic Sea, Kaliningrad, the Black Sea, the Caspian Sea and the Eastern Mediterranean since August 2021. New incidents are reported every day.
(The website GPSJAM tracks and displays GPS interference in Europe and the Middle East.)
Major airlines like Ryanair (more than 2,300 flights), Wizz Air (nearly 1,400 flights), British Airways (82 flights) and easyJet (4 flights) have been affected by jamming. The GPS jamming has forced some flight cancellations or diversions. Finnair had to temporarily suspend flights to Tartu, Estonia. And a British Royal Air Force plane carrying the UK defense secretary experienced GPS jamming near Kaliningrad in March 2023.
The Ukraine/Russia conflict is a proving ground and laboratory for all kinds of both military and malicious cyberattack technologies.
Specifically, the conflict is the world’s first large-scale drone war. The Ukraine side alone reportedly loses more than 10,000 drones a month, and the country itself has produced more than 1 million drones since the start of the war; it’s also received an unknown number from abroad, including familiar consumer and business drones like the DJI Mavic 2 Zoom, DJI Mavic 2 Enterprise, Autel EVO II Pro, the Bayraktar TB2 and others.
Both sides are using huge numbers of drones for surveillance, reconnaissance, espionage, explosives delivery, hacking, malware delivery, counter-hacking and signal jamming. And while the Ukraine side leads in the creative use of drones, the Russian side is more advanced in drone GPS and signal jamming innovations.
Nearly every effective drone and counter-drone action pioneered and tested in the Ukraine-Russia conflict will almost certainly be used against business and other targets in the years to come. Based on what’s happening in the war, cybersecurity professionals should be aware of the three main areas drones will be increasingly used by malicious actors:
1. Bypassing physical security: Drones can fly over fences, down air ducts and land on roofs to observe security protocols and plan physical attacks using high-quality cameras.
2. Network sniffing and spoofing: Drones equipped with modifiable computers can mimic Wi-Fi networks to steal sensitive information.
3. Denial-of-Service attacks: Drones can perform de-authentication attacks and jam communications.
Another easy prediction is that businesses will be challenged by malicious drone use, given the illegality of jamming in the US.
The military industrial complex gets to workAs Western GPS-guided munitions are increasingly defeated by Russian jamming, the Pentagon is scrambling to innovate in countering the jamming threat. (This is somewhat ironic, given that the GPS system, the mobile cellular system and, in fact, the internet itself were all created by or founded upon Pentagon research programs.)
One approach is to blow up the jammers. The US Air Force awarded a contract valued at around $23.5 million to Scientific Applications and Research Associates to enable guided bombs to home in on — and destroy — jamming equipment.
The Air Force Research Lab is conducting research on using regular smartphones for real-time detection of jamming and spoofing. And while blowing up jamming devices is a short-term, immediate solution, the longer-term solution is to enable drones to work autonomously, without needing to phone home or be controlled remotely.
One fascinating project is the Pentagon’s Rapid Experimental Missionized Autonomy (REMA) program. The project is developing plug-ins or adaptors that can be fitted to ordinary commercial drones that would enable them to carry out their missions autonomously after being jammed. Contracts for the drone-autonomy adapter interface have been already awarded to companies like Anduril and RTX for the hardware and Leidos, Northrop Grumman and SoarTech for the software.
Eric Schmidt’s flying killer robotsWhite Stork is a secretive startup founded by former Google CEO Eric Schmidt. The company is building small, low-cost ($400) drones that use AI to target and fly into those targets, thus blowing them up with attached bombs. The drones don’t rely on remote control or GPS navigation, but instead use cameras and AI for navigation and targeting. And because they’re low cost, they can be manufactured and deployed on a massive scale.
Schmidt has been actively involved in supporting Ukraine’s war efforts, and travels to Ukraine frequently to meet with Ukrainian generals about using drones in combat. White Stork drones will soon enter the conflict, if they haven’t already.
The future of jamming and counter-jammingThe future of warfare, as well as industrial espionage, terrorism and cyberattacks in general will involve drones in increasing numbers. History tells us that everything the Pentagon builds and buys for the good guys eventually ends up in the hands of the bad guys. That means we’ll likely need not only jamming, but also defensive technologies to counter weaponized drones that don’t rely on radio signals, but instead use AI for autonomous targeting and attacking. Drones are cheap. AI is free. The autonomous drones are coming. We need defenses that are legal to use.
The Olympics this summer will be our first test run. The terrorist group ISIS has circulated detailed manuals on adapting commercially available drones to carry explosives. The idea is to get the how-to information into the hands of “lone wolf” terrorists operating autonomously. The group has also explicitly called on its followers in Europe to launch drone attacks on Paris landmarks like the Eiffel Tower during this year’s summer Olympics.
France has established an anti-drone coordination center at a military base near Paris in light of the threat. And it’s planning to use antiquated technologies like special guns called SkyWall Patrol that shoot nets designed to capture drones mid-flight, and even laser beam devices. That might be sufficient for the low-tech drones they face today, but the AI drones of tomorrow will require more advanced defenses.
While American businesses, enterprises, and law enforcement remain mostly oblivious to the coming threat from drone-based attacks, Europe is proving to be a laboratory for what’s possible there now, and what’s coming to the United States in the future.
Pokročilá Einsteinova gravitační observatoř spustí novou éru astronomie
New Malware Targets Exposed Docker APIs for Cryptocurrency Mining
New Malware Targets Exposed Docker APIs for Cryptocurrency Mining
Qsynth 1.0.0
- « první
- ‹ předchozí
- …
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- …
- následující ›
- poslední »
![Security-Portal.cz agregátor Syndikovat obsah](/misc/feed.png)