We don’t want to scare anyone, but Dan Goodin’s Ars Technica article published late Monday illustrates at length why everyone who uses the Internet for anything at all should consider changing their passwords. Actions that once required supercomputing can be done from desktops now and when it comes to security, that’s spooky stuff:
Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.
The warning notes only sound more ominous as Mr. Goodin uses high profile hacks from the last few years to illustrate just how far the dark art of breaking into your online life has come.
For example, the epic hack of 32 million passwords from RockYou.com in 2009 was a watershed moment in cracking. Thanks to a SQL injection attack that allowed hackers to publish them online, Mr. Goodin writes that “almost overnight, the unprecedented corpus of real-world credentials changed the way whitehat and blackhat hackers alike cracked passwords.”
The RockYou attack basically made old dictionary-style password cracking, in which cracking programs rotate through giant lists of words in attempt to establish a key, obsolete. Using patterns culled from RockYou and other sources as well as profiling possible password selection, crackers have made huge leaps in breaking both weak encryption and in taking advantage of Internet users’ lazy thinking.
Per Thorsheim, one of the security experts consulted by Goodin, says a basic, long-standing piece of advice about protecting passcodes remains golden: use a new password for every site.
Crackers can probably break anything involving your childhood pet, street address and grandma’s birthday, but at least the damage might be contained to one site if they do. Which is fine, unless we’re talking about your bank account.