All your passwords belong to us

All your passwords belong to us

Summary: Password hacks and new cracker tools surfaced this week to reinforce passwords are indeed sitting ducks. Will anything be done about it?


I think I detected a discernible sigh of relief this week from billions of Internet users with 56-character passwords.

I could be wrong. Likely I am.

People try all sorts of crazy things to manage passwords, but 55 character strings are not anywhere near the top of the list.

This week has been another example of the hacker blitz on passwords; leading off with the password-cracker program oclHashcat-plus, which was infused with upgrades that allow it to break passwords as long as 55 characters

Talk about bringing down barriers to entry. Perhaps the last of our defenses are gone. And by the way, oclHashcat-plus is a free download if you're looking for a cheap and sinister hobby.

I've argued for a while now that it's the infrastructure that needs to change more so than the tired password system. Users need to understand the value of their personal data and they need to take steps to protect it. Why? Because the bad guys are actively after it.

It was a phished password that brought down the New York Times this week. But it wasn't a password that belonged to someone at the newspaper. The password was spear phished out of an Australian DNS registrar by the Syrian Electronic Army and used to poison DNS records and direct traffic away from

Security firm Sophos reported an attack going on this week trying to get Gmail users to click on a Google Docs link in order to see a "secure document" from their banking institution.

Not to pick only on Google users, the poisoned page said it would accept Google credentials, as well as, Yahoo,, Hotmail, AOL, Comcast, Verizon, or any other email account.

The ultimate target was passwords.

Also this week, a new mobile Trojan is creating havoc for online mobile banking customers who use two-factor authentication. Called Perkele, it infects your PC or laptop along with your mobile device to steal two-factor passcodes sent to the mobile devices.

Victims are being duped by text message or email to open malicious links or attacked via drive-by downloads. Versafe, which discovered Perkele, told the Bankinfo Security web site that "banking institutions have to build security into their mobile and online banking platforms that goes beyond authenticating the user."

What do hackers do with stolen passwords? Those pilfered in large chunks are used, among other ways, to update rainbow tables, which progressively makes it easier to crack additional stolen passwords.

Once the passwords are cracked, email addresses coupled with stolen passwords are the two ingredients in spear phishing attacks (see: New York Times). In addition, those email/password combinations are loaded into a program and run against other websites. Ones where end-users may have reused the password.

This lingering password problem has been a tough issue to fix, especially given that the weak link in the chain, end-users, are reluctant to change their behavior, and the fact hackers  are becoming more sophisticated. 

Two-factor authentication has been dominating the news as a solution, but Perkele begins to show its vulnerabilities. What else can be done? Where do researchers, vendors and others begin to look for answers?  

Topics: Security, Banking, Networking


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I don't think passwords will ever go away...

    The only thing worse than passwords is... everything else.

    Biometrics are only as good as the measuring device - and anything that can be measured can also be duplicated.

    Smart cards are nice... until the interface to them is hacked (been there done that during testing). Then they don't work very well. Another problem with them is reverse engineering - once that is done, none of them are secure.

    Challenge/response PIN cards are nice... until the card is reverse engineered, or misplaced, or stolen...

    Facial recognition? All it needs is a higher resolution image to fake it. Those that try to include 3D... still tricky, but a 3D printed head just might do the trick (might have to project a color image on it though).

    The only thing really guaranteed is something you know. Anything else is just a physical measurement.
    • This is just another alarmist article on ZDnet.

      8 billion passwords a second sounds like a lot and if you couple that with the update that allows oclHashcat-plus to break passwords as long as 55 characters. I guess that means any of us with less than 56 characters are doomed to having our passwords cracked so its time to get rid of passwords right?

      Well first... how about a little fun with math and Google?

      If you assume any combination of the easily accessible characters and symbols on the keyboard that might be used in formulating your password (a total of 94) and the cracker can try 8 billion per second (8*10^9) then formula would be: (94^passlength)/(8*10^9)/60secs/60mins/24hours/365days/num-years.

      You can try this in Google:

      A 9 character password of the randomly accessible characters would up to just over 2 years. (94^9)/(8*10^9)/60/60/24/365/1= 2.27 years.

      A 10 character password? 213 years. 11 characters? 20068 years. 11 characters? 20068 years. 12 characters? 1.8 million years. 55 characters? 9.6253114e+98 times the age of the universe.

      The Pass phrase: "The quick brown fox jumped over the lazy blue dog." with punctuation but without any cumbersome special characters (54 combinations; 50 characters long) would take 1.6511685e+69 times the age of the universe to crack with the latest update to oclHashcat-plus so I think it would be reasonably secure from a brute force attack in the foreseeable future.

      Yes, 8 billion passwords a second makes short 8 character passwords fairly crackable at only 8 days but just adding one more character turns into two years so lets not panic just yet. The exponential increase in time factor beyond 8 characters means that our biggest security concern is not brute force cracking software but phishing attacks, trojans, keyloggers, social engineering tricks, etc.
  • excellent article but...

    ... lets get the grammar correct eh? Its 'all your passwords ARE belong to us'... there, fixed...

  • GovComm 3334p

    Why use passwords in the first place, they are obsolete.
    PRISM blast past any password "protection" as if it were nonexistant.
    Do you have something to hide?
    • Nonesense.

      Even certificates are password encoded...

      Otherwise they could be used as if there were no security in the first place...
  • Password Articles!

    For all these Password Articles, I have never seen a real world situation where they show you how it works. Right now for most of us, it is a esoteric subject. My financial institution would give you 3 tries to get it right, so how many tries do they have to use before they can break a password. As far as I can see, a password has to be tried in a real world situation to see it can be broken in 3 tries. Financial Institutions will normally limit the amount of tries you get to open an account. Why not a real world situation in one of these articles. I will not respond to any e-mail that makes an unreasonable request of me. Sometimes you click on a site that they have in the e-mail to try it, and it will not open any page. Also WOT, Avast and Zone Alarm are at the ready, so I have not suffered any of my passwords being stolen. I take these articles with a grain of salt.
    • the cracking is Offline

      The Ars technica article explains where ZD net fails to mention these crackers like OCL hashcat plus are OFFLINE programs meaning they steal the database then spend as much time and attempts as needed to crack the passwords no login failure detection in this case read the real article on Ars technica
  • Just a rehash of the Ars Technica Article

    people wont listen people wont change they will be hacked
  • Title has incorrect grammar.

    It should be "All your password are belong to us."

    I didn't say it has "poor," or "improper" grammar, I just said it was incorrect. The correct way is poor and improper grammar.
    Jacob VanWagoner
  • Right about everything else

    Something you carry may be stolen (that's why ATM and credit cards have PIN's, although 4 digits are not too secure). A body part characteristic such as a fingerprint can be copied (Mythbusters did it; it was a tedious process, but if the reward is high enough ...), or the finger amputated; and of course people who are already amputees would have to use an alternate body part. Voiceprint of an unchanging passphrase can be recorded and played back; and with enough voice-to-text samples in a Siri or Google server, a voice synthesizer could reproduce any text on demand in a simulated voice. Retina scans are useless for a blind person whose eyeballs were surgically removed (and in "Angels and Demons" by Dan Brown, the bad guys killed the authorized user and removed an eyeball on the scene to unlock a door); typing patterns will change with nerves, temporary or permanent changes causing pain in certain digits (e.g. sore thumb); voice patterns may also change with stress. Any of these factors can either be faked, or lost to the legitimate user (even if temporarily), or unavailable for some users from the beginning.

    This leaves us with passwords, unless someone has other ideas.
  • Here are my findings

    Here is a table I created and will maintain as the authentication landscape changes, comparing various methods to confirm identity:

    As a disclaimer, these are all my own assessments and not purporting to be the findings of any sort of vast industry consortium study. I also haven't written expanded definitions what each column means.
  • Secure Access

    Many years ago before the Internet fully took off we used the call back method, where you called the "Modem" at the far end and it responded by calling you back to your known "modem" that was set in its firmware.
  • What about 2FA?

    I believe, that two factor authentication is the very good solution to the mentioned problem - especially now, when a completly new way of 2fa hits the market - Rublon. I'm not gonna describe it here, but it is really worth checking out at
    Strongly recomend!
    Bruno Zaczkowski
  • If you're going to use a meme, use it right for heaven's sake!

    The title should be:

    All Your Password Are Belong To Us.
    Jacob VanWagoner