All your passwords belong to us

Summary: Password hacks and new cracker tools surfaced this week to reinforce that passwords are indeed sitting ducks. Will anything be done about it?

I think I detected a discernible sigh of relief this week from billions of Internet users with 56-character passwords.

I could be wrong. Likely I am.

People try all sorts of crazy things to manage passwords, but 55-character strings are not anywhere near the top of the list.

This week has been another example of the hacker blitz on passwords, leading off with the password cracker oclHashcat-plus, which received upgrades that let it attack passwords up to 55 characters long. The caveat for defenders: a longer limit does not make a long random password any cheaper to guess; what it puts within reach are long passphrases assembled from dictionary words and previously cracked passwords.

Talk about bringing down barriers to entry. Perhaps the last of our defenses is gone. And by the way, oclHashcat-plus is a free download if you're looking for a cheap and sinister hobby.


I've argued for a while now that it's the infrastructure that needs to change more so than the tired password system. Users need to understand the value of their personal data and they need to take steps to protect it. Why? Because the bad guys are actively after it.

It was a phished password that took the New York Times offline this week. But it wasn't a password that belonged to someone at the newspaper. The Syrian Electronic Army spear phished it out of an Australian DNS registrar and used it to change the nytimes.com DNS records held at the registrar, redirecting traffic away from the paper's servers.

Security firm Sophos reported an attack going on this week trying to get Gmail users to click on a Google Docs link in order to see a "secure document" from their banking institution.

Not to pick only on Google users, the poisoned page said it would accept Google credentials as well as Yahoo, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account.

The ultimate target was passwords.

Also this week, a new mobile Trojan is creating havoc for online banking customers who use two-factor authentication. Called Perkele, it infects the PC or laptop along with the mobile device in order to steal the one-time passcodes that banks send to the phone.


Victims are being duped by text message or email to open malicious links or attacked via drive-by downloads. Versafe, which discovered Perkele, told the Bankinfo Security web site that "banking institutions have to build security into their mobile and online banking platforms that goes beyond authenticating the user."

What do hackers do with stolen passwords? Dumps taken in bulk are used, among other ways, to grow the dictionaries and mangling rules that cracking tools run against the next dump, so every batch of cracked hashes makes the next batch easier to crack.

Once the hashes are cracked, an email address paired with its password is the two-ingredient recipe for a spear phishing attack (see: New York Times). The same email/password combinations are also loaded into a tool and replayed against other websites, the ones where end users may have reused the password.
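The two stages above, feeding cracked plaintexts back into the dictionary and then replaying the recovered email/password pairs against an unrelated site, as an added example that is not part of the original column. All emails, passwords, hashes and site names are constructed for the illustration; the leaked sites store unsalted SHA-1 (as many real leaks of the period did) and the target site stores salted PBKDF2, which is the point: the target's hashing quality does nothing against password reuse.

```python
import hashlib
import hmac
import os

# ---- Constructed breach data (every email, password and hash is made up) ----
# Two leaked databases that stored unsalted SHA-1. The attacker holds the
# hashes, not the plaintexts.
def sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest()

DUMP_SITE_A = {
    "alice@example.com": sha1_hex("sunshine"),
    "bob@example.com":   sha1_hex("letmein123"),
    "carol@example.com": sha1_hex("Tr0ub4dor&3"),
}
DUMP_SITE_B = {
    "frank@example.com": sha1_hex("Letmein123"),   # an A-dump password, re-mangled
    "gina@example.com":  sha1_hex("sunshine!"),
    "hank@example.com":  sha1_hex("correct horse battery staple"),
}

# Attacker's starting dictionary: a handful of top passwords.
BASE_WORDLIST = ["123456", "password", "sunshine", "letmein", "qwerty"]

def mangle(word):
    """A few rules of the kind cracker tools apply to every dictionary word."""
    yield word
    yield word.capitalize()
    yield word + "123"
    yield word + "!"

def crack_dump(dump, wordlist):
    """Dictionary attack on unsalted hashes. Each candidate is hashed once and
    looked up against every user at the same time: without a salt, identical
    passwords produce identical hashes across all users."""
    hash_to_users = {}
    for user, h in dump.items():
        hash_to_users.setdefault(h, []).append(user)
    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            for user in hash_to_users.get(sha1_hex(cand), []):
                cracked[user] = cand
    return cracked

def grow_wordlist(wordlist, cracked):
    """Feed recovered plaintexts back into the dictionary so the rules get
    applied on top of them in the next run (order kept, duplicates dropped)."""
    return list(dict.fromkeys(wordlist + list(cracked.values())))

# ---- Target site C: salted, stretched hashing done properly ----
def pbkdf2_store(pw, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

SITE_C_USERS = {
    "alice@example.com": pbkdf2_store("sunshine"),          # alice reused her password
    "bob@example.com":   pbkdf2_store("unique-for-site-c"),  # bob did not
}

def site_c_login(email, pw):
    rec = SITE_C_USERS.get(email)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000), stored)

def credential_stuffing(cracked_pairs, login):
    """Replay every (email, password) pair recovered from one dump against
    another site's login form. The attacker never touches site C's hashes."""
    return {email for email, pw in cracked_pairs.items() if login(email, pw)}

def run_campaign():
    round1 = crack_dump(DUMP_SITE_A, BASE_WORDLIST)           # alice, bob
    grown = grow_wordlist(BASE_WORDLIST, round1)
    round2_base = crack_dump(DUMP_SITE_B, BASE_WORDLIST)      # gina only
    round2_grown = crack_dump(DUMP_SITE_B, grown)             # gina and frank
    stuffed = credential_stuffing(round1, site_c_login)       # alice
    return round1, round2_base, round2_grown, stuffed

if __name__ == "__main__":
    for label, result in zip(("A cracked", "B w/ base", "B w/ grown", "C stuffed"),
                             run_campaign()):
        print(f"{label:>10}: {result}")
```

"Letmein123" falls to the grown dictionary but not to the base one because no single rule turns "letmein" into it, whereas the cracked "letmein123" only needs one capitalisation. Carol's and Hank's hashes survive both runs, and Alice's account on site C falls without any hash of hers ever leaving site C.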

This lingering password problem has been tough to fix, especially since the weak link in the chain, the end user, is reluctant to change behavior, and hackers keep getting more sophisticated.

Two-factor authentication has dominated the news as the solution, but Perkele begins to show its limits: a one-time code delivered to the phone is only as safe as the phone it lands on. What else can be done? Where do researchers, vendors and others begin to look for answers?

Topics: Security, Banking, Networking

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, as well as, directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y... Full Bio
