All your passwords belong to us

Password hacks and new cracker tools surfaced this week to reinforce that passwords are indeed sitting ducks. Will anything be done about it?

I think I detected a discernible sigh of relief this week from billions of Internet users with 56-character passwords.

I could be wrong. Likely I am.

People try all sorts of crazy things to manage passwords, but 55-character strings are not anywhere near the top of the list.

This week has been another example of the hacker blitz on passwords, leading off with the password-cracker program oclHashcat-plus, which was infused with upgrades that allow it to break passwords as long as 55 characters.

Talk about bringing down barriers to entry. Perhaps the last of our defenses are gone. And by the way, oclHashcat-plus is a free download if you're looking for a cheap and sinister hobby.

I've argued for a while now that it's the infrastructure that needs to change more so than the tired password system. Users need to understand the value of their personal data and they need to take steps to protect it. Why? Because the bad guys are actively after it.

It was a phished password that brought down the New York Times this week. But it wasn't a password that belonged to someone at the newspaper. The password was spear phished out of an Australian DNS registrar by the Syrian Electronic Army and used to poison DNS records and direct traffic away from

Security firm Sophos reported an attack going on this week trying to get Gmail users to click on a Google Docs link in order to see a "secure document" from their banking institution.

Not to pick only on Google users, the poisoned page said it would accept Google credentials, as well as Yahoo, Hotmail, AOL, Comcast, Verizon, or any other email account.

The ultimate target was passwords.

Also this week, a new mobile Trojan is creating havoc for online mobile banking customers who use two-factor authentication. Called Perkele, it infects your PC or laptop along with your mobile device to steal the two-factor passcodes sent to the mobile device.

Victims are being duped by text message or email to open malicious links or attacked via drive-by downloads. Versafe, which discovered Perkele, told the Bankinfo Security web site that "banking institutions have to build security into their mobile and online banking platforms that goes beyond authenticating the user."

What do hackers do with stolen passwords? Those pilfered in large chunks are used, among other ways, to update rainbow tables, which progressively makes it easier to crack additional stolen passwords.

Once the passwords are cracked, email addresses coupled with stolen passwords are the two ingredients in spear phishing attacks (see: New York Times). In addition, those email/password combinations are loaded into a program and run against other websites, ones where end-users may have reused the password.
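As an added example (not from the article), here is a small Python demonstration of why the precomputed-table cracking described above works against unsalted hashes and fails against salted, iterated ones. The usernames, passwords and wordlist are constructed, and the precomputed dictionary is a simplified stand-in for a real rainbow table, which stores hash chains instead of every pair.

```python
import hashlib
import hmac
import os

# Constructed "leaked" database of unsalted SHA-1 hashes, the kind of dump the
# article says gets fed back into precomputed tables. Passwords are made up.
LEAKED_UNSALTED = {
    "alice": hashlib.sha1(b"letmein").hexdigest(),
    "bob": hashlib.sha1(b"qwerty123").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery").hexdigest(),
}

# Stand-in for a rainbow table: a hash -> password lookup built once from a
# constructed wordlist. The defensive point is that it is computed ahead of
# time, independent of any particular victim database.
WORDLIST = ["password", "letmein", "qwerty123", "123456"]
PRECOMPUTED = {hashlib.sha1(w.encode()).hexdigest(): w for w in WORDLIST}


def lookup_unsalted(hashes):
    """Which users fall to the precomputed table with zero per-hash work."""
    return {user: PRECOMPUTED[h] for user, h in hashes.items() if h in PRECOMPUTED}


def store_salted(password, salt=None, iterations=100_000):
    """Hash with a random 16-byte per-user salt and PBKDF2-HMAC-SHA256.

    Returns (salt_hex, iterations, digest_hex) as a site would store it.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, digest.hex()


def verify_salted(password, record):
    """Recompute with the stored salt; constant-time compare of the digests."""
    salt_hex, iterations, digest_hex = record
    _, _, candidate = store_salted(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, digest_hex)


def lookup_salted(records):
    """Same precomputed table against salted records: the table was built
    without each user's salt, so no entry can match."""
    return {user: PRECOMPUTED[r[2]] for user, r in records.items() if r[2] in PRECOMPUTED}
```

Two users who reuse the same password also get different salted digests, so one site's dump no longer reveals which accounts share a password with another site's.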

This lingering password problem has been a tough issue to fix, especially given that end-users, the weak link in the chain, are reluctant to change their behavior, and that hackers are becoming more sophisticated.

Two-factor authentication has been dominating the news as a solution, but Perkele begins to show its vulnerabilities. What else can be done? Where do researchers, vendors and others begin to look for answers?