Lower hacking costs. The kind of hardware used to crack passwords has plunged in price. According to Robert Imhoff-Dousharm, information security officer at SanDisk, for $3,000 you can buy a PC with the password-cracking power of the fastest supercomputer in 1994, which cost $30 million then. A PC with that power can be assembled from parts you can buy from a computer retailer, and it can crack any eight-character password in just 23 hours, he says. Have a tighter budget but more time? No problem. An $800 starter version can do it in 40 days.
Better hacking tools. The power of password-cracking tools has surged. The key technology is the same speedy graphics card, also known as a graphics processing unit (GPU), that personal computers use to speed up action games.
The latest GPUs are also ideally suited for password-cracking software, Imhoff-Dousharm explains. “GPU technology has advanced so quickly, and password crackers have taken advantage of it to the point where pretty soon nine characters won’t be usable anymore,” he says. It’s fairly easy to find free software online that can crack passwords. John the Ripper, a popular program available from security expert Alexander Peslyak, is intended for legitimate security testing. And Cain & Abel, offered by security consultant Massimiliano Montoro, is a password-recovery tool. But those programs can also be used for illegal password cracking.
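The arithmetic behind those figures is worth seeing once, because it is the reason length matters more than cleverness. The example below is added here and is not from the article or from SanDisk; it takes the article's "any eight-character password in 23 hours" at face value, assumes that means an exhaustive search over a 95-character printable-ASCII alphabet (the article does not say which character set was meant), derives the guess rate that implies, and then shows how far a ninth character, a longer password, or a smaller alphabet moves the worst-case time. Charset sizes and the 100-year target are constructed for illustration.

```python
# Keyspace arithmetic for the article's cracking figures (added example).

# Figures quoted in the article (assumption: they describe a brute-force
# search that tries every possible eight-character password).
EIGHT_CHAR_SECONDS_FAST_PC = 23 * 3600      # $3,000 PC: 23 hours
EIGHT_CHAR_SECONDS_BUDGET_PC = 40 * 86400   # $800 PC: 40 days

# Alphabet sizes used below. The article does not state the character set
# behind the 23-hour figure, so 95 (printable ASCII) is an assumption.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "letters+digits": 62,
    "printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def implied_guess_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time in seconds to try every password at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate


def length_needed(alphabet_size: int, rate: float, target_years: float) -> int:
    """Smallest length whose exhaustive search takes at least `target_years`."""
    target_seconds = target_years * 365.25 * 86400
    length = 1
    while seconds_to_exhaust(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def crack_time_table(rate: float, lengths=range(8, 13)) -> dict:
    """Map (charset name, length) -> worst-case days at `rate` guesses/s."""
    return {
        (name, n): seconds_to_exhaust(size, n, rate) / 86400
        for name, size in CHARSETS.items()
        for n in lengths
    }


if __name__ == "__main__":
    # Rate implied by "95^8 passwords in 23 hours"; each extra character
    # multiplies the worst-case time by the alphabet size, so nine
    # printable-ASCII characters take 95 x 23 hours, about 91 days.
    rate = implied_guess_rate(95, 8, EIGHT_CHAR_SECONDS_FAST_PC)
    print(f"implied rate for 95^8 in 23 h: {rate:.3g} guesses/s")
    for (name, n), days in sorted(crack_time_table(rate).items()):
        print(f"{name:16s} length {n:2d}: {days:14.1f} days")
    print("length for 100 years, printable ASCII:", length_needed(95, rate, 100))
    print("length for 100 years, lowercase only:  ", length_needed(26, rate, 100))
```

Two things the table makes obvious: the implied rate is on the order of 10^10 guesses per second, and at that rate each added character buys a factor equal to the alphabet size, which is why a long lowercase passphrase can outlast a short "complex" password. Real attackers also use dictionaries and leaked-password lists rather than pure brute force, so these worst-case numbers are an upper bound on how long a password survives, not a guarantee.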
More potential hackers. With hardware so cheap and powerful software readily available, it’s no surprise that many people have recently taken to password cracking as a hobby, if not an occupation. According to Imhoff-Dousharm, the size of the online community that exchanges tips about the four most popular cracking utilities and the latest GPUs has skyrocketed from a couple of thousand people three years ago to more than 80,000 today.
There’s growing evidence that criminals have begun taking advantage of all those trends in a significant way. Two consumer sites, Gawker.com and Sony Pictures, experienced data breaches in the past year, exposing millions of consumers’ passwords to hackers. If those passwords were also used for other accounts, then hackers had access to them, too. In October the FBI arrested a man for hacking into the e-mail accounts of 50 people, including actress Scarlett Johansson and singer Christina Aguilera. He told authorities that he had guessed Johansson’s password by mining publicly available data and social networks for personal information about her.
The 2011 Consumer Reports State of the Net survey, published in June, projected that 3.7 million online U.S. households had been notified in the past year by a company, organization, or the government that their personal information had been lost, stolen, or hacked. The same survey also projected that the Facebook log-in information and accounts of almost 1 million members had been used for unauthorized purposes in the past year.
Of course, no matter how secure your passwords, you still have to be vigilant about other ways unauthorized people can gain access to your accounts.
Phishing sites, for example, are fraudulent sites that use official-looking e-mail to lure victims, posing as a bank or other familiar institution. Once you have entered your ID and password or PIN, the phisher can use them to steal from your account. The 2011 Consumer Reports State of the Net survey projected that approximately 6.4 million online users had in the previous year submitted personal information in response to an e-mail linking to such a site.
Then there are keyloggers. That malicious software, which stealthily captures and discloses your keystrokes, can be planted on your computer remotely if the computer is hacked, or by someone with physical access to it. Security software might be able to detect a keylogger. Anti-keylogger utilities are also available online, though we haven’t tested them. A keylogging device (about the size of a battery) can also be attached to your keyboard’s cable.
You still must watch your own practices. If you disclose a password to someone you don’t personally know and trust, or if you write it down but don’t secure the written version, you have exposed your account to unauthorized access.