I recently came across an interesting article that describes how a group of hackers approached a challenge by Ars Technica to crack 90% of 16,499 hashed static passwords in an amazingly short time!

Though I definitely knew about most of the techniques used in the challenge (the article is from 2013), what surprised me was that even seemingly long (16 char) passwords built from very random patterns can be hacked in as little as hours already a few years ago.  This makes it even scarier today where we have faster and cheaper systems that can be used to mimic what was used in the challenge.  The conclusion to draw from this is that long, complex passwords alone do NOT protect you.

Only static passwords combined with OTPs (One-Time Passwords), i.e. two-factor authentication (2FA), stand up to the challenge of keeping your login secure.

The challenge also shows that password manager applications which tout that long complex password launched from a password manager app solves the problem is completely inadequate today.  They really need to be updated to use 2FA to protect internet-reachable assets going forward.

The following list is a summary drawing from the information in the article of why 2FA is needed to protect logins:

  • Even seemingly random 16-char passwords can be broken in a matter of hours with cheap hardware
  • Wordlists and large lists of hacked passwords give even the unsophisticated hacker a base to crack from
  • Salted hashes make it significantly more difficult to crack, but it is just a matter of time to crack even with salt
  • Applied analytics techniques for the most common way to enter passwords (Capital at the start, lower in the middle and symbols and numbers at the end) helped make cracking faster
  • 2FA does not lend itself to attacks described in the article because hackers cannot use brute force or recalculated lists to attack
  • With 2FA, even seemingly weak first-factors (i.e. passwords) become secure when combined with an OTP (One-Time Password)

2FA saves the day once again!