CynoSure Prime reports that it has cracked the hashes of virtually all 320 million passwords which security researcher Troy Hunt had put on his 'HaveIBeenPwned' website by early August.
The 320 million passwords, compiled from various breaches in which the passwords had been stored in plaintext, were published primarily in the form of SHA-1 hashes. CynoSure Prime says that, “We were able to recover all but 116 of the SHA-1 hashes, a roughly 99.9999% success rate.” The group says that in collaboration with @m33x and @tychotithonus it decided to make an attempt to crack/recover as many of the hashes as possible, and succeeded with pretty much all of them.
It explains online how this was achieved.
Different sources make up Hunt's total tally, and using the MDXfind tool some 15 different hashing algorithms were found to have been used, but most were SHA-1, which was demonstrated to have been broken in February this year. Most of the actual passwords are between seven and 10 characters long.
The hashes were also found to include junk data, in some cases including usernames, but Hunt was reported as telling The Register that he is working with CynoSure Prime's data to purge it from the hashed lists hosted at HaveIBeenPwned.
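As an added illustration of the defensive side of this story (example code, not the article's or CynoSure Prime's own), the block below checks a candidate password against a locally held SHA-1 list in the uppercase-hex form Pwned Passwords publishes, and then stores the password with a salted, iterated KDF rather than a bare SHA-1, so a leaked table cannot be recovered the way these 320 million were. The two corpus entries and the iteration count are constructed values chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed mini corpus in the Pwned Passwords format: uppercase hex SHA-1
# digests of breached passwords (these two are sha1("password") and sha1("123456")).
BREACHED_SHA1 = {
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8",
    "7C4A8D09CA3762AF61E59520943DC26494F8941B",
}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, as used for breach lookups only."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_breached(password: str, corpus=BREACHED_SHA1) -> bool:
    """Registration-time check: reject any password that appears in the breach corpus."""
    return sha1_hex(password) in corpus


def store_password(password: str, iterations: int = 600_000) -> dict:
    """Store with PBKDF2-HMAC-SHA256, a per-user random salt and a high iteration count.
    Unlike a bare SHA-1, each guess costs the attacker `iterations` hash calls and the
    salt prevents one precomputed table from covering every user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_password(password: str, record: dict) -> bool:
    """Recompute under the stored salt/iterations and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "breached:", is_breached(candidate))
    rec = store_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", rec))
```

In production the SHA-1 breach lookup should be done against the full downloaded list or the k-anonymity API, and the bare SHA-1 must never be what is stored for the account.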
Despite the size of the password compromise, it's not as bad as it first appears for the future of passwords, suggests Dr Jamie Graves, CEO & Founder, ZoneFox, who emailed SC to comment: "CynoSure Prime's latest (and frankly gargantuan) reversal of password hashes serves as a timely reminder of the issues facing their use. Invented during a simpler time, it's understandable why some may argue that the humble password no longer belongs in a world rife with cyber-crime that has outgrown its sophistication. However, rather than being tossed aside completely, passwords still have a pivotal role to play when combined with other layers of security within a two or multi-factor approach – a practice being well implemented by the likes of Google and Facebook. They have essentially made the password the first layer of defence, supported by more sophisticated techniques, such as an IP listing and two-factor authentication, whereby a message is sent to a user to alert them to account access from an unknown machine."
He adds, “There is also the ability to use machine learning and similar techniques to protect data further – providing a real-time 360-degree overview of what activities users are carrying out – which can identify and alert IT administrators to unusual behaviour on IT networks. It is these kinds of trends that need to grow in popularity - like many elements of our increasingly digital world, password security needs to adapt, rather than disappear."