Advanced Password Cracking Countermeasures

The document discusses various countermeasures against advanced password cracking, including using long random passwords stored in a password vault, diceware passphrases, adding a password pepper in addition to a salt, filtering against dictionary passwords, and advanced multi-factor authentication methods like Universal 2nd Factor authentication.


Advanced Password Cracking Countermeasures

When you look at the level of sophistication of the advanced password cracker, things might look bleak. Defenders aren't without hope, though. There are a number of different measures you can put in place to help protect you even against advanced password cracking techniques.

Diceware Passphrases

If you are faced with an attacker that uses the entire Internet as a dictionary, you have to modify your approach. The simplest approach is to use a password vault to store all of your passwords and use the vault to generate long, unique, truly random strings for each site. Then pick a strong passphrase to unlock your password vault that would not show up on the Internet. This means that song lyrics and the like are out. If you have trouble coming up with a good passphrase that meets these restrictions, you could try the diceware approach. This approach to passphrase generation was first described in 1995 and assigns a five-digit number, each digit from one through six, to every entry in a large list of short English words you can download from the site. You then decide how many words you want in your passphrase (six words are recommended) and roll a die five times for each word in the passphrase. Since the words are chosen completely at random and placed in a random order, the passphrase is incredibly hard to crack but is still something you can memorize with some effort.

http://world.std.com/~reinhold/diceware.html
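The diceware procedure described above, as an added example that is not part of the original text or of the Diceware project: five dice rolls are read as a base-6 number to index the word list, words are drawn with the operating system's CSPRNG instead of physical dice, and the entropy of the result is computed from the list size. The eight-word list here is constructed for the demonstration; the real list has 6^5 = 7776 entries, so the remaining indexes are filled with placeholder strings.

```python
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # 7776 entries in the real Diceware list

# Constructed stand-in for the downloadable list: a few real-looking words at the
# start, placeholders for the rest so every roll from 11111 to 66666 maps to something.
_SAMPLE_WORDS = ["abacus", "cliff", "dune", "ember", "fjord", "glass", "harbor", "ivory"]
WORDLIST = [
    _SAMPLE_WORDS[i] if i < len(_SAMPLE_WORDS) else f"word{i:04d}"
    for i in range(LIST_SIZE)
]


def roll_to_index(rolls):
    """Map five dice values (1..6 each) to a 0-based list index.

    The Diceware list is ordered by the roll read as a base-6 number:
    11111 is the first entry and 66666 the last.
    """
    if len(rolls) != ROLLS_PER_WORD or any(not 1 <= r <= DICE_SIDES for r in rolls):
        raise ValueError("need exactly five dice values between 1 and 6")
    index = 0
    for r in rolls:
        index = index * DICE_SIDES + (r - 1)
    return index


def roll_to_key(rolls):
    """Render the roll the way it appears in the printed list, e.g. '31425'."""
    return "".join(str(r) for r in rolls)


def roll_die(rng=secrets.randbelow):
    """One die roll. secrets.randbelow is a CSPRNG; rng is injectable for tests."""
    return rng(DICE_SIDES) + 1


def generate_passphrase(word_count=6, rng=secrets.randbelow, wordlist=WORDLIST):
    """Roll five dice per word and join the looked-up words with spaces."""
    words = []
    for _ in range(word_count):
        rolls = [roll_die(rng) for _ in range(ROLLS_PER_WORD)]
        words.append(wordlist[roll_to_index(rolls)])
    return " ".join(words)


def passphrase_entropy_bits(word_count, list_size=LIST_SIZE):
    """Entropy of a uniformly chosen passphrase: word_count * log2(list_size)."""
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"six words from {LIST_SIZE} entries: {passphrase_entropy_bits(6):.1f} bits")
```

Six words from the full list give about 77.5 bits, which is the figure to compare against an attacker's guessing budget; the security comes entirely from the uniform random selection, not from the words themselves being obscure.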

Password Peppers

It's no longer unusual for a hacker to compromise a site, or even to dump the database. These days it's more common for the full database, including hashed passwords, to be dumped to the public Internet. While it's more common (and in some cases required) to protect password hashes with a salt, that salt is stored alongside the password hash, so it still ends up being exposed in a database dump. Crackers can't use rainbow tables against salted hashes, but they can still brute force them and apply other techniques.

Some defenders are adding an additional layer of defense to their password hashes to protect them even in the case of a database dump. In addition to a salt, some defenders are choosing to also add a pepper to their hashing algorithm. Like a salt, a pepper is another constant string (usually a large random value) you add with the salt to the password input when computing the hash. Unlike the salt, the pepper is stored outside of the database, sometimes hard-coded into the application code itself. The idea here is that there are a number of different common attacks that expose the database but don't necessarily compromise the application code itself (for instance, a SQL injection that allows the attacker to copy the full database). In those circumstances the attacker would be able to see the salt, but without the pepper, they would not be able to brute force the password hashes. To get the pepper they would have to move past an attack like a SQL injection to something that exploited the application itself so they could read that constant.

Dictionary Password Filters

Another common approach to protect user passwords is to check whether a password is in the English dictionary before you accept it. Many password authentication systems support adding a dictionary the system can reference before accepting a password. Since password crackers have access to huge, widely available dictionaries of commonly used passwords like the RockYou database, why not add those to your own dictionary of bad passwords? A regular Internet search for "password cracking dictionary" should give you a good start. Now when a user submits a new password, in addition to checking that it meets your site's password policy, you can check whether it's present in your bad password list and if so, reject it. This not only discourages users on your site from reusing passwords, it makes password crackers have to work that much harder to break into your site.

Advanced Multi-Factor Authentication

In the previous section we discussed some of the most common methods for two-factor authentication. While each of those methods has its strengths and weaknesses, the most convenient methods tend to be the least secure. Most recently a new two-factor standard called Universal 2nd Factor (U2F) has been developed that aims to provide a secure method of "something I have" authentication that's also convenient. This approach to authentication was started by Google and Yubico (maker of the Yubikey, a device that implements this standard) but is now an open authentication standard that is starting to see wider use among large security-focused tech companies including Google, Dropbox, Github, Gitlab, Bitbucket, Nextcloud, and Facebook, among others.

In the case of U2F, the "something you have" happens to be a small electronic device that looks like a USB thumb drive and is designed to be used with a USB port. After you authenticate with a password on a computer, you insert your U2F device into the USB port and press a button on it, which generates a cryptographic proof unique to that particular key and communicates it over USB to your application. Once you are done you can remove the U2F device and put it back in your pocket. This provides similar security to a hardware TOTP key, in the sense that an attacker needs to physically steal the U2F device from you, but with similar convenience to a push notification: instead of having to type in a code that changes every 30 seconds, you can just insert the device and push a button.
