How Does Eliminating Passwords Equal More Security?

At first glance, the idea of eradicating passwords sounds ludicrous. How would we unlock our phones? How would we get into our social media accounts? How would our computers protect our personal info? The thought of getting rid of password protection goes so far beyond this, too: What about big companies responsible for safely and securely and privately storing our data? Or the world’s banks tasked with protecting the world’s financial info? How could a future without passwords somehow be safer? It all comes down to some tricky wording.

You see, getting rid of passwords doesn’t mean getting rid of protection — It actually means increasing that protection and making it more impenetrable than ever before. That’s because the movement is less about getting rid of protection and more about improving it to make it safer. This includes everything from a shift to passphrases instead of passwords, implementing two-factor or multi-factor authentication that requires additional info in order to allow users to log in, and moving toward physical security keys instead of passwords.

Why WebAuthn Has Been Pushing For a Passwordless Future for Years Now

While Bill Gates alluded to a passwordless future all the way back in 2004, Microsoft isn’t the one that started leading the charge as of late: WebAuthn is actually to thank for this. Formally known as Web Authentication API, WebAuthn relies on asymmetric cryptography instead of passwords to grant users access to their device or profile. Your device transmits a digital “signature” unique to you, and then WebAuthn verifies your identity — all without ever having to enter a password of any kind. Many tech companies currently use WebAuthn as a second factor, used in conjunction with a password for an added layer of super security, but it seems that the hope is for it to become much more than just an added measure sooner rather than later.

Thanks in part to WebAuthn’s innovation on this front, experts predict over 60% of the world’s largest and most elite companies and 90% of the world’s midsize businesses will have gone passwordless by 2022. That’s less than a year from now, which means that there’s about to be a lot of change happening in the very near future. It explains why Apple is now joining Google and Microsoft in pushing for passwordless devices across the board.

Apple’s Latest Update Brings Them Up to Speed With Google and Microsoft

While Google and Microsoft have already taken steps to become less reliant on passwords with their devices, Apple’s iOS 15 and macOS Monterey are expected to bring the company’s ever-popular phones and computers up to the competition’s level by embracing WebAuthn standards. It’s called Passkeys, and it’s going to remove the need to ever create a password to log into an app or a website.

Explaining the feature further in their latest presentation back in June, Apple engineers said that the new feature only requires a username, then can save your Face ID or Touch ID as a Passkey instead of typing in a password. This is similar to the Keychain feature that allowed users to manage their passwords with a passcode, Face ID, or Touch ID, but it takes it a step further by eliminating the password altogether and relying solely on that Face ID or Touch ID. This is comparable to Microsoft’s Authenticator app and Google’s FIDO2 (or Fast Identity Online).

What’s Next for Passwords?

Even with all this movement toward a passwordless future, it’s hard for some to imagine a future completely devoid of all passwords. The problems with passwords are almost universally known at this point: They’re easy to crack, they’re easy to lose, they’re easy to reuse, and they’re easy to steal. However, they’ve been the standard for decades now — comprehending a future without them is hard, and it’s no doubt going to create some resistance from users who just aren’t willing to embrace.

Still, when has user reluctance ever stopped a company from innovating? With such a united front at this point, it’s improbable that companies would suddenly turn away from the direction of a password-free future just because some are unwilling to go with the flow. Passwords are being phased out by tech companies whether us users are ready for it or not. It’s not going to happen overnight, but in just a few years’ time, it wouldn’t be outlandish to look back on this time in technology’s history and remember being on the brink of a passwordless existence. Think of it this way: If it results in fewer attacks, less stolen information, and increased security across the board, then it’s a change that is no doubt for the best.

The post Are We Moving Toward a Future without Passwords? appeared first on Datarecovery.com.

As more and more components of our daily life move from the real world to the internet, the value of security cannot be overstated. Each new innovation we embrace — from Zoom to TikTok to the latest video game system — comes with a username and password that joins the ranks of our dozens of other usernames and passwords, and odds are, each individual login in a person’s deck of passwords probably resembles the others in at least some shape or form. It’s not necessarily a bad thing (if your password is secure, that is) — after all, common variations on the same password is how people remember their login info.

But, if just one of those passwords were to leak, it’s possible that every single one of a person’s passwords could be compromised as a result. Imagine the threat a leak of 8.5 billion passwords would pose. It’s our current reality, and you might not have even heard of it. Hackers called it RockYou2021, and the few who reported on it treated it like a game-changing security threat the likes of which we’ve never seen before. Is this an overreaction? Was RockYou2021 really that bad if none of us even heard about it? Let’s separate the truth from the fiction.

RockYou2021: What Happened?

When news of RockYou2021 first broke at the start of June, 2021, it was immediately dubbed “the largest password leak in the history of the internet,” far surpassing the earlier RockYou leak of 2009 that included over 32 million passwords. Originally, RockYou2021 was said to include 82 billion passwords — in reality, the number is about 1/10th of that: 8.459 billion passwords. To be clear, at over 250 times the size of RockYou2009, this is still a remarkable number of passwords to be leaked.

RockYou2021 was posted as a 100 GB text file on a very popular (unnamed) online forum for hackers. Each of the nearly 8.5 billion passwords is between 6 and 20 characters long, with all white spaces and non-ASCII characters removed from the text. Large collections like these allow for hackers and cybercriminals to do what’s known as “password spraying,” which involves trying a great many number of usernames and passwords in a very short amount of time in order to gain access to an account.

How RockYou2021 Compares to Password Leaks of the Past

Some of the biggest password leaks of the past include the aforementioned RockYou data breach of 2009, the Compilation of Many Breaches (COMB) of February 2021, and Breach Compilation of 2017. Passwords in the billions were leaked in each of these breaches combined, but they all share one thing in common (RockYou2021 included): They’re actually a collection of countless smaller leaks put into one large document.

With this, RockYou2021 is simply an enormous compilation of other leaks, COMB included — this February breach alone accounts for over 3 billion of RockYou2021’s 8.5 billion passwords. This doesn’t make it any less of a potential threat, but it definitely helps bring some context to the sheer size of these leaks: As it turns out, many of these enormous password breaches are simply reusing past information and including it in newly-named leaks in an attempt to fluff them up and make them seem more menacing. It’s all about optics, and a claim like “8.5 billion passwords” is destined to generate buzz, even if nearly half or more of those 8.5 billion have already been leaked in the past.

What the Leak Actually Consists Of

We know that this leak is comprised of many leaks of the past, but what about the other billions of passwords? Where did they come from? As it turns out, after some thorough investigating, the bulk of RockYou2021 is actually just a collection of many different cracking dictionaries. These cracking dictionaries consist of commonly used and easy-to-guess passwords that are used in password spraying attacks. To be clear, these aren’t necessarily passwords tied to anyone specific, but rather passwords that are commonly used by many different accounts.

This means that, ultimately, RockYou2021 is actually nothing new: It’s repackaged leaks of the past and cracking dictionaries under a new name in an attempt to look more threatening than it actually is. These aren’t 8.5 billion passwords taken from individuals by skilled hackers like thieves in the night, but rather a compilation of the work of other hackers and cybercriminals of the past. If it were a movie, it’d be an extended edition re-release chock full of deleted scenes.

How to Keep Your Passwords From Leaking

This isn’t to say that RockYou2021 shouldn’t be taken seriously, especially if one of your simple passwords is included in the text file. Thankfully, your best line of defense is also the simplest one: Change your password so that it’s impenetrable. Cracking dictionaries and the like depend on basic, easy-to-guess passwords like “Summer2021!” or “Password123!” in order for cybercriminals to gain access to any and all accounts they can get their hands on.

If your password is a complex and impossible-to-guess combination of letters, numbers, and symbols — like the passwords provided and stored securely by a password manager — then you probably won’t have to worry about being compromised anytime soon. Your first line of defense against hackers and cybercriminals is also the best line of defense: Change your password often, keep it complex, and store it securely in your preferred password manager.

The post Nearly 8.5 Billion Passwords Were Leaked Online. Here’s Why It Might Not Be as Bad As It Seems appeared first on Datarecovery.com.

The past year has seen popular cryptocurrency Bitcoin (BTC-USD) go from just over $9,000 back in May of 2020 to well over $60,000 in April of 2021 down to under $40,000 the following month. This came as quite the shock to cryptocurrency investors, especially ones who had gotten in on the ground floor of Bitcoin a decade prior and now had plenty to reap as a result of their patience over the years.

Bitcoin’s not the only one to see a massive boom in the past twelve months, either. Dogecoin (DOGE-USD), Ethereum (ETH-USD), Cardano (ADA-USD)… the list of cryptocurrencies with massive potential earnings for early investors goes on and on. Each new cryptocurrency creates a unique new opportunity for those willing to wait years and years down the line to cash out.

This sit-and-wait strategy has created one major problem in recent months, and it’s one that’s proving to be a huge hurdle for cryptocurrency investors trying to access the coins they purchased years prior: the issue of lost or forgotten passwords. According to a Datarecovery.com, Inc. report, it’s responsible for an estimated 90% of cryptocurrency loss. This simply won’t do, especially when a lost password is all that’s standing between you and huge returns. But what can you do?

The Fast-Paced Nature of Cryptocurrency

One thing that all this cryptocurrency boom has proven in the past year or so is that crypto doesn’t work like the New York Stock Exchange — not by a long shot. In addition to being traded all hours of the day and night, cryptocurrency can shoot to a record high and then dip to a new low in the blink of an eye. This fast-paced rising and falling seems to be the definition of cryptocurrency in 2021.

Take, for example, the day Tesla and SpaceX entrepreneur Elon Musk took the stage over at NBC’s Saturday Night Live on May 8th of 2021. A longtime and infamous purveyor of cryptocurrency like Bitcoin and Dogecoin and so-called “meme stocks” like AMC Entertainment (AMC) and GameStop (GME), Musk’s hosting was expected to take the price of Dogecoin to $1 USD. The crypto had just hit $0.71 early that same morning, so the projected leap wasn’t too outlandish — especially considering it had risen from around $0.001 in the year leading up to that point. Anything seemed possible.

By the end of the night, Dogecoin had dropped to nearly $0.45 instead of rising to $1. Musk and countless other crypto investors had lost billions, only for the crypto to rise back up to $0.55 later in the week, then drop down to $0.35 the week after. These unpredictable peaks and valleys are inherent to cryptocurrency, and not having the password to your cryptocurrency wallet will only make those highs and lows painful to watch.

The Frustration of a Lost Password

Take the story of German programmer Stefan Thomas, whose 7,002 bitcoins could have earned him nearly half a billion dollars if not for the fact that he was locked out of his cryptocurrency wallet after too many incorrect password attempts. He’s not alone in his agony, either: Reports of people going dumpster diving, digging through city dumps, and scouring storage units for hard drives in hopes of them having the key to bitcoin fortunes have been abundant in 2021. And to think: all this frustration because of lost passwords.

If you’ve lost the password to your cryptocurrency wallet, before you do anything, you should consider contacting an expert to help you recover your password.

What to Do if You’ve Lost Your Password and Need to Access Your Cryptocurrency

No matter if you’ve invested in Bitcoin, Dogecoin, Ethereum, or some other up-and-coming coin that has now reached the point of major payoff, a lost password is not something to take lightly. The password experts at Datarecovery.com have seen many instances of lost passwords and have helped to recover millions in cryptocurrency once considered lost for good. They can do the same for your lost password or wallet in just a matter of days. From something as serious as accidental deletion to something as unpredictable as hardware failure, the highly trained engineers at Datarecovery.com have utilized their expertise across dozens of varieties of cryptocurrencies to recover passwords and get the funds back in the hands of the investors.

To learn more, contact Datarecovery.com to get a free quote today.

The post Lost Passwords Responsible For an Estimated 90% Of Cryptocurrency Loss According to Datarecovery.com, Inc. Report appeared first on Datarecovery.com.

At Datarecovery.com, we frequently recover lost passwords for everything from Word documents and RAR files to encrypted Linux volumes (LUKS encryption) and Bitcoin wallets. Our customers often ask about our methods; do we simply try every possible password, or is there more to it?

To put it simply: There’s more to it. Password recovery services require a solid understanding of the various possible password cracking methods used in modern cryptography. Our engineers work with our clients to choose an appropriate methodology, then use dedicated equipment to complete the crack as efficiently as possible.

Some of the common password cracking methods used by software password cracker tools such as hashcat are listed below. For more information or to discuss password recovery services, call 1-800-237-4200 to speak with a specialist.

Brute-force attack – A brute-force attack exhaustively tries every possible combination of letters, numbers, and symbols to crack a password. It’s the simplest way to crack a password, but also the most ineffective, since it wastes a lot of time making unlikely guesses.

Most types of encryption effectively prevent a brute-force attack by using hashing algorithms to slow down password entry. Longer passwords can also defeat this technique. For example, a brute-force attack might take 5 minutes to crack a 9-character password, but 9 hours for a 10-character password, 14 days for 11 characters, and 3.9 years for 12 characters.

While we have specialized hardware that allows for extremely fast brute-force cracking, this technique is rarely effective.

Dictionary attack – The name says it all: A dictionary attack enters every word in a dictionary as a password. This removes some of the randomness of a brute-force attack, reducing the amount of time needed to find the password—provided that the password is in the dictionary, of course.

Note that “dictionary” doesn’t literally refer to a simple English dictionary; the entries in a cryptography dictionary may include common substitutions (for instance, “4pple” for “apple”) and numeric entries.

A common example is a rainbow-table attack. A rainbow table is essentially a dictionary optimized for common hash values as well as passwords. A rainbow-table attack is, therefore, a dictionary attack, but with a specialized dictionary optimized for the cracking attempt.

Combinator attack – This attack appends dictionary entries to other dictionary entries. It’s effective because users often choose passphrases that combine a few common, easy-to-remember phrases, for instance “password123.”

Let’s say that the dictionary for a combinator attack has the words “dog” and “cat.” The combinator would try “dogcat” and “catdog” as possible passwords. A combinator attack can be extraordinarily effective at cracking user-generated passphrases, but it’s not too effective for cracking machine-created passphrases.

Fingerprint attack – This is a fairly new type of attack, and its method is fairly sophisticated. It breaks possible passphrases down into “fingerprints,” single- and multi-character combinations that a user might choose. For the word “dog,” the technique would create fingerprints including “d,” “o,” “g,” along with “do,” and “og.”

This can be an especially effective attack when a user remembers part of a password. However, due to its sophistication, it requires extraordinary computing power.

Hybrid attack – This is a blend of a dictionary and a brute-force attack. It makes a dictionary attack stronger by placing a string of brute-force characters to the beginning or end of the dictionary entries.

For instance, “software” might be appended with “software001,” “software002,” “001software” and so on.

Mask attack – Similar to a brute-force attack, but with rules to reduce the number of errant entries. It’s extremely useful if some of the characters are known, or if character types are known. For instance, if a user knows that his password has a capital letter at the beginning and three numbers at the end, the mask attack would be far more effective than a simple brute-force attack. The masks are often generated by the password cracker.

Permutation attack – A permutation attack uses a dictionary, but each entry in the dictionary also generates permutations of itself. For the word “dog,” a permutation attack would create the candidates “god,” “ogd,” “odg,” “gdo,” and “dgo.”

PRINCE attack – Stands for “PRobability INfinite Chained Elements.” The PRINCE attack uses an algorithm to try the most likely password candidates with a refined combinator attack. It creates chains of combined words by using a single dictionary.

Rule-based attack – As the name implies, a rule-based attack uses rules to eliminate possibilities. It’s one of the more complex types of attacks, but the possibilities are effectively endless. A password recovery engineer could create any criteria necessary to weed out unlike or impossible guesses.

Table-Lookup attack – Each word in a dictionary generates masks for a mask attack while creating new words by consulting a table. Simply put, it’s effective for guessing passwords when the user replaced one or more characters with numbers or symbols (for instance, “m$ney” instead of “money”).

Toggle-Case attack – This attack creates every possible case combination for each word in a dictionary. The password candidate “do” would also generate “Do” and “dO.”

If you’ve lost your password or if you need access to an encrypted file that you legally own, Datarecovery.com can help. Call us at 1-800-237-4200 to get started.

The post Cracking Passwords: 11 Password Attack Methods (And How They Work) appeared first on Datarecovery.com.