Before I say anything on this post, I hereby urge you to change your VyRT password immediately, as well as any services that shares a same password with it, NOW! Read on to see why.
This is going to be the most disturbing part of this series on VyRT hacking. Brace yourself when reading.
After the hacker dumped the database of VyRT, they can start dwelling in their lair of evil and start figuring out your passwords. If you are technologically savvy you may start to think that it would take them forever to figure out those securely hashed passwords one by one. No, think again before proceeding.
Speed of Commodity Hardware (or Password Strength)
Websites store passwords in irreversibly encrypted forms now, called hashes. However this does not really protect your password from hackers cracking it too well.
I ran a quick test with John the Ripper on my 3-year-old MacBook Pro, and it can calculate about 7.9 million SHA-1 hashes, which is pretty common on websites to encrypt passwords, every second.
However there are about 6.63e15 8-character passwords that can be typed out of an US keyboard, hence it takes a little shy of 26 years and 7 months to go through all of them using my computer. I chose 8-character password as it is a minimum requirement for most websites. A 6-character password can be cracked, usually under a day on my computer.
However we usually do not include special symbols in our passwords. This reduces the 8-character password count to 2.18e14 and hence the cracking time to about a year.
A lot of us don’t even bother to use capital letters. This turns into 2.82e12 8-character passwords and me not turning off my computer for a little more than 4 days.
For those that don’t even bother using letters, cracking a 8-digit password on my computer takes mere 12.66 seconds based on my benchmarks.
And due to the very nature of this brute-force method of cracking passwords (called embarrassingly parallel problems) throwing more equipment at this problem brings significant improvement on cracking speeds, every processor core, every GPU counts. I have a workstation with a processor as powerful as my laptop but a GPU that is 1000+ times as powerful, so if I throw the problems above at that workstation the 26-year job on my laptop finishes in 10 days.
Hackers Don’t Have to Go Through Them One by One!
When their workstations churned out a hash, they can mark everyone with this password hash as cracked, no matter whether this is really your password or not. This is leveraging a phenomenon called hash collision. Those hashes are supposed to generate a unique result for every password input, but there are chances that two passwords get hashed into the same result.
So they just need to go through the entire cracking once, and they can recover all passwords. With their state-of-the-art workstations with 4 processors 30+ times faster and 4 GPU’s that is 30000+ times faster (!!!) than my slouchy years old laptop, your passwords may be recovered by hackers in minutes or even seconds.
So, go change your passwords, now!