The Firecracker program unveiled at the recent ProHakathon sponsored by Fort Smith-based Propak on May 11 drew heavy attention from onlookers, who expressed conflicting emotions at what they were seeing unfold.
In a carnival-like atmosphere, developers Nathan Voss and Andrew Farney gave “step right up” presentations, inviting visitors to enter a password of their choosing into a program. Visitors were told that a demonstration later in the evening would show live statistics: how many of the entered passwords had been guessed correctly, the success percentage, and the number of guesses it had taken to get there. Visitors whose passwords were compromised would receive a text message as soon as the hardware and software figured it out.
Judged strictly by the ratio of guesses made to passwords compromised, the result would not impress. When the program fired up at the promised time, it ran for several minutes and had compromised only 33% of the passwords entered after more than 4 trillion guesses (yes, trillion with a “T”).
As a batting average, that would not be good enough to make a T-ball team, let alone the Major Leagues. But the video cards powering the program can make 80 billion guesses per second against a list of as many as 1 million users, and at that rate the share of compromised passwords climbs quickly even as the hit rate per guess falls. Furthermore, project director Keenan Adkins states, “We do all the variables, even special characters, numbers, case sensitivity — all that stuff.”
So all that advice, “Include an ‘@’ or a ‘#’, at least one capital letter, and a number when creating your password, and no one will be able to get you that way”? Think again.
Speed is key, and Firecracker has mastered it.
When the program demonstration rolled out last Thursday, it wasn’t long before experiment participants started getting text messages telling them their passwords had been compromised, some arriving in as little as 28 seconds and many within a minute. Gradually, over the course of the one-hour demo, the percentage of passwords compromised grew to 35%, then 40%, then 50%, revealing a startling reality.
The longer the program runs, the greater the likelihood it will compromise a user’s — or group of users’ — passwords. This realization prompted several giggling guests to remark how terrifying the program was, likening it to the cybersecurity equivalent of a nuclear weapon. Adkins’ description of how far Firecracker has come since the team began acquiring hardware in January or building the initial software (in just three days) does little to calm the nerves.
“We’ve improved on it drastically since then,” Adkins said. “For example, we ran it against a list of 500 users and in one week, broke 50 percent. In four weeks, we broke 70 percent. Now we’ve optimized to the point where in three days, we can break 70 percent.”
If you’re thinking, “Great, that’s all we need; hyper-accurate password-cracking software,” Adkins would advise you to not be so sarcastic.
“Look at it as a teaching device,” he explains. “What we’re trying to prove on this are two things: 1) The longer your password is, the better off you are; and 2) Don’t use the same password that you use anywhere else because, if you do, there’s a good chance your password is not secure.”
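To make the two lessons concrete, along with the earlier point that symbol substitutions and capital letters are just more “variables” for the cracker, here is an added example. It is not Propak’s code: the article describes Firecracker’s software and wordlists as proprietary and shows none of it. This Python script is a miniature offline cracker: a handful of dictionary words are run through the kind of mangling rules Adkins describes (case changes, digits, special characters) against a constructed hash dump, and a keyspace calculation shows what the quoted 80 billion guesses per second means for passwords of different lengths. SHA-256 as the hash, the wordlist, the rules and the sample accounts are all assumptions made for illustration; the article does not say what hash format the directory export uses.

```python
import hashlib
import itertools

GUESSES_PER_SECOND = 80e9  # the figure quoted for Firecracker's video cards, taken at face value

# Constructed stand-in wordlist; the real system's lists are proprietary and not shown.
WORDLIST = ["password", "welcome", "summer", "football", "propak"]

# Substitutions and suffixes that "add a symbol and a number" advice produces in practice.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "1!", "#", "2017", "2017!"]


def leet_variants(word):
    """Every combination of leaving a letter alone or swapping in its leet form."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(word):
    """Mangled guesses for one dictionary word: leet x case x suffix, without repeats."""
    seen = set()
    for base in leet_variants(word):
        for cased in (base, base.capitalize(), base.upper()):
            for suffix in SUFFIXES:
                cand = cased + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def digest(password):
    """SHA-256 stands in for whatever hash format the directory export uses (assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(targets, wordlist):
    """Offline attack: hash each candidate and look it up in the dumped hashes.

    targets maps hash -> account label. Returns (label -> recovered password, guess count).
    No network is involved, so lockouts and rate limits never come into play.
    """
    recovered = {}
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            h = digest(cand)
            if h in targets and targets[h] not in recovered:
                recovered[targets[h]] = cand
    return recovered, guesses


def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every string of this length over this alphabet."""
    return alphabet_size ** length / rate


# Constructed sample "dump": account label -> chosen password, hashed before use.
SAMPLE_PASSWORDS = {
    "alice": "P@ssw0rd1",
    "bob": "Welcome2017!",
    "carol": "Summer123",
    "dave": "football",
    "erin": "purple otter reads the newspaper slowly",  # long passphrase, not in any list
}
TARGETS = {digest(pw): label for label, pw in SAMPLE_PASSWORDS.items()}

if __name__ == "__main__":
    recovered, guesses = crack(TARGETS, WORDLIST)
    print(f"{len(recovered)}/{len(SAMPLE_PASSWORDS)} cracked after {guesses} guesses")
    for label, pw in recovered.items():
        print(f"  {label}: {pw}")
    for desc, n, alphabet in [("8 chars, all 95 printable", 8, 95),
                              ("12 chars, lowercase only", 12, 26),
                              ("16 chars, lowercase only", 16, 26)]:
        print(f"  {desc}: {seconds_to_exhaust(n, alphabet) / 86400:.1f} days to exhaust")
```

Run as a script, it recovers four of the five sample accounts in a few thousand guesses: every password built from a word plus a rule falls, and only the long passphrase survives. The arithmetic at the end makes the length point: at 80 billion guesses per second, every 8-character password over the full printable set is exhausted in about a day, 12 lowercase characters take about two weeks, and 16 lowercase characters take thousands of years. Real runs crack most accounts long before exhaustion, as the 33% to 50% in one hour shows, because people choose passwords the wordlists already contain.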
To those worried about what a piece of technology like Firecracker means for the future of cybersecurity, Adkins acknowledges there are risks, and that’s why “we don’t connect it to the Internet, so nobody’s going to be coming in that way.”
“Of course, on the flip side of that, the information we’re running against it is the same information that’s pulled off Windows Active Directory Services. That has the same risk as the Windows Active Directory server, which everyone already has connected to the Internet, so there is no more risk involved than what is already there. But just for peace of mind, it’s like we’re putting everything on a USB, and physically moving it over and plugging in the USB, then we run it and disconnect.”
In other words, to misuse this particular program one would need physical access to the hardware, which makes the odds of abuse slim. The exported credential data carried over on the USB drive is the sensitive part of that arrangement, though, and it needs the same protection in transit and at rest as the directory server it came from.
“Our hope is if we get a long-term engagement with a customer or company doing this, eventually they will get to the point where their passwords are so secure they never have to be changed,” Adkins said.
Never-changing passwords may still be some way off, but Firecracker’s roll-out is not. Adkins told Talk Business & Politics he expected the company to offer a service model to businesses within 60 days, or by July 2017. The price for a one-time engagement will be $5,000, he noted, “and it doesn’t matter how many users you have. It can be 100 or 1 million.”
There will also be an annual subscription model with a monthly analysis, priced at a rate that “would be drastically reduced.” “It’s really designed for a business. It’s not designed for a Mom and Pop,” Adkins said, adding that Firecracker is a program “100 percent-funded” by Propak and was developed entirely on-site at downtown Fort Smith’s Friedman-Mincer building (Propak’s current headquarters). While it’s not the only technology of its kind, no one else is yet offering it as a service.
“Facebook has built their own box. They run it against their own internal data. They don’t offer that to anybody else. It’s their own proprietary stuff,” Adkins explained, adding that hardware (i.e. video cards) can be bought from a store, but “the software is all proprietary to us — the software, all the password lists, everything that runs against it.”
He added: “Are there others? Yes. Are they the same? No. Are they as good? In my opinion, no.”