Cracking Tough Passwords Appears Just Too Easy
engine
msg:4578655
5:09 pm on May 28, 2013 (gmt 0)

When reading this article, it makes me wonder, what's the point of spending time on a password?

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.
Cracking Tough Passwords Appears Just Too Easy [arstechnica.com]

 

lucy24
msg:4578704
7:02 pm on May 28, 2013 (gmt 0)

I got stuck on
momof3g8kids

--cited at least three times, so it can't be a typo. I guess it means that misspelling a password doesn't make it any more secure.

Leosghost
msg:4578712
7:25 pm on May 28, 2013 (gmt 0)

g8kids..

We used to call them "latchkey kids"..:)

lucy24
msg:4578800
11:43 pm on May 28, 2013 (gmt 0)

Dang. I would never have thought of that. Britishism maybe? (But if so, wouldn't she have said "Mum"?)

I once used "open" as a password. It was perfectly safe and appropriate for the specific purpose :)

cmendla
msg:4579045
2:33 pm on May 29, 2013 (gmt 0)

From what I recall, there are reversible and one-way hashes.. One-way hashes should not be recoverable.

(PLEASE correct me if I am wrong on this)

However, a dictionary attack could break a one-way encrypted password.

Suppose your password is fido and that gets encrypted as (*#&$#(87

There is no way to restore the gibberish to fido.

However, if you build a list of all possible words and run those through the same encryption algo, then you will have a list with the encrypted (*#&$#(87 being in the table. So, if your list has all the possible words and combos of words, then you can crack the password.

Now, people start getting smart and use a 'tough' password.. i.e. F!d() That could encrypt to something like #&^#*&$^#*

Now you can brute force this with either a massive dictionary or just an app that does a brute force, i.e. trying every character and combo of characters, running it through the one-way encryption, then matching that against the encrypted hash you are trying to crack.

A couple of years ago that would have been a nightmare. However, with zombie botnets out there, you could hand that job off. Thousands of hacked machines working on the problem on a distributed basis would work eventually.

I suppose we will start moving toward dongles or some other 2-part authentication

chris

Leosghost
msg:4579049
3:06 pm on May 29, 2013 (gmt 0)

When they have discredited every other method..they'll spring the surprise.. "DNA based authentication"..

for everything..

from Gmail and facebook to receiving your pension..or even combine DNA authentication with implanted NFchips or NF magnetic data holding tattoos..

Of course it will only work with "live" DNA ..or chip or tattoo carriers..to avoid "spare parts" fraud..

And there will be a market in stolen live tissue samples..etc etc ..

Lapizuli
msg:4579059
3:33 pm on May 29, 2013 (gmt 0)

Yes, passwords will stop being cracked when the second law of thermodynamics reverses...or the opposite happens and the universe is just a sea of random stuff. I think I'm happy passwords can still be cracked...

cmendla
msg:4579060
3:36 pm on May 29, 2013 (gmt 0)

Based on some of the browser caches I've seen on clients' machines, I'd guess there is a boatload of DNA on keyboards and mice alone.

(going to wash my brain out with Clorox now)

Dideved
msg:4579231
10:17 pm on May 29, 2013 (gmt 0)

If it makes everyone feel better, the password list was easy to crack largely because the security measures were poor. No salting and no iterations.
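
To make cmendla's description of table and brute-force attacks on one-way hashes and Dideved's point about salting and iterations concrete, here is an added Python example; it is not code from the thread or from the Ars article. It stores the thread's sample passwords under a plain unsalted hash (SHA-1 here, chosen as the stand-in for "no salting and no iterations") and under a salted, iterated PBKDF2-HMAC-SHA256 scheme, with an assumed `iterations$salt$digest` record format, and shows why one lookup table exposes every account sharing a password under the first scheme but none under the second, and how much more each guess costs.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts; "fido" and "momof3g8kids" are passwords the
# thread mentions. Two accounts deliberately share a password.
ACCOUNTS = {"alice": "fido", "bob": "fido", "carol": "momof3g8kids"}

def weak_hash(password):
    """The scheme the thread describes: plain SHA-1, no salt, no iterations.
    Equal passwords give equal digests, so one table built once matches all."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_hash(password, salt=None, iterations=200_000):
    """Salted and iterated: PBKDF2-HMAC-SHA256, random 16-byte salt.
    Stored as 'iterations$salt$digest' (hex), an assumed record format,
    so verify() can read the parameters back."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify(password, stored):
    """Recompute with the stored salt and count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def accounts_sharing_a_digest(accounts, hasher):
    """Accounts whose stored value equals another account's stored value.
    weak_hash: every user on a shared password; strong_hash: always 0."""
    stored = {u: hasher(pw) for u, pw in accounts.items()}
    return sum(1 for u, h in stored.items()
               if any(h == h2 for u2, h2 in stored.items() if u2 != u))

def guesses_per_second(hasher, seconds=0.2):
    """Rough single-core rate at which this process can hash candidate words.
    The weak/strong ratio is the per-guess slowdown the iteration count buys."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hasher("candidate%d" % n)
        n += 1
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    for name, h in (("weak", weak_hash), ("strong", strong_hash)):
        print(name, accounts_sharing_a_digest(ACCOUNTS, h), "accounts exposed by one table")
    ratio = guesses_per_second(weak_hash) / guesses_per_second(strong_hash)
    print(f"each guess against the strong scheme costs ~{ratio:,.0f}x more")
```

The rate ratio is only a rough single-process figure; the point it illustrates is that the iteration count, not the salt, is what makes each guess expensive, while the salt is what stops one table from serving many accounts.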

Leosghost
msg:4579236
10:39 pm on May 29, 2013 (gmt 0)

Glad you told us that.."the children were startled"..:)..do you have an ebook ? ..

Dideved
msg:4579255
11:38 pm on May 29, 2013 (gmt 0)

Glad you told us that.."the children were startled"..:)..do you have an ebook ? ..


I'm actually very glad you found it obvious. I can only hope that everyone found it obvious. Unfortunately I still encounter developers who implement security but don't know about these techniques. Sadly, even big companies with vast resources sometimes don't know. It's usually worth repeating to be sure. :)

Leosghost
msg:4579260
11:49 pm on May 29, 2013 (gmt 0)

I agree with Birdbrain's most recent post..

and..

Glad you are "looking out for all of us"..... :)

lucy24
msg:4579270
12:08 am on May 30, 2013 (gmt 0)

I agree with Birdbrain's most recent post.

C'mon, give us a hint. Did the moderators disagree so vigorously that it was promptly deleted-- or do you have multiple windows open concurrently again?

Leosghost
msg:4579272
12:20 am on May 30, 2013 (gmt 0)

C'mon, give us a hint. Did the moderators disagree so vigorously that it was promptly deleted
'Tis here ..just a short step through the wood to the pool..
[webmasterworld.com...]

or do you have multiple windows open concurrently again?

always..how else would one sip..to do otherwise one might become entrapped by ones own reflection..or the moon..

frontpage
msg:4579543
5:06 pm on May 30, 2013 (gmt 0)

It's great to have hashes, yet if you get locked out after 3-5 incorrect password attempts, it kind of defeats the whole 'the sky is falling'.

diberry
msg:4579557
5:39 pm on May 30, 2013 (gmt 0)

Of course it will only work with "live" DNA ..or chip or tattoo carriers..to avoid "spare parts" fraud..

And there will be a market in stolen live tissue samples..etc etc ..


Glad I wasn't sipping my coffee when I read this!

Dideved
msg:4579559
5:51 pm on May 30, 2013 (gmt 0)

It's great to have hashes, yet if you get locked out after 3-5 incorrect password attempts, it kind of defeats the whole 'the sky is falling'.


For our Web UI, that's definitely a security feature to consider. Password hashing is most relevant when the database is exposed.

Sgt_Kickaxe
msg:4579598
7:26 pm on May 30, 2013 (gmt 0)

DNA based security


I think that should be added to this list of unethical human experimentation in the United States [en.wikipedia.org...]

[edited by: Sgt_Kickaxe at 7:36 pm (utc) on May 30, 2013]
