
Cracking Tough Passwords Appears Just Too Easy

engine

5:09 pm on May 28, 2013 (gmt 0)

When reading this article, it makes me wonder, what's the point of spending time on a password?

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Cracking Tough Passwords Appears Just Too Easy [arstechnica.com]

lucy24

7:02 pm on May 28, 2013 (gmt 0)

I got stuck on
momof3g8kids

--cited at least three times, so it can't be a typo. I guess it means that misspelling a password doesn't make it any more secure.

Leosghost

7:25 pm on May 28, 2013 (gmt 0)

g8kids..

We used to call them "latchkey kids"..:)

lucy24

11:43 pm on May 28, 2013 (gmt 0)

Dang. I would never have thought of that. Britishism maybe? (But if so, wouldn't she have said "Mum"?)

I once used "open" as a password. It was perfectly safe and appropriate for the specific purpose :)

cmendla

2:33 pm on May 29, 2013 (gmt 0)

From what I recall, there are reversible and one way hashes.. One way hashes should not be recoverable.

(PLEASE correct me if I am wrong on this)


However, a dictionary attack could break a one way encrypted password.

Suppose your password is fido and that gets encrypted as (*#&$#(87

There is no way to restore the gibberish to fido.

However, if you build a list of all possible words and run those through the same encryption algo, then you will have a list with the encrypted (*#&$#(87 being in the table. So, if your list has all the possible words and combos of words, then you can crack the password.

Now, people start getting smart and use a 'tough' password.. i.e. F!d() That could encrypt to something like #&^#*&$^#*

Now you can brute force this with either a massive dictionary or just an app that does a brute force, i.e. trying every character and combo of characters, running it through the one way encryption, then matching that against the encrypted hash you are trying to crack.

A couple of years ago that would have been a nightmare. However, with zombie bot nets out there, you could hand that job off. Thousands of hacked machines working on the problem on a distributive basis would work eventually.

I suppose we will start moving toward dongles or some other 2 part authentication

chris

Leosghost

3:06 pm on May 29, 2013 (gmt 0)

When they have discredited every other method..they'll spring the surprise.. "DNA based authentication"..

for everything..

from Gmail and facebook to receiving your pension..or even combine DNA authentication with implanted NFchips or NF magnetic data holding tattoos..

Of course it will only work with "live" DNA ..or chip or tattoo carriers..to avoid "spare parts" fraud..

And there will be a market in stolen live tissue samples..etc etc ..

Lapizuli

3:33 pm on May 29, 2013 (gmt 0)

Yes, passwords will stop being cracked when the second law of thermodynamics reverses...or the opposite happens and the universe is just a sea of random stuff. I think I'm happy passwords can still be cracked...

cmendla

3:36 pm on May 29, 2013 (gmt 0)

Based on some of the browser caches I've seen on clients' machines, I'd guess there is a boatload of DNA on keyboards and mice alone.

(going to wash my brain out with Clorox now)

Dideved

10:17 pm on May 29, 2013 (gmt 0)



If it makes everyone feel better, the password list was easy to crack largely because the security measures were poor. No salting and no iterations.
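The two points made above, cmendla's walkthrough of a dictionary attack against a one-way hash and Dideved's remark that the leaked list lacked salting and iterations, can be shown side by side in a few lines. The following is an added example written for this thread, not code from the Ars article or from any poster. The wordlist is constructed, the unsalted scheme uses plain MD5 as the stand-in for the weak storage the thread discusses, and the hardened scheme uses PBKDF2-HMAC-SHA256 with a random per-user salt (the iteration count is an assumption chosen for illustration).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for a cracking dictionary; a real one holds millions of entries.
WORDLIST = ["password", "fido", "letmein", "momof3g8kids", "F!d()"]


def unsalted_md5(password: str) -> str:
    """The weak scheme the thread describes: one fixed hash, no salt, one iteration."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> word once. Because there is no salt, the same table
    matches every unsalted hash in every leaked database, forever."""
    return {unsalted_md5(w): w for w in words}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """A dictionary attack is just a table lookup when hashes are unsalted."""
    return table.get(stored_hash)


# Hardened storage: random per-user salt plus an iterated KDF.
# 200_000 is an assumed illustration value; tune it to your hardware budget.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    table = build_lookup_table(WORDLIST)

    # 1. Unsalted: the leaked hash of "fido" falls to a single lookup.
    hit = crack_unsalted(unsalted_md5("fido"), table)

    # 2. A "tough" looking password is no help if it is in the wordlist.
    tough_hit = crack_unsalted(unsalted_md5("F!d()"), table)

    # 3. Salted + iterated: two users with the same password get different
    #    records, so no precomputed table applies and each guess costs
    #    ITERATIONS hash computations per user.
    rec_a = hash_password("fido")
    rec_b = hash_password("fido")
    return {
        "unsalted_cracked": hit,
        "tough_cracked": tough_hit,
        "salted_records_differ": rec_a != rec_b,
        "verify_correct": verify_password("fido", rec_a),
        "verify_wrong": verify_password("F!d()", rec_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the salt is not secrecy (it is stored in the clear next to the hash) but uniqueness: it forces the attacker to start the dictionary over for every user. The iteration count then makes each of those restarts expensive.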

Leosghost

10:39 pm on May 29, 2013 (gmt 0)

Glad you told us that.."the children were startled"..:)..do you have an ebook ? ..

Dideved

11:38 pm on May 29, 2013 (gmt 0)



Glad you told us that.."the children were startled"..:)..do you have an ebook ? ..


I'm actually very glad you found it obvious. I can only hope that everyone found it obvious. Unfortunately I still encounter developers who implement security but don't know about these techniques. Sadly, even big companies with vast resources sometimes don't know. It's usually worth repeating to be sure. :)

Leosghost

11:49 pm on May 29, 2013 (gmt 0)

I agree with Birdbrain's most recent post..

and..

Glad you are "looking out for all of us"..... :)

lucy24

12:08 am on May 30, 2013 (gmt 0)

I agree with Birdbrain's most recent post.

C'mon, give us a hint. Did the moderators disagree so vigorously that it was promptly deleted-- or do you have multiple windows open concurrently again?

Leosghost

12:20 am on May 30, 2013 (gmt 0)

C'mon, give us a hint. Did the moderators disagree so vigorously that it was promptly deleted
'Tis here ..just a short step through the wood to the pool..
[webmasterworld.com...]

or do you have multiple windows open concurrently again?

always..how else would one sip..to do otherwise one might become entrapped by ones own reflection..or the moon..

frontpage

5:06 pm on May 30, 2013 (gmt 0)

It's great to have hashes, yet if you get locked out after 3-5 incorrect password attempts, it kind of defeats the whole 'the sky is falling'.

diberry

5:39 pm on May 30, 2013 (gmt 0)

Of course it will only work with "live" DNA ..or chip or tattoo carriers..to avoid "spare parts" fraud..

And there will be a market in stolen live tissue samples..etc etc ..


Glad I wasn't sipping my coffee when I read this!

Dideved

5:51 pm on May 30, 2013 (gmt 0)



It's great to have hashes, yet if you get locked out after 3-5 incorrect password attempts, it kind of defeats the whole 'the sky is falling'.


For our Web UI, that's definitely a security feature to consider. Password hashing is most relevant when the database is exposed.
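The lockout frontpage describes and the hashing Dideved mentions defend against different things: a lockout throttles guesses sent to the login form, while hashing limits the damage once the database itself has leaked and the attacker can guess offline at full speed. The following is an added example, not code from any poster, of the online half: a per-account failed-attempt counter with a timed lockout. The attempt limit, the lockout window and the injectable clock are assumptions made for illustration.

```python
import time
from collections import defaultdict
from typing import Callable, Dict

MAX_ATTEMPTS = 5        # assumed policy: lock after five consecutive failures
LOCKOUT_SECONDS = 900   # assumed policy: 15-minute lockout


class LoginThrottle:
    """Per-account failed-attempt counter with a timed lockout.

    Only the login endpoint consults it; it does nothing for an attacker who
    already holds a copy of the password hashes.
    """

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 lockout_seconds: int = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the behaviour can be tested offline
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear the lock and the counter.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Count a failed attempt; return True if the account is now locked."""
        self._failures[account] += 1
        if self._failures[account] >= self.max_attempts:
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  check_password: Callable[[str], bool]) -> str:
    """Return "locked", "ok" or "bad". The lock is checked before the password
    so a locked account never reveals whether a guess was right."""
    if throttle.is_locked(account):
        return "locked"
    if check_password(password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"


class FakeClock:
    """Constructed clock for the demo: advance time by hand instead of sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo():
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    is_correct = lambda pw: pw == "correct horse"  # constructed credential check

    results = [attempt_login(throttle, "alice", "guess%d" % i, is_correct)
               for i in range(5)]                          # five failures -> locked
    results.append(attempt_login(throttle, "alice", "correct horse", is_correct))  # locked
    clock.advance(LOCKOUT_SECONDS)                         # window elapses
    results.append(attempt_login(throttle, "alice", "correct horse", is_correct))  # ok
    results.append(attempt_login(throttle, "bob", "correct horse", is_correct))    # other accounts unaffected
    return results


if __name__ == "__main__":
    print(demo())
```

Note that a strict per-account lock is itself a denial-of-service lever (anyone can lock out a known username), which is why production systems usually combine it with per-IP throttling, progressive delays or CAPTCHA rather than relying on a hard count alone.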

Sgt_Kickaxe

7:26 pm on May 30, 2013 (gmt 0)

DNA based security


I think that should be added to this list of unethical human experimentation in the United States [en.wikipedia.org...]

[edited by: Sgt_Kickaxe at 7:36 pm (utc) on May 30, 2013]