
Cracking Tough Passwords Appears Just Too Easy

5:09 pm on May 28, 2013 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:22825
votes: 304


When reading this article, it makes me wonder, what's the point of spending time on a password?

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Cracking Tough Passwords Appears Just Too Easy [arstechnica.com]
7:02 pm on May 28, 2013 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13056
votes: 299


I got stuck on
momof3g8kids

--cited at least three times, so it can't be a typo. I guess it means that misspelling a password doesn't make it any more secure.
7:25 pm on May 28, 2013 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


g8kids..

We used to call them "latchkey kids"..:)
11:43 pm on May 28, 2013 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13056
votes: 299


Dang. I would never have thought of that. Britishism maybe? (But if so, wouldn't she have said "Mum"?)

I once used "open" as a password. It was perfectly safe and appropriate for the specific purpose :)
2:33 pm on May 29, 2013 (gmt 0)

Preferred Member from US 

10+ Year Member

joined:May 6, 2004
posts: 650
votes: 0


From what I recall, there are reversible and one-way hashes. One-way hashes should not be recoverable.

(PLEASE correct me if I am wrong on this)


However, a dictionary attack could break a one-way encrypted password.

Suppose your password is fido and that gets encrypted as (*#&$#(87

There is no way to restore the gibberish to fido.

However, if you build a list of all possible words and run those through the same encryption algo, then you will have a list with the encrypted (*#&$#(87 being in the table. So, if your list has all the possible words and combos of words, then you can crack the password.

Now, people start getting smart and use a 'tough' password, i.e. F!d(). That could encrypt to something like #&^#*&$^#*

Now you can brute force this with either a massive dictionary or just an app that does a brute force, i.e. trying every character and combo of characters, running it through the one-way encryption, then matching that against the encrypted hash you are trying to crack.

A couple of years ago that would have been a nightmare. However, with zombie botnets out there, you could hand that job off. Thousands of hacked machines working on the problem on a distributed basis would work eventually.

I suppose we will start moving toward dongles or some other two-part authentication.

chris
3:06 pm on May 29, 2013 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


When they have discredited every other method..they'll spring the surprise.. "DNA based authentication"..

for everything..

from Gmail and facebook to receiving your pension..or even combine DNA authentication with implanted NFC chips or NF magnetic data holding tattoos..

Of course it will only work with "live" DNA ..or chip or tattoo carriers..to avoid "spare parts" fraud..

And there will be a market in stolen live tissue samples..etc etc ..
3:33 pm on May 29, 2013 (gmt 0)

Full Member from US 

5+ Year Member Top Contributors Of The Month

joined:Oct 9, 2009
posts:301
votes: 6


Yes, passwords will stop being cracked when the second law of thermodynamics reverses...or the opposite happens and the universe is just a sea of random stuff. I think I'm happy passwords can still be cracked...
3:36 pm on May 29, 2013 (gmt 0)

Preferred Member from US 

10+ Year Member

joined:May 6, 2004
posts: 650
votes: 0


Based on some of the browser caches I've seen on clients' machines, I'd guess there is a boatload of DNA on keyboards and mice alone.

(going to wash my brain out with Clorox now)
10:17 pm on May 29, 2013 (gmt 0)

Junior Member

joined:Apr 6, 2013
posts:149
votes: 0


If it makes everyone feel better, the password list was easy to crack largely because the security measures were poor. No salting and no iterations.
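The two posts above describe the mechanics from both sides: chris's walk-through of a dictionary attack against a one-way hash, and the point that the Ars list fell quickly because the hashes had no salt and no iterations. The following script, which is an added example and not code from this thread or from the Ars article, runs the same small constructed wordlist against two constructed hash dumps: one stored as bare MD5 (the weak scheme), one stored with a random per-user salt and PBKDF2-HMAC-SHA256 from Python's standard library. The user names, passwords, wordlist and iteration count are all assumptions chosen for illustration; the point it makes is that salting removes the shared lookup table and iteration multiplies the cost of every remaining guess.

```python
"""Dictionary attack on unsalted MD5 versus salted, iterated PBKDF2.

Added example, not from the thread or the Ars article. The credential set,
the wordlist and the iteration count below are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed "leaked" plaintexts, used only to build the two sample dumps.
LEAKED = {
    "alice": "fido",
    "bob": "momof3g8kids",
    "carol": "F!d()",
    "dave": "correct horse battery staple",  # absent from the wordlist: survives both attacks
}

# Constructed attacker wordlist (a real one is millions of entries plus mangling rules).
WORDLIST = ["123456", "password", "fido", "letmein", "momof3g8kids", "F!d()", "qwerty"]


def unsalted_md5(password: str) -> str:
    """The weak scheme: a single MD5 over the raw password, no salt, no iteration."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed exactly once; the resulting table is shared across
    every account in the dump (and could have been precomputed years earlier).
    Returns (cracked, hash_ops).
    """
    table = {unsalted_md5(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str, iterations: int) -> tuple:
    """What the server keeps per user: random salt, work factor, digest."""
    salt = os.urandom(16)
    return salt, iterations, pbkdf2(password, salt, iterations)


def verify_salted(password: str, record: tuple) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the digest."""
    salt, iterations, digest = record
    return hmac.compare_digest(pbkdf2(password, salt, iterations), digest)


def crack_salted(records: dict, wordlist: list) -> tuple:
    """The same wordlist against salted, iterated records.

    The per-user salt kills the shared table: every (user, candidate) pair is
    a fresh PBKDF2 run, and each run costs `iterations` HMAC evaluations.
    Returns (cracked, hash_ops) with hash_ops counted in HMAC evaluations.
    """
    cracked, ops = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            ops += rec[1]
            if verify_salted(w, rec):
                cracked[user] = w
                break
    return cracked, ops


def demo(iterations: int = 10_000) -> dict:
    """Build both dumps from the constructed plaintexts, run both attacks, report cost."""
    unsalted_dump = {u: unsalted_md5(p) for u, p in LEAKED.items()}
    salted_dump = {u: store_salted(p, iterations) for u, p in LEAKED.items()}
    c1, ops1 = crack_unsalted(unsalted_dump, WORDLIST)
    c2, ops2 = crack_salted(salted_dump, WORDLIST)
    return {"unsalted": c1, "unsalted_ops": ops1, "salted": c2, "salted_ops": ops2}


if __name__ == "__main__":
    r = demo()
    print(f"unsalted MD5:  cracked {sorted(r['unsalted'])} with {r['unsalted_ops']} hash ops")
    print(f"salted PBKDF2: cracked {sorted(r['salted'])} with {r['salted_ops']} HMAC ops")
```

With the tiny wordlist both attacks recover the same three weak passwords, which is the honest part of the demonstration: salting and iteration do not rescue "fido". What changes is the bill. The unsalted attack spends seven hash operations for the whole dump however many users it holds, while the salted attack spends one full PBKDF2 run per user per candidate, so the 16,000-entry list from the article would have cost the attacker 16,000 times the work per candidate, and no precomputed table would have applied. Treat the 10,000-iteration default as a placeholder; pick a work factor by measuring what your login path can afford.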
10:39 pm on May 29, 2013 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


Glad you told us that.."the children were startled"..:)..do you have an ebook ? ..
11:38 pm on May 29, 2013 (gmt 0)

Junior Member

joined:Apr 6, 2013
posts:149
votes: 0


Glad you told us that.."the children were startled"..:)..do you have an ebook ? ..


I'm actually very glad you found it obvious. I can only hope that everyone found it obvious. Unfortunately I still encounter developers who implement security but don't know about these techniques. Sadly, even big companies with vast resources sometimes don't know. It's usually worth repeating to be sure. :)
11:49 pm on May 29, 2013 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


I agree with Birdbrain's most recent post..

and..

Glad you are "looking out for all of us"..... :)
12:08 am on May 30, 2013 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13056
votes: 299


I agree with Birdbrain's most recent post.

C'mon, give us a hint. Did the moderators disagree so vigorously that it was promptly deleted-- or do you have multiple windows open concurrently again?
12:20 am on May 30, 2013 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


C'mon, give us a hint. Did the moderators disagree so vigorously that it was promptly deleted
'Tis here ..just a short step through the wood to the pool..
[webmasterworld.com...]

or do you have multiple windows open concurrently again?

always..how else would one sip..to do otherwise one might become entrapped by ones own reflection..or the moon..
5:06 pm on May 30, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


It's great to have hashes, yet if you get locked out after 3-5 incorrect password attempts, it kind of defeats the whole 'the sky is falling'.
5:39 pm on May 30, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Jan 1, 2011
posts:1358
votes: 18


Of course it will only work with "live" DNA ..or chip or tattoo carriers..to avoid "spare parts" fraud..

And there will be a market in stolen live tissue samples..etc etc ..


Glad I wasn't sipping my coffee when I read this!
5:51 pm on May 30, 2013 (gmt 0)

Junior Member

joined:Apr 6, 2013
posts:149
votes: 0


It's great to have hashes, yet if you get locked out after 3-5 incorrect password attempts; it kind of defeats the whole 'the sky is falling'.


For our Web UI, that's definitely a security feature to consider. Password hashing is most relevant when the database is exposed.
7:26 pm on May 30, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member sgt_kickaxe is a WebmasterWorld Top Contributor of All Time 5+ Year Member

joined:Apr 14, 2010
posts:3169
votes: 0


DNA based security


I think that should be added to this list of unethical human experimentation in the United States [en.wikipedia.org...]

[edited by: Sgt_Kickaxe at 7:36 pm (utc) on May 30, 2013]
