The Ars password team included a developer of cracking software, a security consultant, and an anonymous cracker. The most thorough of the three cracks was carried out by Jeremi Gosney, a password expert with Stricture Consulting Group. Using a commodity computer with a single AMD Radeon 7970 graphics card, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate. Jens Steube, the lead developer behind oclHashcat-plus, achieved impressive results as well. (oclHashcat-plus is the freely available password-cracking software both Anderson and all crackers in this article used.) Steube unscrambled 13,486 hashes (82 percent) in a little more than one hour, using a slightly more powerful machine that contained two AMD Radeon 6990 graphics cards. A third cracker who goes by the moniker radix deciphered 62 percent of the hashes using a computer with a single 7970 card - also in about one hour. And he probably would have cracked more had he not been peppered with questions throughout the exercise.

The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456," "1234567," and "password" are there, as is "letmein," "Destiny21," and "pizzapizza." Passwords of this ilk are hopelessly weak. Despite the additional tweaking, "123456789j," "letmein1!," and "LETMEin3" are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. ":LOL1313le" is in there, as are "Coneyisland9/," "momof3g8kids," "1368555av," "n3xtb1gth1ng," "qeadzcwrsfxv1331," "m27bufford," "J21.redskin," "Garrett1993*," and "Oscar+emmy2."

As big as the word lists that all three crackers in this article wielded - close to 1 billion strong in the case of Gosney and Steube - none of them contained "Coneyisland9/," "momof3g8kids," or the more than 10,000 other plains that were revealed with just a few hours of effort. So how did they do it? The short answer boils down to two variables: the website's unfortunate and irresponsible use of MD5 and the use of non-randomised passwords by the account holders.

"These are terrible passwords," radix, who declined to give his real name, told Ars just a few minutes into run one of his hour-long cracking session. "There's probably not a complexity requirement for them. The hashing alone being MD5 tells me that they really don't care about their passwords too much, so it's probably some pre-generated site."

Like SHA1, SHA3, and most other algorithms, MD5 was designed to convert plaintext into hashes, also known as "message digests," quickly and with a minimal amount of computation. Armed with a single graphics processor, they can cycle through more than eight billion password combinations each second when attacking "fast" hashes. By contrast, algorithms specifically designed to protect passwords require significantly more time and computation. For instance, the SHA512crypt function included by default in Mac OS X and most Unix-based operating systems passes text through 5,000 hashing iterations. This hurdle would limit the same one-GPU cracking system to slightly less than 2,000 guesses per second. Examples of other similarly "slow" hashing algorithms include bcrypt, scrypt, and PBKDF2.

The other variable was the account holders' decision to use memorable words. The characteristics that made "momof3g8kids" and "Oscar+emmy2" easy to remember are precisely the things that allowed them to be cracked. Their basic components - "mom," "kids," "oscar," "emmy," and numbers - are a core part of even basic password-cracking lists. The increasing power of hardware and specialised software makes it trivial for crackers to combine these ingredients in literally billions of slightly different permutations. Unless the user takes great care, passwords that are easy to remember are sitting ducks in the hands of crackers.

What's more, like the other two crackers profiled in this article, radix didn't know where the password list was taken from, eliminating one of the key techniques crackers use when deciphering leaked hashes. "If I knew the site, I would go there and find out what the requirements are," he said. The information would have allowed radix to craft custom rule sets targeted at the specific hashes he was trying to crack.
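The fast-versus-slow hash contrast described above, as an added example that is not from the article or from oclHashcat: unsalted MD5 as the breached site used it, beside salted PBKDF2-HMAC-SHA512 at the 5,000-iteration work factor the article cites for SHA512crypt. The record format, function names and the sample accounts are my own constructions.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA512. 5,000 mirrors the iteration count the
# article cites for SHA512crypt; real deployments use far higher counts,
# tuned to the hardware that will verify logins.
PBKDF2_ITERATIONS = 5_000

def md5_unsalted(password: str) -> str:
    """How the breached site stored passwords: one fast, unsalted digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS, salt=None) -> str:
    """Hypothetical record format: 'pbkdf2_sha512$iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return False
    _, iterations, salt_hex, digest_hex = parts
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)

def guesses_per_second(hash_fn, sample: int = 200) -> float:
    """Rough single-core throughput of hash_fn, to compare a fast and a slow scheme."""
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(f"guess{i}")
    return sample / (time.perf_counter() - start)

if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password. Unsalted
    # MD5 gives them identical records, so cracking one reveals both; salted
    # PBKDF2 gives different records that still verify.
    print(md5_unsalted("momof3g8kids") == md5_unsalted("momof3g8kids"))  # True
    rec_a, rec_b = pbkdf2_store("momof3g8kids"), pbkdf2_store("momof3g8kids")
    print(rec_a != rec_b, pbkdf2_verify("momof3g8kids", rec_a), pbkdf2_verify("Oscar+emmy2", rec_a))
    fast = guesses_per_second(md5_unsalted)
    slow = guesses_per_second(lambda p: pbkdf2_store(p, salt=bytes(16)))
    print(f"MD5 {fast:,.0f}/s vs PBKDF2({PBKDF2_ITERATIONS}) {slow:,.0f}/s, ~{fast / slow:,.0f}x slower")
```

The measured ratio is per CPU core in Python, so it is far smaller than the GPU figures in the article, but the direction of the gap is the point: every extra iteration the defender pays once per login the cracker pays once per guess.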