- Nov 30, 2004
- 59,162
- 9,608
- 126
How crackers ransack passwords like qeadzcwrsfxv1331
- Thread starter lxskllr
- Start date
Sunny129
Diamond Member
- Nov 14, 2000
- 4,823
- 6
- 81
blankslate
Diamond Member
- Jun 16, 2008
- 8,761
- 543
- 126
My question is how will it do against passwords that keypass generates for you when the site allows reasonably long passwords with more than letters and numbers.
If it is a truly random string, the only attack is a brute force attack, trying to test all of the keyspace of letters+numbers, etc.
That's difficult.
However, with MD5, there are precomputed hashes to get all of those up to about 10 characters, that can make things very quick if it's an unsalted hash.
Longer than 10 characters with true random distribution, that's even more difficult and would be challenging to do.
That's difficult.
However, with MD5, there are precomputed hashes to get all of those up to about 10 characters, that can make things very quick if it's an unsalted hash.
Longer than 10 characters with true random distribution, that's even more difficult and would be challenging to do.
blankslate
Diamond Member
- Jun 16, 2008
- 8,761
- 543
- 126
that's good then I use at least 20 characters and have keypass include upper/lower case letters spaces special characters and brackets whenever possible. It seems like the Keypass file itself is more secure as long as you use a truly good main password since it uses SHA-256 for hashing the passwords it generates.
As was pointed out the seemingly "random" password in the title is actually a pattern on the keyboard.
The funny thing about security is the human element, when you force people to do something uncomfortable such as pick a long and complex password they often "cheat" and resort to writing down the password, keyboard walking, password doubling, patterns, iterations and alike.
What makes these passwords "guessable" when they're too long to brute force is that bad security practices on the part of service providers lead to database leaks of plain text passwords, these are passwords real people have picked for real services. Hackers can put together massive dictionaries of these passwords and snag a very large percentage of passwords.
Now with GPGPU and cheap cloud services, we can brute force small keyspaces (upto length 8 or 9, using full US95 charset) in usually just a few hours, on good hardware or with rainbow tables.
If you want a decent secure password you'll want to aim for at least 10 characters, randomly generated from a big character set, preferably upper+lower+numeric+special. In certain extreme circumstances where you suspect your attackers might have extended access to super computers make that 12+ characters.
The funny thing about security is the human element, when you force people to do something uncomfortable such as pick a long and complex password they often "cheat" and resort to writing down the password, keyboard walking, password doubling, patterns, iterations and alike.
What makes these passwords "guessable" when they're too long to brute force is that bad security practices on the part of service providers lead to database leaks of plain text passwords, these are passwords real people have picked for real services. Hackers can put together massive dictionaries of these passwords and snag a very large percentage of passwords.
Now with GPGPU and cheap cloud services, we can brute force small keyspaces (upto length 8 or 9, using full US95 charset) in usually just a few hours, on good hardware or with rainbow tables.
If you want a decent secure password you'll want to aim for at least 10 characters, randomly generated from a big character set, preferably upper+lower+numeric+special. In certain extreme circumstances where you suspect your attackers might have extended access to super computers make that 12+ characters.
Don't forget leasing compute time on a massive botnet. Not your average brute force technique for your DIY hacker, but very viable for the serious ones.
The real moral of the story here is that your password is only as secure as how much effort someone is willing to put in to break it, period. It's time for two-factor authentication to be taken more seriously in the mainstream, a World of Warcraft account should not be more secure than my bank account.
Yep, it's a good point, cloud cracking via something like Amazon Web Services (AWS) is viable for anyone with a credit card, and large botnets can dedicate time to cracking as well.
The main problem with these 2 approaches is that most of the computers involved have no discreet GPU or a weak one, most of the speed from modern day brute force attempts comes from GPGPU, CPUs are pretty slower brute force crackers by comparison even if you have thousands of them.
usually it works out cheaper to build your own cracking rig by buying a bunch of high end AMD GPUs rather than rent time on AWS or a botnet, and then you have that hardware for future use as well.
The main problem with these 2 approaches is that most of the computers involved have no discreet GPU or a weak one, most of the speed from modern day brute force attempts comes from GPGPU, CPUs are pretty slower brute force crackers by comparison even if you have thousands of them.
usually it works out cheaper to build your own cracking rig by buying a bunch of high end AMD GPUs rather than rent time on AWS or a botnet, and then you have that hardware for future use as well.
blankslate
Diamond Member
- Jun 16, 2008
- 8,761
- 543
- 126
https://www.grc.com/haystack.htm
the gist of the above list is that a person can think of a good core of a password then have a pattern like +_+ or wXs that you add the front middle end or all three to "pad" the password.
I suggest reading the entire page, the author seems to touch on all the concerns about passwords that I think most people can think of off the top of their heads.
I have a password management passphrase that looks something like this
e(q$;Rt6Kc=12wz
without being that (mine is longer).
One thing I do; is to use information about acquaintances I knew years ago but have no contact with now to "pad" my password..
It's easy to gather information about someone but when you have to gather information about other people they may have known in the past to help guess that someone's password hopefully the task has become even more difficult.
now if someone obtained the file with the masterkey e(q$;Rt6Kc=12wz and took a run at it with an array of GPUs it should take a while to crack (although this one might get added to a list) according to the search space calculator on the link and actual password strength meters.
I think the Gibson Research page on password "haystacking" can help with securing your passwords as much as possible (or at least more so than most other password users) when used with other tools (like a password manager), as long as you take note of the cautionary advice on the page.
Please let me know of any other resources that I can use to make sure my passwords are more secure.
the gist of the above list is that a person can think of a good core of a password then have a pattern like +_+ or wXs that you add the front middle end or all three to "pad" the password.
I suggest reading the entire page, the author seems to touch on all the concerns about passwords that I think most people can think of off the top of their heads.
I have a password management passphrase that looks something like this
e(q$;Rt6Kc=12wz
without being that (mine is longer).
One thing I do; is to use information about acquaintances I knew years ago but have no contact with now to "pad" my password..
It's easy to gather information about someone but when you have to gather information about other people they may have known in the past to help guess that someone's password hopefully the task has become even more difficult.
now if someone obtained the file with the masterkey e(q$;Rt6Kc=12wz and took a run at it with an array of GPUs it should take a while to crack (although this one might get added to a list) according to the search space calculator on the link and actual password strength meters.
I think the Gibson Research page on password "haystacking" can help with securing your passwords as much as possible (or at least more so than most other password users) when used with other tools (like a password manager), as long as you take note of the cautionary advice on the page.
Please let me know of any other resources that I can use to make sure my passwords are more secure.
The point is that if someones got access to the hashed password, it doesnt matter what crazy symbols you put in it. That rainbow table is going to chop it up in somewhere between seconds and hours depending on length.
sourceninja
Diamond Member
- Mar 8, 2005
- 8,805
- 65
- 91
If someone can brute force your password then the service that password is trying to protect is flawed.
Try more than 4 or 5 passwords, lock that account down for a good long while. If they can do a rainbow attack, again the flaw is on the service for letting those hashes and salt's leak.
Try more than 4 or 5 passwords, lock that account down for a good long while. If they can do a rainbow attack, again the flaw is on the service for letting those hashes and salt's leak.
blankslate
Diamond Member
- Jun 16, 2008
- 8,761
- 543
- 126
Are you sure? From what I have read rainbow tables are very effective against MD5 and SHA-1 hash methods for obfuscating the plain text passwords.
http://www.codinghorror.com/blog/2012/04/speed-hashing.html
However, against newer and more secure hash methods the shift is from away rainbow tables to an array of GPUs to brute force the password... when you do that you are trying every possible password and GPUs let you do that very quickly.
A reply to the article in the OP made this point
As the Gibson website proposed a way people can pad their password in such a way so as to increase the chance their password won't be a typical weak password.
As long as people don't use a truly good password they can remember on as a login but use it as a password to access a Last Pass vault or other password manager then they can be very sure that they aren't using the same login password for different sites.
Obviously that provides protection for a person if one of their accounts is compromised because every account should at least have different passwords when using a password manager.
Of course the above means even though you can't control what the sites were you have accounts do to store your account info you can choose one or two good passwords that aren't as vulnerable to rainbow tables if you take the time and then you can use a good password manager to generate good passwords that you don't even have to memorize for the site you use.
or as was put in clear way.
I'm pretty sure that none of the password managers in the quote above use a hashing scheme that is vulnerable to rainbow tables by themselves.
http://crackstation.net/hashing-security.htm
Remember the OP article described attacks used against a file using an older hash algorism but didn't seem to mention how effective those same attacks would be with a newer hashing system. Hopefully those attacks against the newer hashing methods would be harder.
Even if you cannot come up with a truly random password then even "padding" the password is better than nothing if the cracker is forced to use a brute force method.
Like it or not crazy characters do force the cracker add in another set of characters to their brute for attack (if and when they are forced to engage in one) and that does increase the time it takes to crack the password.
Perhaps enough time that the cracker gives up on your file and moves on to "low hanging fruit"
Last edited:
Nintendesert
Diamond Member
- Mar 28, 2010
- 7,761
- 5
- 0
Password length is much more important than character set. 10 characters is too short for any reasonably important password.
It's more important numerically, sure. Overall it depends on the password scheme used, but even if it's one of the faster ones to break it will still take supercomputers to break a length 10 using full 95 Character set in any reasonable time frame, do the math on it. That's why I said if you think your attackers might have extended access to super computers you might want to go with length 12 or longer, that's safe for short term.
As for rainbow tables, the article saying they're obsolete couldn't be more wrong.
Salted passwords with random salts defeat rainbow table attacks, although bad salt systems may not, some use salts based on the username so building rainbow tables for the account "administrator" or "admin" is still viable.
Let's put it this way, I have a full set of NTLM rainbow tables up to length 8 which are designed for use with GPU cracking, using a single GTX580 I can check the entire character space of standard US95 character set across lengths 1-8, and I can do that a bit under 3 hours, or probably faster now I have SLI 580's.
Using a 580 alone to hash every one of the 6,704,780,954,517,120 combinations would take a long time, too long to be of any use, I think they hash at approx 320 Million/sec so that would be 20,952,440 seconds or about 242 days!
The tables are about 1.5Tb though, so there's the trade off.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 24K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes Discussion Threads
- Started by Tigerick
- Replies: 20K
-
-
-
Facebook
Twitter