Ars Technica's Nate Anderson decided to try cracking passwords (from a leaked file of MD5 hashes), to see how difficult it was. After a very long false start (he forgot to decompress the word-list file) that's covered in a little too much detail, Anderson settles down to cracking hashes in earnest, and provides some good data on the nuts and bolts of password security:
By this point I had puzzled out how Hashcat worked, so I dumped the GUI and switched back to the command-line version running on my much faster MacBook Air. My goal was to figure out how many hashes I could crack in, say, under 30 minutes, as well as which attacks were most efficient. I began again on my 17,000-hash file, this time having Hashcat remove each hash from the file once it was cracked. This way I knew exactly how many hashes each attack solved.
This set of attacks brought the number of uncracked MD5 hashes down from 17,000 to 8,790, but clearly the best "bang for the buck" came from running the RockYou list with the best64.rule iterations. In just 90 seconds, this attack would uncover 45 percent of the hashed passwords; additional attacks did little more, even those that took 16 minutes to run.
Cracking a significant number of the remaining passwords would take some much more serious effort. Applying the complex d3ad0ne.rule file to the massive RockYou dictionary, for instance, would require more than two hours of fan-spinning number-crunching. And brute force attacks using 6-character passwords only picked up a few additional results.
The point, really, is that if you want to understand the relative security of different password-generation techniques, you need to understand what's involved in state-of-the-art password cracking techniques.
How I became a password cracker
In the wake of the Permanent Court of Arbitration ruling that China had been stealing islands in the South China, the Xi Jinping administration’s propaganda machine went into overdrive to whip up patriotic sentiment in China, with a massive wave of anti-American and anti-Japanese sentiment.
Encrypted Media Extensions (EME), part of a DRM system that’s being standardized at the World Wide Web Consortium (W3C), marks the first instance in which a W3C standard will fall under laws like the DMCA, which let companies threaten security researchers with criminal and civil liability just for disclosing the defects in these products.
The day that the Permanent Court of Arbitration ruled that China had been stealing islands in the South China Sea, the Chinese Communist Party Youth League shared this viral video of young Chinese patriots saying “South Sea arbitration, who cares?”
Home audio has taken some big leaps forward in recent years–not just in terms of sound quality, but also in the style department. The FRESHeBAR Leather Soundbar, now 56% off in the Boing Boing Store, is proof.The FRESHeBAR comes packing almost all the options you’d ever need for a home sound system, including Bluetooth streaming capabilities.The unit’s 90 […]
Much of what goes into creating an amazing photo happens in the digital darkroom. Here’s your chance to master all things photo editing: the Ultimate Adobe Photo Editing Bundle, now available in the Boing Boing Store for just $29.99.Across 8 courses and over 41 hours of intensive instruction, you’ll learn the fundamentals of Adobe’s suite of photo […]
3D printers are hot, but they’re also pricey. While the prospect of cranking out everything we can dream up is enticing, cost is often one factor that keeps us from jumping onto the 3D printing train.Now, thanks to M3D, that doesn’t have to be the case. You can now get its flagship 3D printer–plus four reels of filaments–for just […]