Anatomy of a password-crack, part II


23 Responses to “Anatomy of a password-crack, part II”

  1. ldobe says:

    Note to self: put the numbers and capitals in places I’ll never remember.

    Is it just me, or have passwords lost their security value?
    I mean with this method of cracking, most any memorable password can be cracked regardless of whether the hash is cryptographically secure.
    I’d suggest biometrics, but I have no idea whether that can be made secure enough. I did see an interesting demo of infrared hand vein reading. It would be tremendously difficult to duplicate, is highly unique to the individual, has a lot of measurable data, and is harder to get a copy of surreptitiously than simple fingerprints or iris photos.

    • David Haddad says:

      Here’s the problem I see with biometrics: they’re just a different way to enter your password. At the bottom of it all, your computer is still sending a lump of data to a server, and that server is comparing that data against their records.

      The only thing biometrics has going for it is “randomness”. A fingerprint won’t have any mnemonics. But I imagine that new patterns would emerge, and the possibility space of fingerprints isn’t as big as one would imagine, at least at the resolution of a cheap scanner.

      • dragonfrog says:

        That’s right – biometrics only really work when everything down to the device doing verification is trusted.

        So, for unlocking a door, biometrics might be OK – it’s your building, your door, your fingerprint scanner, etc.  For logging on to a computer, biometrics are probably OK – it’s your computer already, if you can’t trust it then you’ve already lost.

        Another big problem with biometrics is that they can’t be changed.  If you learn your password to a website is compromised, you can change it any other places where you might use it.  But what do you do if you determine your left thumbprint is in the hands of hackers?  Change it?

    • Cowicide says:

      Note to self: put the numbers and capitals in places I’ll never remember.

      Better idea…

      • ldobe says:

        I know of and have used password managers, but they still suffer from requiring a memorable master password. They always have seemed rather chicken and egg, even if you use random passwords, and let the manager remember the 40 character strings.

        • bardfinn says:

          Or, on a system you trust that has a printer, print out your passwords onto a business card, and print out several similar business cards with similar passwords. Carry them in your wallet.

          I went a step further and made numbered business card-sized cards with QR Codes encoding my passwords for social media sites. Scan relevant QR code, copy, paste. I’d never do it for my Google account or my GPG encryption pass phrases or etc, but for boingboing (which seems to log me out once a week), it’s better than trying to memorize the 12-character random noise I set the password to.

    • bardfinn says:

      The difficulty here is that you’re seeing one instance of a crack of a /password file/, and it’s undermining your confidence in your /password/.

      Lengthy pass phrases such as “WordUp,Thisisthesecretestofsecrets—FRONTfin72” are memorable and nigh-on uncrackable in and of themselves with today’s technology, even from a poorly-encrypted hashfile — it’s just too long and the em dash is Unicode, not ASCII.

      If a hash of your biometric data had been encrypted in this hashfile, and was recovered by someone cracking the hashfile, someone could then run hash collision testing and find fingerprints and iris scans and voice prints that, to a human, sound nothing like yours but, to a hashing algorithm, look /just like you/. And you can’t change your biometrics to move the target an attacker is going for, but you can always change your password.

    • jandrese says:

      The real message here is “avoid common patterns” and also “make your password long enough”.  There is a chart near the middle that shows the brick wall of brute forcing.  Most of what these guys do is figure out what sort of patterns people are likely to follow and look for those.  Two dictionary words separated by a number?  Easy.  A single word followed by 4 digits?  Also easy. 

      So you should make your password such that you can remember it, but it doesn’t use patterns that other people are likely to use.  For instance, maybe your password is just four random dictionary words with spaces in between, but after the second letter of each word you add a T.  “coTrrect hoTrse baTttery stTaple” is long enough to avoid brute force attacks and uses a rule so strange that crackers won’t look for it unless they have a very good reason. 

  2. Just_Ok says:

    but they didn’t get “correcthorsebatterystaple” ?

    • cservant says:

      “The combinator attack got it! It’s cool,” he said. Then referring to the oft-cited xkcd comic, he added: “This is an answer to the batteryhorsestaple thing.”

      Yes, yes they can.  You did read the article?

      • SamSam says:

        Just_Ok was asking whether any of the passwords were actually “correcthorsebatterystaple.” If they were, the article didn’t mention it. (Although doubtless it’s now a part of every hacker’s dictionary.)

        The hacker did say that looking for chained passwords was “the answer” (i.e. how to hack) the correcthorsebatterystaple “thing,” but in reality the number of bits of information is just too great to really hack a password like that right now. Two chained words maybe, but four is huge. (num_common_words^4 >>> num_common_words^2). However, in the not-too-distant future even “correcthorsebatterystaple” will be easy.

        Length is still key, but the main takeaway from the article is that length is not enough if you’re following a common pattern. “correcthorsebatterystaple” is still worse than “jkh32$23d[as%B{=”, even though the former is much longer, because using the techniques described in the article hackers will find a route to the former password much quicker than the latter.

      • Just_Ok says:

        xkcd is a comic now?
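An added example, not part of this thread or of the Ars Technica article the comments quote, that does what cservant’s quote and SamSam’s reply describe: a combinator attack that hashes every ordered pair (or quadruple) of dictionary words with unsalted MD5 (the hash tarekrached notes the leaked list used) and a keyspace calculation showing how num_common_words^4 outgrows num_common_words^2. The twelve-word WORDLIST and the three target passwords are constructed for the demo; a real attack would use a dictionary of tens of thousands of words and the hashes would be the attacker’s input rather than computed in the script.

```python
"""Combinator attack on unsalted MD5 hashes, sized against dictionary size."""
import hashlib
import itertools

# Constructed toy dictionary standing in for a list of common words (assumption:
# a real attack would use tens of thousands of words, not twelve).
WORDLIST = [
    "correct", "horse", "battery", "staple", "summer", "dragon",
    "password", "monkey", "shadow", "master", "letmein", "sunshine",
]


def md5_hex(plaintext: str) -> str:
    """Unsalted MD5, the hash the article says the leaked list used."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def combinator_attack(target_hashes, wordlist, words_per_candidate=2,
                      separators=("",)):
    """Hash every ordered combination of `words_per_candidate` dictionary words,
    joined by each separator, and match against the target set.

    Returns {hash: recovered_plaintext} for every target that was cracked."""
    remaining = set(target_hashes)
    cracked = {}
    for words in itertools.product(wordlist, repeat=words_per_candidate):
        for sep in separators:
            candidate = sep.join(words)
            digest = md5_hex(candidate)
            if digest in remaining:
                cracked[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return cracked
    return cracked


def keyspace(dictionary_size: int, words_per_candidate: int,
             separator_count: int = 1) -> int:
    """Worst-case number of candidates combinator_attack() must hash."""
    return separator_count * dictionary_size ** words_per_candidate


if __name__ == "__main__":
    # Constructed hashes of made-up passwords, not from the leaked list.
    secrets = ["dragonmaster", "monkey-shadow", "correcthorsebatterystaple"]
    targets = {md5_hex(s) for s in secrets}

    two_word = combinator_attack(targets, WORDLIST, 2, separators=("", "-"))
    print("two-word pass cracked:", sorted(two_word.values()))
    # -> ['dragonmaster', 'monkey-shadow']; the four-word one survives this pass

    four_word = combinator_attack(targets - set(two_word), WORDLIST, 4)
    print("four-word pass cracked:", sorted(four_word.values()))
    # -> ['correcthorsebatterystaple']: against a 12-word list that is only
    #    12**4 = 20736 candidates, which is why the dictionary size matters.

    for size in (12, 2000, 20000):
        print(f"{size:>6} words: 2-word keyspace {keyspace(size, 2):.2e}, "
              f"4-word keyspace {keyspace(size, 4):.2e}")
```

The four-word pass succeeds here only because the toy dictionary is tiny; with 2000 common words the same pass is 1.6e13 candidates, which is the gap between the two exponents SamSam points at. Separators, capitalisation and digit suffixes each multiply the keyspace by a small constant, not by another factor of the dictionary size, so they help far less than an extra uncommon word.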

  3. cleek says:

    “qeadzcwrsfxv1331” came out of a dictionary-based attack ?

    I don’t see any words at all in there. Is it slang?

    • Chris Drouin says:

      Try typing it out on your keyboard.  It’s not quite as obvious as QWERTY, but it’s still a pretty easy / regular pattern to type one-handed (1st and 3rd columns, then 2nd and 4th columns, then a number that can be typed by the same hand).
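To show what Chris Drouin’s reading of “qeadzcwrsfxv1331” looks like as a cracking rule, here is an added example (not from the thread or from the article) that generates column-walk candidates from a QWERTY layout, chains them, appends digit suffixes typed with the same hand, and checks them against an unsalted MD5 hash. The layout table, the choice of 1 to 5 as the “left-hand” digits, the limit of two chained walks and the hashed target are all assumptions of the demo.

```python
"""Keyboard-walk candidate generation for a cracking wordlist (QWERTY layout)."""
import hashlib
import itertools

# US QWERTY letter rows, top to bottom (assumption: the column-walk reading of
# "qeadzcwrsfxv" is for this layout).
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def md5_hex(plaintext: str) -> str:
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def column_pair_walks(rows=QWERTY_ROWS):
    """Yield every string formed by taking two fixed columns from each row, top
    row first: columns 0 and 2 give 'qeadzc', columns 1 and 3 give 'wrsfxv'."""
    depth = min(len(row) for row in rows)   # columns that exist in every row
    for i, j in itertools.permutations(range(depth), 2):
        yield "".join(row[i] + row[j] for row in rows)


def digit_suffixes(length=4, digits="12345"):
    """Digit suffixes typed with the same (left) hand, e.g. '1331' (assumption)."""
    return ["".join(d) for d in itertools.product(digits, repeat=length)]


def walk_candidates(rows=QWERTY_ROWS, suffixes=("",), max_walks=2):
    """Yield chains of up to max_walks column walks, each with every suffix."""
    walks = list(column_pair_walks(rows))
    for n in range(1, max_walks + 1):
        for chain in itertools.product(walks, repeat=n):
            base = "".join(chain)
            for suffix in suffixes:
                yield base + suffix


def candidate_count(rows=QWERTY_ROWS, suffix_count=1, max_walks=2):
    """Size of the list walk_candidates() produces, without generating it."""
    walks = len(list(column_pair_walks(rows)))
    return suffix_count * sum(walks ** n for n in range(1, max_walks + 1))


def crack_md5(target_hashes, candidates):
    """Hash each candidate with unsalted MD5; return {hash: plaintext} hits."""
    remaining = set(target_hashes)
    cracked = {}
    for candidate in candidates:
        digest = md5_hex(candidate)
        if digest in remaining:
            cracked[digest] = candidate
            remaining.discard(digest)
            if not remaining:
                break
    return cracked


if __name__ == "__main__":
    target = md5_hex("qeadzcwrsfxv1331")   # constructed target, not a leaked hash
    suffixes = digit_suffixes()
    print(crack_md5({target}, walk_candidates(suffixes=suffixes)))
    # -> {target: 'qeadzcwrsfxv1331'}
    print(candidate_count(suffix_count=len(suffixes)))
    # -> 1128750 candidates: 42 single walks + 42**2 chains, times 625 suffixes
```

The whole candidate list is a little over a million entries, which is why a sixteen-character string with no dictionary words in it still falls to a “dictionary-based” attack: the pattern, not the letters, is what the cracker enumerates.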

  4. EricSchrepel says:

    Lamest comment ever here, but there’s an unclosed bold or strong tag in this post that’s causing the rest of the page to stay in bold. But maybe we need more boldness.

    • bardfinn says:

      No matter how much the thought makes me giggle, I will not edit one of my comments up-thread to include an un-closed bold tag now that the un-closed bold tag in the main body of the article has been corrected. All things in their proper measure.

  5. miasm says:

    Leeloo Dallas mul-ti-pass.

  6. tarekrached says:

    The passwords were hashed with MD5, not SHA1.  From the article:  “The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function.”

  7. allotrope says:

    I can do all this through him who gives me strength.

    Do not be anxious about anything, but in every situation, by prayer and petition, with thanksgiving, present your requests to God

    And the peace of God, which transcends all understanding, will guard your hearts and your minds in Christ Jesus.

    Wonder if the password reset word was biblical too.

  8. Um, I don’t want to be a dick, but “the passwords were encrypted with a hash”? Makes you sound like an idiot. Hashing ≠ encryption.
