Monday, July 08, 2013

2310 - Passwords

"How I became a password cracker"  (Cracking passwords is officially a "script kiddie" activity now.)

That's the title of an article about a guy who decided to find out how easy it is to crack passwords. It's a 3 (long) page article that doesn't get too deep into computerese about cracking passwords. After all, it's an article on how simple it is.

He did run into a few basic problems that seemed really simple once he figured them out, but don't we all do that? Hindsight is 20/20.

That said you can go back to the link and read the whole thing or look at some snippets I picked out.


It sounded like an interesting challenge. Could I, using only free tools and the resources of the Internet, successfully:

Find a set of passwords to crack
Find a password cracker
Find a set of high-quality wordlists and
Get them all running on commodity laptop hardware in order to
Successfully crack at least one password
In less than a day of work?

I could. And I walked away from the experiment with a visceral sense of password fragility. Watching your own password fall in less than a second is the sort of online security lesson everyone should learn at least once—and it provides a free education in how to build a better password.




.....

I knew from reading Dan's 2012 feature on password cracking that the biggest, baddest wordlist out there had come from a hacked gaming company called RockYou. In 2009, RockYou lost a list of 14.5 million unique passwords to hackers.

.....

A brute-force attack requires numerous options, including the lengths of the attempted passwords and a mask built up from character sets like these:

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?h = 8 bit characters from 0xc0 - 0xff
?D = 8 bit characters from german alphabet
?F = 8 bit characters from french alphabet
?R = 8 bit characters from russian alphabet

.....

I re-ran a "straight" attack on my 17,000 hash file using each of my wordlists with no additional rules whatsoever.

The result: I cracked 4,976 hashes in one minute, most of them coming from the RockYou wordlist, which clearly lived up to its hype now that it was uncompressed and working. Even without rules, I had cracked far more complex passwords than before, things like "softball24" and "butterfly5."


So I added best64.rule back into the mix and let Hashcat rip. In only 16 minutes it had applied every rule to every word in every wordlist I had, smashing through 7,553 hashes. After my dumb misstep, I had finally solved the password-cracking puzzle. I stared in awe at the huge list of passwords and the short amount of time needed to crack them. This was getting fun.

.....

So what's the magic secret? Right now it seems to be passwords that are 16 characters long and have random capital letters in them along with numbers or special characters ($#&* etc.).
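To put some numbers behind that, here is a small Python script (added here, not from the article or its author) that reads a hashcat-style mask built from the character sets quoted above and reports how many candidates it produces and how long trying all of them would take at an assumed rate. The 10 billion guesses per second figure is a constructed assumption, and the sets follow the quoted lists exactly (hashcat's real ?s also contains the space and %, so its ?a has 95 characters rather than 93).

```python
# Character sets exactly as quoted from the article above. (hashcat's real ?s
# also contains the space and '%', which appear to have been lost in the quote.)
CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": "!\"#$&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def mask_keyspace(mask: str) -> int:
    """Count the candidates a mask generates: '?x' expands to a named set,
    '??' is a literal '?', and any other character is a fixed literal."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal: one choice, multiply by 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        name = mask[i + 1]
        if name == "?":
            size = 1
        elif name in CHARSETS:
            size = len(CHARSETS[name])
        else:
            raise ValueError(f"unknown charset ?{name}")
        total *= size
        i += 2
    return total


def seconds_to_exhaust(mask: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate the mask produces."""
    return mask_keyspace(mask) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    RATE = 1e10  # constructed assumption: 10 billion guesses/s against a fast unsalted hash
    for m in ("?l?l?l?l?l?l?l?l", "?u?l?l?l?l?l?l?d?d", "?a" * 16):
        print(f"{m:32} {mask_keyspace(m):.2e} candidates  {human_time(seconds_to_exhaust(m, RATE))}")
```

An eight-letter lowercase password falls in seconds at that rate, while sixteen characters drawn from the full set are out of reach of brute force, which is why the cracker in the article leans on wordlists and rules instead.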

If you're like me you have a bazillion passwords. But it may be time to upgrade the important ones like your bank.


9 comments:

Duckbutt said...

It really pays to ix capitals, nubers, and sybols in your iportant passwords.

Elvis Wearing a Bra on His Head said...

Duckbutt, your m is not keying.

eViL pOp TaRt said...

It's a real problem to remember additional passwords. Especially the nonsense ones.

Claudia said...

My at-work password almost makes the required number of characters and other stuff to beat a hacker. Who'd a thunk! Next time it expires, I'll definitely remember what you've shared here.

I'm With Stupid said...

That reminds me. I made my Facebook password so random and complicated that I have no idea what it is anymore.

Jay

Mike said...

Duck - Now that would be a good password phrase.

Elvis - I hope he did that on purpose.

Angel - I know a guy that has access to so many systems he has to keep a password book.

Claudia - A lot of systems are doing good password authentication now.

Mike said...

Jay - One of the hazards of really good passwords. You need a password book.

Bilbo said...

We have six different networks running at work, each of which has different rules for password creation and is on a different change schedule from all the others. And that doesn't count all the other passwords, logins, etc, that I have to remember. I'm getting too old for this.

Mike said...

Bilbo - It's a conspiracy to drive you crazy.