Another Nail in the Password Coffin



"Dustin's computer can perform 30 billion guesses per second against standard Windows hashes. The $800 system uses four AMD Sapphire Radeon 7950 cards."

http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/3/

How the Bible and YouTube are fueling the next frontier of password cracking
Crackers tap new sources to uncover "givemelibertyorgivemedeath" and other phrases.

by Dan Goodin - Oct 8 2013, 8:00am CDT

A new way

Encouraged with their results, Young, Dustin, Chrysanthou, and other crackers are tapping an ever larger pool of phrases. News websites, multilingual forums, public IRC logs, Wikipedia, Pastebin, e-books, movie scripts, and song lyrics are just some of the wells they're drawing from. And of course, Facebook and other social networking sites are goldmines. For example, in May 2012, while cracking 160,000 MD5 hashes leaked from Militarysingles.com (a dating website for members of the US armed forces), Young and Dustin turned to Twitter to increase their supply of words and phrases used by people in the military.



We will have to start using thumb prints, by the by.


The fact remains that fingerprints have been forged by several methods by police and by criminals. The FBI first found a forgery by a law enforcement officer in 1925.

(Book Reviews - Suspect Identities: A History of Fingerprinting and Criminal Identification by Simon Cole (Cambridge: Harvard University Press, 2001). - http://necessaryfacts.blogspot.com/2011/01/fallibility-of-fingerprinting.html)

I saw two presentations by a local guy who developed a two-factor authentication for your cellphone. His theory is that you are never far from your phone, so he uses another code, plus GPS location of your phone when the phone syncs to your computer for the login. See toopher here: https://www.toopher.com/


How about retinal patterns?



Nah. That can be defeated by cutting out someone's eyeball.



We will have to start using thumb prints, by the by.

Or start using complex, lengthy, pseudo-random passwords: k,Fm.n2#$K09ghg(y3g5A2u0#@rjD98j'f

Good luck brute-forcing that, ya bastards.

I'm reminded of a scene in Shoot'Em Up in which Clive Owen cuts off a guy's hand so as to use the thumbprint scanner on the guy's gun, in order to shoot the gun.


In Star Trek they have technology that can instantly read your DNA and identify you by your DNA.

We just watched an Enterprise Season 4 episode where the Vulcan High Command attempted to frame a religious fundamentalist by placing at the scene of the crime the DNA they took and stored when she was a baby. (All Vulcans are so registered. Fortunately, Doctor Phlox had a way to see that it was baby DNA, not grown-up DNA.)

Or start using complex, lengthy, pseudo-random passwords: k,Fm.n2#$K09ghg(y3g5A2u0#@rjD98j'f

Good luck brute-forcing that, ya bastards.

But how do you remember that?

If you read the Comments in the ArsTechnica story, you will see that many people had their favorite work-arounds and many others told them why those would not actually work around... It is said that no one can make a good code or cipher who is not good at breaking them.

I worked a project where we were assigned misspelled passwords like "StadueOvLibertee".

You have to ask yourself who you are hiding from. The ArsTechnica article reminds you that this is a private hobbyist's effort. The NSA is even better -- if you believe that they are. I mean, the Atlas Shrugged theory of the muscle-mystic is that they are enamored of brute force but lacking true intelligence. Jacob Bronowski made the same point in The Ascent of Man.



A pseudo-random sequence will vanquish this. Unfortunately it is a pain in the arse to type in a password 40 characters long, but that will beat the superfast password crackers. There are over 4.5 x 10^57 such passwords. It would require a computer that can do 30 billion a second 10^27 seconds to crack 40-character passwords.

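The arithmetic in the post above, worked through as an added example (it is not code from any post in this thread or from the Ars Technica article). It takes two figures from the thread as given, the article's 30 billion guesses per second and the 95 printable ASCII characters, and puts a brute-force search of 8- and 40-character random passwords next to the thing the article's crackers actually do, which is walk a phrase list. The one-billion-entry list size is an assumption chosen for illustration, and the duration formatting is mine.

```python
import math

# Figures taken from the thread: the Ars Technica rig's guess rate against
# unsalted MD5/NTLM-class hashes, and the 95 printable ASCII characters
# (upper/lower case, digits, shifted digits, keyboard symbols, space).
GUESSES_PER_SECOND = 30e9
PRINTABLE_ASCII = 95
LOWERCASE = 26


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of that length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to brute-force the whole keyspace at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate


def seconds_to_exhaust_list(entries: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every entry of a phrase list at `rate` guesses/s."""
    return entries / rate


def describe(seconds: float) -> str:
    """Human-readable duration for the table printed below."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.3g} s"
    if seconds < year:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    cases = [
        ("8 random printable chars", PRINTABLE_ASCII, 8),
        ("40 random printable chars (post above)", PRINTABLE_ASCII, 40),
        ("26 lowercase letters, brute-forced", LOWERCASE, 26),
    ]
    for label, alpha, n in cases:
        print(f"{label:42} {entropy_bits(alpha, n):7.1f} bits  "
              f"{describe(seconds_to_exhaust(alpha, n))}")
    # "givemelibertyorgivemedeath" is 26 lowercase letters, but it is one entry
    # in a phrase list; a list of one billion phrases (assumed size) is
    # exhausted at the article's rate in a fraction of a second.
    entries = 10 ** 9
    print(f"{'1e9-entry phrase list':42} {math.log2(entries):7.1f} bits  "
          f"{describe(seconds_to_exhaust_list(entries))}")
```

The point the table makes is the one the article makes: length only buys time when the characters are actually random. Eight random printable characters already take the quoted rig days, forty take longer than the universe has existed, while a 26-letter patriotic phrase costs the attacker one list entry.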

Yes, as Kyle pointed out in Number 6. If you read the article from Ars Technica (and they have a couple more in the archives) just a true random eight characters based on the common 128 (no alt-codes, no control codes like backspace or form feed), just the Upper and Lower Case Letters, the Number 1 to 0 and their Shifted characters, and the common keyboard symbols from ~ and ` down to / and ?, the problem is computationally difficult (not impossible). 8^100 is 2 * 10^90. (2.037... e+90).

The thing is that people use words and phrases and phrase-like strings of word-like sets. To attack those, the cracker compiled a huge database of words and phrases. The database lookup is computationally faster and conceptually more elegant. Consider the Original Post here. How many libertarians do you think have "givemelibertyorgivemedeath" for their supposedly unbreakable password? You just go to your favorite patriotic blog, download the list of usernames and write a script to log in with that password once all the way down the list. You might find 50 accounts that way.

But what would you do with them?

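A phrase-list attack of the kind the article and the post above describe, as an added example: this is not code from the article, from the crackers it names, or from anyone in this thread. The corpus lines and the "leaked" hashes are constructed for the demonstration (the hashes are derived in the script from known plaintexts so the result checks itself), and the candidate rules are a small hand-picked subset of what a real cracking run would apply. Unsalted MD5 is used because that is the hash type of the Militarysingles.com leak quoted in the first post.

```python
import hashlib
import re

# Constructed corpus: a few lines of the kind the article says crackers mine
# (scripture, speeches, plays, proverbs). Not data from any real cracking run.
CORPUS = [
    "Give me liberty, or give me death!",
    "In the beginning God created the heaven and the earth.",
    "To be, or not to be, that is the question.",
    "A penny saved is a penny earned.",
]

SUFFIXES = ("", "1", "!", "123")


def md5_hex(text: str) -> str:
    """Unsalted MD5 digest as hex, the hash type of the leak quoted in the thread."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def phrase_candidates(line: str):
    """Yield password guesses derived from one corpus line.

    Rules (a small, constructed subset of a real rule set): every prefix run of
    two or more words, spaced or run together, in original, lower and upper
    case, with a few common suffixes appended. The full phrase is the longest run.
    """
    words = re.findall(r"[A-Za-z0-9]+", line)
    for k in range(2, len(words) + 1):
        run = words[:k]
        for form in (" ".join(run), "".join(run)):
            for cased in {form, form.lower(), form.upper()}:
                for suffix in SUFFIXES:
                    yield cased + suffix


def crack(hashes, corpus):
    """Return {hash: plaintext} for every target hash recovered from the corpus.

    Because the hashes are unsalted, one MD5 per candidate is checked against
    every target at once; that set lookup is what makes the attack so cheap.
    """
    targets = set(hashes)
    found = {}
    for line in corpus:
        for cand in phrase_candidates(line):
            digest = md5_hex(cand)
            if digest in targets and digest not in found:
                found[digest] = cand
                if len(found) == len(targets):
                    return found
    return found


# Constructed "leak": three phrase-derived passwords and the random string
# posted earlier in this thread. The hashes are computed here from the
# plaintexts purely so the demo is self-checking.
LEAKED_HASHES = [
    md5_hex("givemelibertyorgivemedeath"),
    md5_hex("Tobeornottobe!"),
    md5_hex("IN THE BEGINNING"),
    md5_hex("k,Fm.n2#$K09ghg(y3g5A2u0#@rjD98j'f"),
]


if __name__ == "__main__":
    recovered = crack(LEAKED_HASHES, CORPUS)
    for digest in LEAKED_HASHES:
        print(f"{digest}  {recovered.get(digest, '<not recovered>')}")
    print(f"{len(recovered)} of {len(LEAKED_HASHES)} hashes recovered")
```

Three of the four hashes fall to a four-line corpus and a handful of mangling rules; the random string from the thread survives because no corpus contains it. Two things the article's numbers depend on are visible in the code: the targets are unsalted, so one digest is compared against the whole leak at once, and MD5 is fast, which is why a per-user salt and a deliberately slow hash (bcrypt, scrypt, PBKDF2) are the defender's counterpart to the attacker's GPUs.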
