gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
75314 Posts in 13188 Topics by 2636 Members - Latest Member: falcogiallo August 21, 2017, 06:41:34 am
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
gfx
gfxgfx
 

Author Topic: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”  (Read 711 times)

0 Members and 1 Guest are viewing this topic.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Quote
The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456," "1234567," and "password" are there, as is "letmein," "Destiny21," and "pizzapizza." Passwords of this ilk are hopelessly weak. Despite the additional tweaking, "p@$$word," "123456789j," "letmein1!," and "LETMEin3" are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. ":LOL1313le" is in there, as are "Coneyisland9/," "momof3g8kids," "1368555av," "n3xtb1gth1ng," "qeadzcwrsfxv1331," "m27bufford," "J21.redskin," "Garrett1993*," and "Oscar+emmy2."

As big as the word lists that all three crackers in this article wielded—close to 1 billion strong in the case of Gosney and Steube—none of them contained "Coneyisland9/," "momof3g8kids," or the more than 10,000 other plains that were revealed with just a few hours of effort. So how did they do it? The short answer boils down to two variables: the website's unfortunate and irresponsible use of MD5 and the use of non-randomized passwords by the account holders.

"These are terrible passwords," radix, who declined to give his real name, told Ars just a few minutes into run one of his hour-long cracking session. "There's probably not a complexity requirement for them. The hashing alone being MD5 tells me that they really don't care about their passwords too much, so it's probably some pre-generated site."

Like SHA1, SHA3, and most other algorithms, MD5 was designed to convert plaintext into hashes, also known as "message digests," quickly and with a minimal amount of computation. That works in the favor of crackers. Armed with a single graphics processor, they can cycle through more than eight billion password combinations each second when attacking "fast" hashes. By contrast, algorithms specifically designed to protect passwords require significantly more time and computation. For instance, the SHA512crypt function included by default in Mac OS X and most Unix-based operating systems passes text through 5,000 hashing iterations. This hurdle would limit the same one-GPU cracking system to slightly less than 2,000 guesses per second. Examples of other similarly "slow" hashing algorithms include bcrypt, scrypt, and PBKDF2.

The other variable was the account holders' decision to use memorable words. The characteristics that made "momof3g8kids" and "Oscar+emmy2" easy to remember are precisely the things that allowed them to be cracked. Their basic components—"mom," "kids," "oscar," "emmy," and numbers—are a core part of even basic password-cracking lists. The increasing power of hardware and specialized software makes it trivial for crackers to combine these ingredients in literally billions of slightly different permutations. Unless the user takes great care, passwords that are easy to remember are sitting ducks in the hands of crackers.

What's more, like the other two crackers profiled in this article, radix didn't know where the password list was taken from, eliminating one of the key techniques crackers use when deciphering leaked hashes. "If I knew the site, I would go there and find out what the requirements are," he said. The information would have allowed radix to craft custom rule sets targeted at the specific hashes he was trying to crack.

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
This seems a rather long winded way of explaining how attackers hit a target site with an exploit of some sort to gather the password database then use the sites application specific method of password generation to generate a set of hashes for every dictionary word (and variants that are popular) then simply compare the dictionary hashes against the hashes obtained from the exploit to pick out the low hanging fruit first.

This method is well known and old so I suppose the only real difference is the speed of doing this as a brute force attack rather than simply sticking to a pre selected set of words to hash.

Most sites will stop a direct blind attack by limiting the amount of guesses against folks accounts so its vital for an attacker to have the password database.

This is also another reason to use diff passwords for different sites.

Offline DaBees-Knees

  • WMW Team
  • *****
If you are Dyslexic and numerically retarded that fools em.  :lol:

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
 

gfxgfx
gfx
©2005-2017 WinMXWorld.com. All rights reserved.
SMF 2.0.14 | SMF © 2017, Simple Machines
Page created in 0.035 seconds with 21 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!