Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
lacion

Your 8 char random password now means nothing

Recommended Posts

13 minutes ago, colonel_mortis said:

but your LTT (blowfish) password is much more secure.

No wonder you're the keeper of the private keys... 馃槞

I'm not really that familiar with password encryption protocols other than salting and hashing a password but is the blowfish cipher for passwords the same some VPN providers use?

Edited by captain_to_fire

There is more that meets the eye
I see the soul that is inside

Link to post
Share on other sites

i still dont understand this nonesense of hashes and forcing bullshit

no website email or banks will accept 100GH/s of password attempts it will long block such attempts before you try even 100 passwords

its only valid for offline stuff like archives or maybe encrypted phones but not even that, how do you hack your phone to accept so many passwords attempts, im sure there is something missing here that i dont understand, you cant brute force anything online with a server login

unless they obtain server database of passwords and then use this hash hack?聽 which means none of your passwords was any safe if a hacker used a couple powerfull computers聽 even before 2080ti as long he had a database copy

Link to post
Share on other sites
Posted Original PosterOP
4 minutes ago, colonel_mortis said:

(Moved back to Tech News)

It's worth noting that this is specifically NTLM hashes, which means Windows passwords. Most websites will store your password using an algorithm like Blowfish, Argon2, or at least PBKDF2, which are all designed to resist brute force as much as possible. On my laptop (i7 6500U, integrated graphics) I get 235,000,000 H/s for NTLM, but only 131 H/s on Blowfish.

Your Windows password can be brute forced if someone obtains access to the password store file, but your LTT (blowfish) password is much more secure.

131H/s on blowfish is very slow, compared to for example聽https://www.netmux.com/blog/how-to-build-a-password-cracking-rig

they were getting 43551 H/s on 4 1070 GPU麓s聽 the article has a very long list of what was possible聽with that hardware and a lot of different algo麓s聽

Link to post
Share on other sites
8 minutes ago, colonel_mortis said:

(Moved back to Tech News)

It's worth noting that this is specifically NTLM hashes, which means Windows passwords. Most websites will store your password using an algorithm like Blowfish, Argon2, or at least PBKDF2, which are all designed to resist brute force as much as possible. On my laptop (i7 6500U, integrated graphics) I get 235,000,000 H/s for NTLM, but only 131 H/s on Blowfish.

Your Windows password can be brute forced if someone obtains access to the password store file, but your LTT (blowfish) password is much more secure.

1 minute ago, lacion said:

131H/s on blowfish is very slow, compared to for example聽https://www.netmux.com/blog/how-to-build-a-password-cracking-rig

they were getting 43551 H/s on 4 1070 GPU麓s聽 the article has a very long list of what was possible聽with that hardware and a lot of different algo麓s聽

I persoanlly use聽hootie


muh specs聽

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k-聽4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0 聽ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor聽XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't聽remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3聽聽ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it.聽

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff.聽

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf-聽i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch

Link to post
Share on other sites
1 minute ago, yian88 said:

i still dont understand this nonesense of hashes and forcing bullshit

no website email or banks will accept 100GH/s of password attempts it will long block such attempts before you try even 100 passwords

its only valid for offline stuff like archives or maybe encrypted phones but not even that, how do you hack your phone to accept so many passwords attempts, im sure there is something missing here that i dont understand, you cant brute force anything online with a server login

unless they obtain server database of passwords and then use this hash hack?聽 which means none of your passwords was any safe if a hacker used a couple powerfull computers聽 even before 2080ti as long he had a database copy

It has been said multiple times in this thread that this has nothing to do with hacking into phones or such or online-services: you have surely heard of all these big breaches of all sorts of big websites? The hackers obtain copies of the password-databases and such, then they work offline on those databases, trying to turn the password-hashes into the actual passwords, so they can then be used.

Also, the claim that those password were never any safe is just wrong: cracking e.g. a 10-character random password hashed with bcrypt would take thousands of years even on extremely powerful hardware. It's all about the cipher that was used to make the hash -- you can have literal supercomputers work at it, but if the cipher is strong and the password is a long, random one, there is no way of obtaining the password in any sort of a reasonable amount of time.


Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody鈥檚 pocket.

Link to post
Share on other sites
7 minutes ago, captain_to_fire said:

No wonder you're the keeper of the private keys... 馃槞

I'm not really that familiar with password encryption protocols other than salting and hashing a password but is the blowfish cipher for passwords the same some VPN providers use?

VPN-providers don't encrypt the on-the-fly data with your password, that'd be idiotic. It's an entirely different mechanism at play there.


Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody鈥檚 pocket.

Link to post
Share on other sites
18 minutes ago, captain_to_fire said:

No wonder you're the keeper of the private keys... 馃槞

I'm not really that familiar with password encryption protocols other than salting and hashing a password but is the blowfish cipher for passwords the same some VPN providers use?

Blowfish is a very popular (and still considered strong) password hashing algorithm, so it's fairly likely that some VPN providers will use it for storing your password. The hash algorithm only protects against someone accessing accounts after compromising the database - the actual data transferred will be encrypted using a symmetric cipher, almost certainly AES.

16 minutes ago, lacion said:

131H/s on blowfish is very slow, compared to for example聽https://www.netmux.com/blog/how-to-build-a-password-cracking-rig

they were getting 43551 H/s on 4 1070 GPU麓s聽 the article has a very long list of what was possible聽with that hardware and a lot of different algo麓s聽

Yeah, I ran that on my low power laptop. The point is how much slower Blowfish is than NTLM. Even at 43551 H/s, it would take >25 days to brute force an 8 character entirely lower case password, and >3 million years 2.5 millenia to brute force an 8 character mixed upper/lower/numeric password.

Edited by colonel_mortis
Got my maths wrong

I don't work for Floatplane Media, so any Floatplane comments that I make are my own and may be incorrect or in conflict with the official view.

For Floatplane support, please use the wizard linked in this topic

Link to post
Share on other sites
Posted Original PosterOP
3 minutes ago, colonel_mortis said:

Blowfish is a very popular (and still considered strong) password hashing algorithm, so it's fairly likely that some VPN providers will use it for storing your password. The hash algorithm only protects against someone accessing accounts after compromising the database - the actual data transferred will be encrypted using a symmetric cipher, almost certainly AES.

Yeah, I ran that on my low power laptop. The point is how much slower Blowfish is than NTLM. Even at 43551 H/s, it would take >25 days聽to brute force an 8 character entirely lower case password, and >3 million years to brute force an 8 character mixed upper/lower/numeric password.

that is correct, but maybe missing a bit on the advancements of the last 2/3 years here.

if you see the official hashcat聽benchmarks, they were doing about 13000 H/s with 8 1080 a few years ago, the link above was on 43000 H/s with 4 1070, i just ran the benchmark locally on my 2080ti and am getting 40000 H/s with a single card. on hashcat聽5.x without the new branch making use of the new tensor cores on the rtx series cards. and 2080ti is a lot cheaper than a tesla聽card or a Quadro meaning having farms of this thing churning hashes just became a lot more cheaper.

Link to post
Share on other sites
1 minute ago, colonel_mortis said:

The point is how much slower Blowfish is than NTLM. Even at 43551 H/s, it would take >25 days to brute force an 8 character entirely lower case password, and >3 million years to brute force an 8 character mixed upper/lower/numeric password.

You keep ninjaing what I was just about to write 馃槣 I was about to say that with just the English alphabet, upper- and lowercase, and a couple of special characters, for 56 different characters per position, a 10-character password would have 303305489096114176 different combinations -- with 43551 H/s speed, that'd be about 6964374850086 seconds, 116072914168 minutes, 1934548569 hours, 80606190 days, 2686873 months, 223906 years, 22390 decades, 2239 centuries or 224 millenniums.

Even a ten-fold speed-increase would be nothing.


Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody鈥檚 pocket.

Link to post
Share on other sites
1 hour ago, lacion said:

the new benchmark for hashcat聽means that now聽the entire keyspace or every possible combination of upper, lower,聽numbers, symbols of an 8 character password can be guessed in 2.5 hours using x8 2080 ti麓s

1

Let's assume that a hacker got access to a database and got all login and passwords (hashed).

I assume the 2,5 are needed for every cracking every single password since the hacker doesn麓t know the hash function? Or does the know enough after a few cracked passwords so he doesn麓t need to crack the rest with brute force?

We recently had a class about security but I forgot to ask this question. I think I gotta visit his office because it interests me.

Link to post
Share on other sites
19 minutes ago, Teddy07 said:

Let's assume that a hacker got access to a database and got all login and passwords (hashed).

I assume the 2,5 are needed for every cracking every single password since the hacker doesn麓t know the hash function? Or does the know enough after a few cracked passwords so he doesn麓t need to crack the rest with brute force?

For any good cipher, every single password-hash is completely separate from the others; cracking one password doesn't speed up the cracking of the other passwords, so each and every single hash has to be cracked separately. There are also less-good ciphers, like NTLM, where this doesn't entirely apply.


Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody鈥檚 pocket.

Link to post
Share on other sites
6 minutes ago, Teddy07 said:

Let's assume that a hacker got access to a database and got all login and passwords (hashed).

I assume the 2,5 are needed for every cracking every single password since the hacker doesn麓t know the hash function? Or does the know enough after a few cracked passwords so he doesn麓t need to crack the rest with brute force?

We recently had a class about security but I forgot to ask this question. I think I gotta visit his office because it interests me.

It is always assumed that the attacker knows the hash function. It wouldn't be hard to find out what hash function it is - if your own password is included in the dump, just hash your password under a bunch of hash functions until you get a match.

For the specific hash function discussed here, NTLM (the Windows password hash algorithm), there is no salt. This means that the attacker doesn't have to target any specific user - they just calculate the hash of each 8 character password, and see whether any users match that.

For a more secure hash function, such as blowfish (used by LTT), each password has a unique salt added, which means the attacker has to brute force the password for each user individually. If two users have the same password, the hashes will be different because the salts were different. If that were the case for NTLM, it would take 2.5 hours per user. For blowfish, the time taken to brute force every 8 upper/lower/numeric character password is measured in millennia, and that is per hash to be cracked.

In theory, and in practice for the hash functions that are used for passwords, the attacker learns nothing about hash(A) by computing hash(B), for any A 鈮 B. This means that they have no choice but to brute force if they want to crack the hash.


I don't work for Floatplane Media, so any Floatplane comments that I make are my own and may be incorrect or in conflict with the official view.

For Floatplane support, please use the wizard linked in this topic

Link to post
Share on other sites

this is pretty interesting news tbh


I spent $2500 on building my PC and all i do with it is聽play聽MTGA &聽watch聽anime at 720p...

Builds:

The Toaster Project!Northern Bee!The Cassette Deck!

The original LAN PC build log!聽(Old, dead and replaced by The Toaster Project & 5.0)

Spoiler

"Here is some advice that might have gotten lost somewhere along the way in your life.聽

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut;聽and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

Follow these simple rules in life, and I promise you, things magically get easier. " -聽MageTank聽31-10-2016

Link to post
Share on other sites
2 minutes ago, colonel_mortis said:

For a more secure hash function, such as blowfish (used by LTT), each password has a unique salt added, which means the attacker has to brute force the password for each user individually. If two users have the same password, the hashes will be different because the salts were different. If that were the case for NTLM, it would take 2.5 hours per user. For blowfish, the time taken to brute force every 8 upper/lower/numeric character password is measured in millennia, and that is per hash to be cracked..

2

Ah right the salt but this also causes the problem where to safely store the salt. If someone has access to the database then the salt is at risk too.聽

3 minutes ago, colonel_mortis said:

if your own password is included in the dump, just hash your password under a bunch of hash functions until you get a match.

ok, but the hacker would only know if the hash function is correct in his case? I mean he would have to test it for a ton of cases to be sure?

Thanks for your informative post 鉂わ笍

Link to post
Share on other sites
1 minute ago, Teddy07 said:

Ah right the salt but this also causes the problem where to safely store the salt. If someone has access to the database then the salt is at risk too.聽

The salt is assumed to be known to the attacker too, and is stored along with the hash in the database. The salt just exists to make Hcolonel_mortis(r00t) 鈮 HTeddy07(r00t), so the attacker has to brute force each user (or technically each salt, but the salt should be sufficiently random that no two users have the same salt) separately.

1 minute ago, Teddy07 said:

ok, but the hacker would only know if the hash function is correct in his case? I mean he would have to test it for a ton of cases to be sure?

Thanks for your informative post 鉂わ笍

In the standard format for storing hashes, the hash algorithm is actually encoded with the hash, so that even if the hash algorithm used for new passwords has been changed, you can easily know which hash function to use to check the password.

The hash function is assumed to be public knowledge - the only thing that protects the password is the fact that actually computing the hash function, to brute force the password, is intentionally very computationally hard. If it takes 10,000 years to try all of the hash combinations for one salt, there's no way to precompute a table of hashes for all salts either (and to make the hashes practical to store, you need to use a datastructure like a Rainbow Table, which requires lots more uses of the hash function, making it even less possible).

However, assuming they don't know the hash function, they can be pretty sure that they have found the correct hash function as soon as they find one that produces a matching output - the probability of any given hash function producing a given output for a given input is 2-128, or 0.000000000000000000000000000000000000003%.


I don't work for Floatplane Media, so any Floatplane comments that I make are my own and may be incorrect or in conflict with the official view.

For Floatplane support, please use the wizard linked in this topic

Link to post
Share on other sites
35 minutes ago, colonel_mortis said:

...

I soon participate in an exam about operating systems where hashing is a small part in the security chapter. You helped me to better understand the topic because I had a few fallacies. So thank you very much 馃榾

Starting to learn tomorrow :)

Link to post
Share on other sites

*looks at my youtube channel*

*realizes the password is easy to guess*

*realizes it鈥檚 my password for everything*

Spoiler

Well shit


I took a walk around the world to Ease my troubled mind I left my body lying somewhere In the sands of time I watched the world float to the dark Side of the moon I feel there is nothing I can do, yeah聽I watched the world float to the Dark side of the moon After all I knew it had to be something To do with you I really don't mind what happens now and then As long as you'll be my friend at the end聽If I go crazy then will you still Call me Superman If I'm alive and well, will you be There holding my hand I'll keep you by my side with My superhuman might Kryptonite聽You called me strong, you called me weak But still your secrets I will keep You took for granted all the times Never let you down You stumbled in and bumped your head, if Not for me then you'd be dead I picked you up and put you back On solid ground聽If I go crazy then will you still Call me Superman If I'm alive and well, will you be There holding my hand I'll keep you by my side with My superhuman might Kryptonite Oh whoa whoa聽If I go crazy then will you still Call me Superman If I'm alive and well, will you be There holding my hand I'll keep you by my side with My superhuman might Kryptonite聽If I go crazy then will you still Call me Superman If I'm alive and well, will you be There holding my hand I'll keep you by my side with My superhuman might Kryptonite

Link to post
Share on other sites

I'm more worried about my wifi honestly, since this kind of attack is common for WPA

Well I changed the password to a 16 long with special characters in it, I should be safe until the RTX 19999 Ti

Link to post
Share on other sites
2 hours ago, colonel_mortis said:

(Moved back to Tech News)

It's worth noting that this is specifically NTLM hashes, which means Windows passwords. Most websites will store your password using an algorithm like Blowfish, Argon2, or at least PBKDF2, which are all designed to resist brute force as much as possible. On my laptop (i7 6500U, integrated graphics) I get 235,000,000 H/s for NTLM, but only 131 H/s on Blowfish.

Your Windows password can be brute forced if someone obtains access to the password store file, but your LTT (blowfish) password is much more secure.

another important note is that Active Directory uses Kerberos rather than NTLM, which is also much more secure.

So the applications of this are actually pretty limited either requiring an attacker to have physical access to your machine, or some very sophisticated malware that'd likely be caught and patched or at least dumped into AV databases sooo quickly...

I don't think anyone has reason to worry, really.

MS should probably deprecate NTLM for local device users though


"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

"A redline a day keeps depression at bay" - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.4 GHz聽- Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 and 2 x Seagate ST2000DM006聽(in RAID 0 for games!) - The good old Corsair GS700 - Yamakasi Catleap 2703 27" 1440p and ASUS VS239H-P 1080p聽23" - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1

Avid Miata autocrosser :D

Link to post
Share on other sites
2 hours ago, Cyracus said:

(someone did it to Linus a while back)

The 2 step Linus used then was from my knowledge 2 step codes over SMS that the hacker got. Not 2 step via an app.

The hacker called whoever company owns his SIM card, and got them to send the hacker a new SIM card that had his(Linus) number(was easier than it should have been). Hacker just put it in a phone and voila, the hacker got the codes over SMS that went to that number.

Edit: fixed typo and made it easier to understand


鈥淩emember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at.聽
It matters that you don't just give up.鈥

-Stephen Hawking

Link to post
Share on other sites
1 minute ago, Mihle said:

The 2 step Linus used then was from my knowledge 2 step codes over SMS that the hacker got. Not 2 step via an app.

The hacker called whoever company owns the sun card, and for them to send the hacker a new SIM card (was easier than it should have been). Hacker just put it in a phone and voila, the hacker got the codes over SMS that went to that number.

ah, gotta love social engineering. So terrifying


"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

"A redline a day keeps depression at bay" - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.4 GHz聽- Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 and 2 x Seagate ST2000DM006聽(in RAID 0 for games!) - The good old Corsair GS700 - Yamakasi Catleap 2703 27" 1440p and ASUS VS239H-P 1080p聽23" - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1

Avid Miata autocrosser :D

Link to post
Share on other sites
50 minutes ago, Mihle said:

The 2 step Linus used then was from my knowledge 2 step codes over SMS that the hacker got. Not 2 step via an app.

This is why Linus is now using a U2F key to sign in through his email. I don鈥檛 know why Linus didn鈥檛 filed a litigation against his wireless carrier for reactivating his old SIM card.聽


There is more that meets the eye
I see the soul that is inside

Link to post
Share on other sites
2 hours ago, colonel_mortis said:

(Moved back to Tech News)

It's worth noting that this is specifically NTLM hashes, which means Windows passwords. Most websites will store your password using an algorithm like Blowfish, Argon2, or at least PBKDF2, which are all designed to resist brute force as much as possible. On my laptop (i7 6500U, integrated graphics) I get 235,000,000 H/s for NTLM, but only 131 H/s on Blowfish.

Your Windows password can be brute forced if someone obtains access to the password store file, but your LTT (blowfish) password is much more secure.

I came to say this.聽 Not all passwords are hashed using the same algorithm.聽

Plus, pre-computing rainbow tables for 8 characters is quite feasible, so 8 character long passwords have been pretty insecure for a while.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now