lacion

Your 8 char random password now means nothing

Recommended Posts

3 hours ago, CCWong said:

Any website worth their salt (this is a hashing pun) does not just store your password as a simple hash. Just look at Dropbox post-hack: [image: layers.png]

Your password gets hashed to a uniform length (more than 8 characters, btw), then it is hashed again with a salt, then it is encrypted with a global pepper.


This kind of brute forcing is only relevant if the service storing passwords is grossly incompetent, and if that is the case you were already screwed.

This wouldn't really affect hacking time though if the hacker was using a dictionary attack. Simply make your dictionary with all of the above encryption, hashes, etc. Right? Or am I missing something?

7 hours ago, corrado33 said:

This wouldn't really affect hacking time though if the hacker was using a dictionary attack. Simply make your dictionary with all of the above encryption, hashes, etc. Right? Or am I missing something?

To make an accurate dictionary for that particular stack, you'd have to know the pepper value, then you'd have to replicate the random salt that bcrypt uses to hash each password. That doesn't sound like it'd be particularly vulnerable to a dictionary attack to me, especially since the bcrypt salt+hash string is hashed with that unknown pepper value.


Well fudge. All websites now should update their minimum password requirements to be at least 10 random characters long, randomized, unique... Some don't even accept special characters. It's really frustrating.

On 2/14/2019 at 4:10 PM, Firewrath9 said:

That's why they have a cooldown after you guess a password. 3 seconds after every mistake = 0.3 H/s

this reminds me of something:

https://xkcd.com/936/

The cooldown is implemented when attempting to log in. If you have a password hash dump from that site you don't need to ping the site for every login attempt, you just need to guess the right combination of characters that will produce that hash and voilà.
On 2/14/2019 at 7:06 PM, lacion said:

The new benchmark for hashcat means that now the entire keyspace, or every possible combination of upper, lower, numbers and symbols of an 8-character password, can be guessed in 2.5 hours using 8x 2080 Tis. They can now do more than 100 GH/s with a single compute unit; for comparison, a 1080 Ti can't even do half of that.

[image: DzUWB8fXQAItycj.png]

This now means that it is within the realm of possibility that any attacker who gets his hands on any of the big site password leaks can churn through your hashed password and get it within days (or less depending on hardware) if you're using a perfectly random password; if you use a name or a word within your password, they can pretty much get it instantly.

So if you have a complex safe password of 8 characters or less, it is now time to go and change it everywhere, as it is no longer safe, especially given the latest password leaks (https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/).

source

The source code for this is now available on GitHub.

Jokes on them. I have 7000 alt accounts, and am in the middle of the customer list... change passwords every 2.49 hours... and shares in 2080tis that offer great hash performance! ;)

7 hours ago, CookieSmasherGus said:

Well fudge. All websites now should update their minimum password requirements to be at least 10 random characters long, randomized, unique... Some don't even accept special characters. It's really frustrating.

Or longer/bigger hashes? Or does this not work? IIRC even quantum computing style hacks can be hardened against. You just have to know what your opponent's processing power/scope is, and plan for that.

On 2/15/2019 at 2:37 AM, williamcll said:

You know what's going to be the worst?
Bank PIN numbers

Some banks accept 6 or more digits as a PIN. IIRC the only way to test is to... try and see when changing a PIN.


Can't this get worse over time, seeing that the hashing power (and with that, the decryption capabilities) of "current" hardware tends to increase with each generation? Increasing password length is going to become a temporary solution in due time. Time to abandon human-entered passwords...

Posted · Original PosterOP
11 hours ago, TopHatProductions115 said:

Can't this get worse over time, seeing that the hashing power (and with that, the decryption capabilities) of "current" hardware tends to increase with each generation? Increasing password length is going to become a temporary solution in due time. Time to abandon human-entered passwords...

There is no solution that's 100% secure. That's not possible as of today.

The most secure systems mostly rely on key rotation; the more frequent the key rotation is, the more secure the data is. Sometimes key rotation happens partitioned, meaning data is fragmented and encrypted with different keys, minimizing exposure in case of a breach. But a breach will always be a scenario in any secure system.

Posted · Original PosterOP
3 hours ago, TopHatProductions115 said:

@lacion That solution seems viable. Is there a way to do this (in an automated fashion) for most common online services?

As far as I know, there is no easy way to do this with websites. If by services you mean SaaS like cloud providers or API providers, there are ways to do this programmatically.

A known tool to do this is HashiCorp's Vault.

17 hours ago, TopHatProductions115 said:

Can't this get worse over time, seeing that the hashing power (and with that, the decryption capabilities) of "current" hardware tends to increase with each generation? Increasing password length is going to become a temporary solution in due time. Time to abandon human-entered passwords...

Increasing password length isn't the only solution; you can also increase the compute time of the hashing algorithm. While it may seem like delaying the inevitable, complexity can be increased exponentially. For this to be a problem there also needs to be a leak, which means you'll probably be alerted and change your password in time.
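The layered storage described earlier in the thread (pre-hash to a fixed length, then a salted slow hash, then a layer keyed by a global pepper) and the point made here about raising the compute cost can both be shown in one small piece of code. This is an added example, not code from the thread or from Dropbox: it uses only the Python standard library, so PBKDF2-HMAC stands in for bcrypt as the salted slow hash and an HMAC keyed with the pepper stands in for the AES encryption layer. The pepper value, the iteration counts and the sample password are constructed for the demo.

```python
# Added example, not from the thread: a salted, peppered, tunable-cost password
# store. Standard library only, so PBKDF2-HMAC replaces bcrypt and an HMAC keyed
# with the pepper replaces the AES layer described for Dropbox (assumptions).
import hashlib
import hmac
import os
import time

def hash_password(password: str, pepper: bytes, iterations: int = 200_000) -> dict:
    """Return a storable record: per-password salt, cost, and peppered tag."""
    # Layer 1: pre-hash to a fixed length, so the slow hash sees uniform input.
    prehash = hashlib.sha512(password.encode("utf-8")).digest()
    # Layer 2: salted slow hash. A fresh random salt means two users with the
    # same password get different outputs, and a precomputed table is useless.
    salt = os.urandom(16)
    slow = hashlib.pbkdf2_hmac("sha256", prehash, salt, iterations)
    # Layer 3: key the result with a pepper held outside the database. Without
    # the pepper a leaked record cannot be checked against guesses at all.
    tag = hmac.new(pepper, slow, "sha256").digest()
    return {"salt": salt.hex(), "iterations": iterations, "tag": tag.hex()}

def verify_password(password: str, pepper: bytes, record: dict) -> bool:
    """Recompute the three layers from the stored salt and cost, compare in constant time."""
    prehash = hashlib.sha512(password.encode("utf-8")).digest()
    slow = hashlib.pbkdf2_hmac(
        "sha256", prehash, bytes.fromhex(record["salt"]), record["iterations"]
    )
    tag = hmac.new(pepper, slow, "sha256").digest()
    return hmac.compare_digest(tag, bytes.fromhex(record["tag"]))

def measure_cost(iterations: int, pepper: bytes = b"x") -> float:
    """Seconds one verification takes at a given cost; the knob the post talks about."""
    record = hash_password("timing probe", pepper, iterations)
    start = time.perf_counter()
    verify_password("timing probe", pepper, record)
    return time.perf_counter() - start

if __name__ == "__main__":
    PEPPER = b"constructed-demo-pepper-keep-out-of-the-db"  # assumption: normally from a KMS/env
    rec_a = hash_password("correct horse battery staple", PEPPER, 50_000)
    rec_b = hash_password("correct horse battery staple", PEPPER, 50_000)
    print("same password, different stored tags:", rec_a["tag"] != rec_b["tag"])
    print("right password + right pepper:", verify_password("correct horse battery staple", PEPPER, rec_a))
    print("right password, pepper unknown:", verify_password("correct horse battery staple", b"guess", rec_a))
    for n in (10_000, 100_000, 400_000):
        print(f"{n:>7} iterations: {measure_cost(n) * 1000:.1f} ms per check")
```

The iteration count is stored next to the salt, so it can be raised for new records (or on next login) as hardware gets faster without breaking existing ones. One trade-off of the HMAC substitution: because Dropbox's pepper layer is encryption, a pepper can be rotated by decrypting and re-encrypting the stored values, whereas the HMAC form here can only be re-keyed when the user next logs in.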


<Make me a sandwich.> <No! Make it yourself!> <Sudo make me a sandwich.> <FINE.> What is scaling and how does it work? Asus PB287Q unboxing! Console alternatives :D  CoC F.A.Q Beginner's Guide To LTT (by iamdarkyoshi)

Sauron'stm Product Scores:

Spoiler

Just a list of my personal scores for some products, in no particular order, with brief comments. I just got the idea to do them so they aren't many for now :)

Don't take these as complete reviews or final truths - they are just my personal impressions on products I may or may not have used, summed up in a couple of sentences and a rough score. All scores take into account the unit's price and time of release, heavily so, therefore don't expect absolute performance to be reflected here.

 

-Lenovo Thinkpad X220 - [8/10]

Spoiler

A durable and reliable machine that is relatively lightweight, has all the hardware it needs to never feel sluggish and has a great IPS matte screen. Downsides are mostly due to its age, most notably the screen resolution of 1366x768 and usb 2.0 ports.

 

-Apple Macbook (2015) - [Garbage -/10]

Spoiler

From my perspective, this product has no redeeming factors given its price and the competition. It is underpowered, overpriced, impractical due to its single port and is made redundant even by Apple's own iPad pro line.

 

-OnePlus X - [7/10]

Spoiler

A good phone for the price. It does everything I (and most people) need without being sluggish and has no particularly bad flaws. The lack of recent software updates and relatively barebones feature kit (most notably the lack of 5GHz wifi, biometric sensors and backlight for the capacitive buttons) prevent it from being exceptional.

 

-Microsoft Surface Book 2 - [Garbage - -/10]

Spoiler

Overpriced and rushed, offers nothing notable compared to the competition, doesn't come with an adequate charger despite the premium price. Worse than the Macbook for not even offering the small plus sides of having macOS. Buy a Razer Blade if you want high performance in a (relatively) light package.

 

-Intel Core i7 2600/k - [9/10]

Spoiler

Quite possibly Intel's best product launch ever. It had all the bleeding edge features of the time, it came with a very significant performance improvement over its predecessor and it had a soldered heatspreader, allowing for efficient cooling and great overclocking. Even the "locked" version could be overclocked through the multiplier within (quite reasonable) limits.

 

-Apple iPad Pro - [5/10]

Spoiler

A pretty good product, sunk by its price (plus the extra cost of the physical keyboard and the pencil). Buy it if you don't mind the Apple tax and are looking for a very light office machine with an excellent digitizer. Particularly good for rich students. Bad for cheap tinkerers like myself.

 

 

Link to post
Share on other sites

I use a random password generator I wrote (nothing special, I just wanted my own). I set it to the max length the website allows (often 24) and include all character types the website accepts. Then I just keep a hidden record of them.


So if it's not good enough that others don't know my passwords I don't even know what my passwords are.


It does bother me though that some websites don't accept special characters. That's all the reason to make them as long and random as possible.

Posted · Original PosterOP
On 2/21/2019 at 5:04 PM, Windows7ge said:

I use a random password generator I wrote (nothing special, I just wanted my own). I set it to the max length the website allows (often 24) and include all character types the website accepts. Then I just keep a hidden record of them.


So if it's not good enough that others don't know my passwords I don't even know what my passwords are.


It does bother me though that some websites don't accept special characters. That's all the reason to make them as long and random as possible.

AKA a password manager.


I wrote a bit of script to make my passwords; I just say how many characters I want and it spits them out. Simples.


I make intelligent lights do cool things

Link to post
Share on other sites

 

On 2/21/2019 at 10:54 AM, Sauron said:

you'll probably be alerted and change your password in time.

That's a bit of a bold statement to make given that breaches aren't always disclosed immediately (legally many US companies have, what, 30 days to disclose a breach?), if at all.

Overlap that with the fact that it's pretty easy to miss notice of a breach if you happen to not check the news for a couple days.


PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.

Link to post
Share on other sites

Luckily for me, all my passwords are a 20 character string. Still though, damn. Dat performance.


I like questing in RuneScape and think that Assassin's Creed 3 was a great game. I've got a Surface Book 2 15" yet I still proudly consider myself a PlayStation peasant. I have a Pixel 2 XL, and the camera on it is absolutely amazing. No regrets.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×