Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
lacion

Your 8 char random password now means nothing

Recommended Posts

Posted · Original PosterOP

the new benchmark for hashcat means that now the entire keyspace or every possible combination of upper, lower, numbers, symbols of an 8 character password can be guessed in 2.5 hours using x8 2080 ti´s they now can do more than 100GH/s with a single compute unit, for comparison, a 1080ti can't even do half of that.

 

DzUWB8fXQAItycj.png

 

this now means that is within the realm of possibilities that any attacker that get his hands on any of the big site password leaks can churn you hashed password and get it within in days(or less depending on hardware) if your using a perfectly random password, if you use a name or a word within your password means they pretty much can get it instantly.

 

so if you have a complex save password of 8 characters or less is now time to go and change it everywhere as is no longer save especially given the latest password leaks (https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/)

source

the source code for this is now available on github

Link to post
Share on other sites
40 minutes ago, lacion said:

the new benchmark for hashcat means that now the entire keyspace or every possible combination of upper, lower, numbers, symbols of an 8 character password can be guessed in 2.5 hours using x8 2080 ti´s they now can do more than 100GH/s with a single compute unit, for comparison, a 1080ti can't even do half of that.

 

 

the source code for this is now available on github

Very cool. It's worth noting that the time to brute force a password goes up exponentially with length (simply because the number of possible combinations also increases exponentially). Complexity only helps a bit. That's why it's smart to have a long, memorable password with just a few non common substitutions (don't use $ for S) and a few punctuation points in there. 

 

For example: For an 8 character password only including upper and lower case letters (52 characters), that's 52 nPr 8 = 3E13 combinations. Add 10 symbols in there and that's 62 nPr 8 1.3E14 possible combinations.

 

Now, make the password 9 characters long and you get 52 nPr 9 1.33E15 possible combinations and 62 nPr 9 = 7.36E15

 

So a 9 character password that has no special characters is better than an 8 character password with special characters.

 

EDIT: It's also worth noting that using words and sentences, as mentioned in the XKCD may not be entirely safe either. Words can be treated as "units" so instead of saying that a 9 character word is 9 pieces of complexity, it can be treated as 1. A 4 word password can be cracked the same way a 4 character password could with a dictionary attack. (Although words are more secure because there are more of them...)

 

Best advice: Use a memorable combination of words that's long but also has random symbols sprinkled throughout. E.G. Ca#_1UMP;Ov@r[Mo0NN

Cat Jump Over MooNN, easy to remember, then you just need to remember "pound for t, 1 for J (or just remember it as "lump" and laugh every time), the ";" then "Ovar" with @ and a 0 for the 2nd 'o' and double Ns.

 

EDIT: I played around with this once. Remember the game "Balloons tower defense?" Well I wanted to calculate the order to buy buildings to make the most money in the end-game. So I brute forced every action the player could take in relation to a certain building (the farms). Basically the player could either buy another farm, upgrade existing farms, or sell farms. I let this play out for 40 moves. 

 

When I let the program run.... it eventually came up with a 20 GB text file. Yes, you read that correctly. A 20..... GB.... text file. I had to find a program to even open the damn thing let alone read it. (Vim works great for large files btw). Eventually, by including more strict conditions, (like not allowing the player to buy a farm then immediately sell it.) I got the file down to something more manageable (like 7 GB or so), then I ran my analysis program on it to determine which combination of moves was the best. That took all night, but eventually I solved it, and it made me so happy. But the scale of the whole project just amazed me. These dictionaries for passwords can be freaking MASSIVE. Turns out the answer was exactly the strategy that most people in the game already used. But I got  a lot of similar strategies so I was still happy.

Link to post
Share on other sites

thats why they have a cooldown after you guess a password. 3 seconds after every mistake = .3H/s

 

this reminds me of something:

https://xkcd.com/936/


PC (Main)

 

CPU: i5-8400 CPU Cooler: Cryorig M9 Plus   Motherboard: Gigabyte B360M DS3H | RAM: Crucial Ballistix Sport 2x8 DDR4-2400

 Boot/OS SSD: Inland 480GB SSD | Video Card: RX 570 4GB Strix OC | Case: Fractal Design Meshify C White TG (11/10) PSU: EVGA SuperNOVA G3 750

Monitor: Sceptre 24" 1080p 75hz

 

NAS:

Synology DS418J w/ 4x WD Red Pro 6TB RAID 10 (used 7.3/12TB)

 

Phone/Tablet:

iPhone 8 64GB iPad Mini 4 128GB

 

Laptops:

Dell XPS 15 9570 i7-8750H + 1050 ti + 20GB ram (16+4) + 1TB EX920 SSD

 

My old computers:

Athlon x64 + R9600 Pro 256MB Core 2 Quad Q8400 @ 3.4ghz + GTX 275 | i5-3570k @ 4.4ghz + GTX 670

Link to post
Share on other sites
Posted · Original PosterOP
2 minutes ago, Firewrath9 said:

thats why they have a cooldown after you guess a password. 3 seconds after every mistake = .3H/s

 

this reminds me of something:

https://xkcd.com/936/

that's an online attack, this is an offline attack if the attackers have the hash of the password they can simply churn it on their local computer.

Link to post
Share on other sites
4 minutes ago, Firewrath9 said:

thats why they have a cooldown after you guess a password. 3 seconds after every mistake = .3H/s

 

this reminds me of something:

https://xkcd.com/936/

cooldowns dont apply, they have the whole database of passwords downloaded and run the crack on it...


MSI GX660 + i7 920XM @ 2.8GHz + GTX 970M + Samsung SSD 830 256GB

Link to post
Share on other sites

This can literally be neutralized simply by websites limiting the number of password tries to like 5 before you have to confirm your identity via e-mail, phone, etc. verification.


Ryzen 1600x @4GHz

Asus GTX 1070 8GB @1900MHz

16 GB HyperX DDR4 @3000MHz

Asus Prime X370 Pro

Samsung 860 EVO 500GB

Noctua NH-U14S

Seasonic M12II 620W

+ four different mechanical drives.

Link to post
Share on other sites
Posted · Original PosterOP
1 minute ago, Giganthrax said:

This can literally be neutralized simply by websites limiting the number of password tries to like 5 before you have to confirm your identity via e-mail, phone, etc. verification.

not really, this is an offline attack, not an online one, you will be out of luck if you happen to use one or more than the several big sites that have been breach recently. 

Link to post
Share on other sites
2 minutes ago, Giganthrax said:

This can literally be neutralized simply by websites limiting the number of password tries to like 5 before you have to confirm your identity via e-mail, phone, etc. verification.

That's not how it works. This assumes that the hackers went in and stole all of the (hopefully) encrypted password hashes. 

 

Once they have the hashes, they simply run their brute force program through the hashing mechanism (which is public) and eventually it finds the one that matches your hash, then they have your password. It's an offline attack. 

Link to post
Share on other sites

Dang it. 

 

I would hope that organizations like PayPal, amazon, etc. that have access to our credit card & PayPal info are protected against this, though?


Ryzen 1600x @4GHz

Asus GTX 1070 8GB @1900MHz

16 GB HyperX DDR4 @3000MHz

Asus Prime X370 Pro

Samsung 860 EVO 500GB

Noctua NH-U14S

Seasonic M12II 620W

+ four different mechanical drives.

Link to post
Share on other sites

I guess big sites could still fix this by automatically logging you off after some time passes (like PayPal does), and then also asking for a phone verification code every time you log in. 

 

This whole thing legit makes me uncomfortable. 


Ryzen 1600x @4GHz

Asus GTX 1070 8GB @1900MHz

16 GB HyperX DDR4 @3000MHz

Asus Prime X370 Pro

Samsung 860 EVO 500GB

Noctua NH-U14S

Seasonic M12II 620W

+ four different mechanical drives.

Link to post
Share on other sites

The thing that pisses me off is that all of my BANKING institutions have limitations on how long and complex my password can be. That pisses me off. I can understand not letting me use control characters or characters that will screw with the programming (as a programmer who has tried to parse song names with all sorts of characters in them, I know how much of a pain this is.), but for the love of christ let me make it as long as I want.

Link to post
Share on other sites
Just now, Giganthrax said:

I guess big sites could still fix this by automatically logging you off after some time passes (like PayPal does), and then also asking for a phone verification code every time you log in. 

 

This whole thing legit makes me uncomfortable. 

That's exactly what 2 factor ID is. If the website sees that you're signing in from a different geographical local or a different device, it asks you to authenticate using your phone or e-mail. 

Link to post
Share on other sites
7 minutes ago, corrado33 said:

The thing that pisses me off is that all of my BANKING institutions have limitations on how long and complex my password can be. That pisses me off. I can understand not letting me use control characters or characters that will screw with the programming (as a programmer who has tried to parse song names with all sorts of characters in them, I know how much of a pain this is.), but for the love of christ let me make it as long as I want.

Do you want to know generically why?? 

 

With most older banks using mainframes as their primary source of transaction processing, there is something, some rule, or some limitation I remember learning about in college, that most passwords on the mainframe are only 8 characters. I think this comes from a time when the values were required to be 8 characters due to size or something. They are slowly improving this though however mostly on the back end for developers less so on the front end. At least that's what I've heard.

 

I could also be completely wrong. :)


Thanks!

 

Chris R.

Link to post
Share on other sites

If you don't use the same password everywhere you should be fine


Link to post
Share on other sites
43 minutes ago, Giganthrax said:

I guess big sites could still fix this by automatically logging you off after some time passes (like PayPal does), and then also asking for a phone verification code every time you log in. 

 

This whole thing legit makes me uncomfortable. 

2 factor would help protect you, but since they'd be attacking a database they'd still be able to get your password. Probably not the biggest concern ever unless you're important enough to bother someone trying to cheat their way through your 2 factor (someone did it to Linus a while back) but you probably don't want 2 factor authorization as your main security

20 minutes ago, duncannah said:

is 12 chars enough?

for the time being, particularly if you use lower case, upper case, numbers, and special characters


r5 2400G | Noctua Nh l9x65 am4 | MSI b450i gaming ac | G.Skill Ripjaws V 2x8GB ddr4-3000 | 256GB Samsung 950 pro nvme | 1TB Adata su800 | 4TB HGST drive | Silverstone SX500-LG | Silverstone ML08

HTPC i3 7300 | Gigabyte GA-B250M-DS3H | 8GB cheap ram | Adata XPG SX8000 128GB M.2 | Many HDDs | Msi rx 560 aero itx | Rosewill FBM-01 | Corsair CXM 450W

Link to post
Share on other sites

password1 is 9 chars. 
Get fucked haxors. 


muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch

Link to post
Share on other sites
1 hour ago, lacion said:

this now means that is within the realm of possibilities that any attacker that get his hands on any of the big site password leaks can churn you hashed password and get it within in days(or less depending on hardware) if your using a perfectly random password, if you use a name or a word within your password means they pretty much can get it instantly.

The thing everyone in this thread seems to be missing is that this only applies to the NTLM-password hashes. There are PLENTY more ciphers than that around and I am not aware of any big website using NTLM-hashes.


Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

Link to post
Share on other sites
Posted · Original PosterOP
30 minutes ago, duncannah said:

If you don't use the same password everywhere you should be fine

yours assuming they're just a few passwords leaks, the truth is we don't even know the extent of password gathering nowadays.

 

we can't assume anymore, so its just better to not only use different passwords but try to use as many characters as possible.

Link to post
Share on other sites
Posted · Original PosterOP
Just now, WereCatf said:

The thing everyone in this thread seems to be missing is that this only applies to the NTLM-password hashes. There are PLENTY more ciphers than that around and I am not aware of any big website using NTLM-hashes.

 

in the case of hashcat they support over 200 algo´s, the NTLM benchmark is the most recent branch for the next version 6.x they have not optimized or tested more just yet, but so far everything indicates all other algo´s are going to get a pretty significant boost.

 

the thing to note here is that the new 2080 cards are bringing hardware with capabilities now at a much cheaper cost than before, and we're just getting started.

Link to post
Share on other sites

(Moved back to Tech News)

 

It's worth noting that this is specifically NTLM hashes, which means Windows passwords. Most websites will store your password using an algorithm like Blowfish, Argon2, or at least PBKDF2, which are all designed to resist brute force as much as possible. On my laptop (i7 6500U, integrated graphics) I get 235,000,000 H/s for NTLM, but only 131 H/s on Blowfish.

Your Windows password can be brute forced if someone obtains access to the password store file, but your LTT (blowfish) password is much more secure.


I don't work for Floatplane Media, so any Floatplane comments that I make are my own and may be incorrect or in conflict with the official view.

 

For Floatplane support, please use the wizard linked in this topic

Link to post
Share on other sites
1 minute ago, lacion said:

in the case of hashcat they support over 200 algo´s, the NTLM benchmark is the most recent branch for the next version 6.x they have not optimized or tested more just yet, but so far everything indicates all other algo´s are going to get a pretty significant boost.

Yes, it's possible that they can boost some other ciphers as well, but that's just it; this news doesn't say anything about them having been able to boost the performance of any other ciphers -- it's only a possibility, not a certainty, and it certainly won't cover every cipher. Before people jump to conclusions and paint signs of an apocalypse in the skies, everyone needs to take a deep breath and look at what the announcement actually says.


Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×