Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
walkerasindave

Hashed Passwords

Recommended Posts

Posted · Original PosterOP

Hey everyone,

 

I've been watching the Linus videos for a year or so now and love them, keep up the great work guys.  Have also been lucking in the forums for months and have finally got around to creating an account after the Password discussion on the WAN Show.

 

I thought I'd write a quick post as they were suggesting on the WAN that passphrases are the best thing to use as passwords.

 

The problem I've had with passwords for a long time, no matter what format (standard passwords, strong random passwords, passphrases), is remembering what password I have used for what website/service.  I am most definitely an advocate of using a completely different password for every single different website.  On the low chance that one gets hacked everything else is still secure.  The problem with this, even with the more secure passphrases, is remember what passphrase you used on what site.  Using the same passphrase on multiple sites is just as bad as using a simple password.

 

I have just started using a clever technique to generate unique, strong, completely random 20+ character passwords that are unique for every site but memorable. 

 

But how can WL0Y'QREj7fJzQ8AgJID be memorable?

 

This is where hashing comes in.  Hashing can take one or more bits of information and repeatedly hash it into the same string of characters.  So the basis of the system I use uses the domain name of the particular website and a secret master key to hash a repeatble password.  (The above is a hash of "test.com" as the domain and "test" as the master key).  The hash will always be the same for the same domain and master key.  This means you don't even have to use any "Remember My Password" services built into browsers these days, instead just use the same master key while the domain changes for each website you need a password.

 

Suposedly these hashes are irreversible so even if one of the generated passwords is found by someone they won't be able to reverse engineer them to your master key. 

 

I wrote a quick hashing app that does it for me but there are lots of browser addons that can do this built into your browser, for example the Firefox Password Hasher.

 

For me this is the most secure solution I've found.  What do people think of using hashed passwords?  How secure are they?  Are they actually irreversible?

Link to post
Share on other sites

http://project-rainbowcrack.com/table.htm

 

 

 

Hashes can be cracked... With this stuff


I am good at computer

Spoiler

Motherboard: Gigabyte G1 sniper 3 | CPU: Intel 3770k @5.1Ghz | RAM: 32Gb G.Skill Ripjaws X @1600Mhz | Graphics card: EVGA 980 Ti SC | HDD: Seagate barracuda 3298534883327.74B + Samsung OEM 5400rpm drive + Seatgate barracude 2TB | PSU: Cougar CMX 1200w | CPU cooler: Custom loop

Link to post
Share on other sites

It's easy to make uncrackable passwords. Here's what your password should have:

9 total characters

1 upper case

1 number

1 obscure character, like ☺ (alt+1)

Then you add a 2-3 letter from the website's name, like the first character + second vowel (or only vowel, if that's the case) + last letter from the extension. So linustechtips.com becomes "lum". So now you have a 12 character password unique to each website. Even if they somehow get your password, if you had used ltt (for linustechtips) then it would be easy to replicate it for other websites, but something like lum will not be distinguishable from the rest of the password.

this means they need to use the full 256 bits for 12 characters to crack your password. This will take years even for a quantum computer. No cracker in the entire world can crack this password, and none will ever try. Crackers don't bruteforce the entire 256 bits, they can just narrow it down to alphanumeric characters and will get the majority of the passwords. Going from 128 bits to 256 bits doubles the possibilities for each character, so even just a 9 character 256 bit password is 512 times harder to crack than a 9 character 128bit one. Since at least 80% of the passwords are 128 bit it'll be a huge waste of time to redo the whole process at least another 512 times just for a small number of passwords, even completely disregarding the fact that a 12 character password would require thousands of years to crack if all you have is a high end pc.

Link to post
Share on other sites

Hey everyone,

 

I've been watching the Linus videos for a year or so now and love them, keep up the great work guys.  Have also been lucking in the forums for months and have finally got around to creating an account after the Password discussion on the WAN Show.

 

I thought I'd write a quick post as they were suggesting on the WAN that passphrases are the best thing to use as passwords.

 

The problem I've had with passwords for a long time, no matter what format (standard passwords, strong random passwords, passphrases), is remembering what password I have used for what website/service.  I am most definitely an advocate of using a completely different password for every single different website.  On the low chance that one gets hacked everything else is still secure.  The problem with this, even with the more secure passphrases, is remember what passphrase you used on what site.  Using the same passphrase on multiple sites is just as bad as using a simple password.

 

I have just started using a clever technique to generate unique, strong, completely random 20+ character passwords that are unique for every site but memorable. 

 

But how can WL0Y'QREj7fJzQ8AgJID be memorable?

 

This is where hashing comes in.  Hashing can take one or more bits of information and repeatedly hash it into the same string of characters.  So the basis of the system I use uses the domain name of the particular website and a secret master key to hash a repeatble password.  (The above is a hash of "test.com" as the domain and "test" as the master key).  The hash will always be the same for the same domain and master key.  This means you don't even have to use any "Remember My Password" services built into browsers these days, instead just use the same master key while the domain changes for each website you need a password.

 

Suposedly these hashes are irreversible so even if one of the generated passwords is found by someone they won't be able to reverse engineer them to your master key. 

 

I wrote a quick hashing app that does it for me but there are lots of browser addons that can do this built into your browser, for example the Firefox Password Hasher.

 

For me this is the most secure solution I've found.  What do people think of using hashed passwords?  How secure are they?  Are they actually irreversible?

 

I have actually heard this be mentioned before and it is good if people do not know that this is the method that you use.  As if people know your method and your master key gets compromised they have access to all of your accounts.  I believe i saw a variation of this to add a little bit more obscurity and use a piece of information from the whois record that will not change for the domain such as registered date. 

 

http://project-rainbowcrack.com/table.htm

 

 

 

Hashes can be cracked... With this stuff

People are moving away from using rainbow tables to crack hashes as they are no longer as efficient as other means.  Rainbow tables also rely on the hash actually being in the table which should not be the case if you use a unique string and salt. 

Link to post
Share on other sites

i just smash out random letters, numbers and symbols and remember it. 


Rig 1 CPU: 3570K Motherboard: V Gene GPU: Power Color r9 280x at 1.35GHZ  RAM: 16 GB 1600mhz PSU: Cougar CMX 700W Storage: 1x Plexor M5S 256GB 1x 1TB HDD 1x 3TB GREEN HDD Case: Coolermaster HAFXB Cooling: Intel Watercooler
"My day so far, I've fixed 4 computers and caught a dog. Australian Tech Industry is weird."

"It's bent so far to the right, It's a hook."

Link to post
Share on other sites

Hashes are really easy to crack. Check out hashcat that is used to crack hashes.


My Build  CPU: AMD Phenom II X4 955@4.1@Ghz Mobo: Asus M5A99x Evo R2.0 GPU: Asus 7870T @1.25GHz Core 5.5GHz Mem Ram: Kingston HyperX@ 1600 9-9-9-24 CPU Cooler: H80 Push/Pull Noctua NF-P12  SSD: Samsung 128GB 840 PRO HDD: Mix of drives which add up to 5.6TB SoundCard: Asus xonar DGX PSU: Corsair HX650 + alchemy cables Case: R3 with the rest of the fans being fractel fans.

Im A Snake.....

 

Link to post
Share on other sites

Or you could use something like lastpass / keepass.

 

Also all hashed passwords are crackable, its just a matter of how long it will take to do so.


Rig: CPU: 1x quad core potato(4.6GHz). Cooling: Iced Tea. GPU: AMD HDToaster. Motherboard: Asus "Stale Bread Extreme Edition". RAM: 2x 4GB sticks of 1600MHz celery. PSU: 650w Roborovski Hamster in wheel.  Storage: Many Floppy Disks. 

Link to post
Share on other sites

grab a book, select a random page, use the page number and first word, lather, rinse, repeat.


15" MBP TB

Serenity: Intel 4960x | ASUS X79-E WS | ASUS DCUII 770 | Corsair 750D || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB

What Drive Should You Get?

Have a question? Please, don't hesitate to ask me over PM or on Twitter @Bladeof_Grass

Link to post
Share on other sites

grab a book, select a random page, use the page number and first word, lather, rinse, repeat.

that's incredibly easy to crack.

Link to post
Share on other sites

8BFC5PoPLKK4Q is my wifi password how do you think some people remember that lol...After awhile you just learn it..


|Casual Rig| CPU: i5-6600k |MoBo: ROG Gene  |GPU: Asus 670 Direct CU2 |RAM: RipJaws 2400MHz 2x8GB DDR4 |Heatsink: H100i |Boot Drive: Samsung Evo SSD 240GB|Chassis:BitFenix Prodigy |Peripherals| Keyboard:DasKeyboard, Cherry MX Blue Switches,|Mouse: Corsair M40

|Server Specs| CPU: i7-3770k [OC'd @ 4.1GHz] |MoBo: Sabertooth Z77 |RAM: Corsair Vengeance 1600MHz 2x8GB |Boot Drive: Samsung 840 SSD 128GB|Storage Drive: 4 WD 3TB Red Drives Raid 5 |Chassis:Corsair 600t 

Link to post
Share on other sites

Respect the Code of Conduct!

>> Feel free to join the unofficial LTT teamspeak 3 server TS3.schnitzel.team <<

>>LTT 10TB+ Topic<< | >>FlexRAID Tutorial<<>>LTT Speed wave<< | >>LTT Communies and Servers<<

Link to post
Share on other sites

I read an article about this a while ago. They can literally brute force a password that is only 6 characters long in like 10 min with a good gpu. If someone wants your password they will get it if they try hard enough. And then there are companies that don't even protect you and leave passwords in plain text and all it takes is a hacker. I think there needs to be a universal password standard. Too many times I make a password for something and it tells me that it doesn't fit their format. Like linus said, I think the best solution would be a really long string or a few words put together. It should be an internet wide standard so you don't have to remember a 10 passwords for each site you use.

Link to post
Share on other sites

 

But how can WL0Y'QREj7fJzQ8AgJID be memorable?

 

 

 

Random character passwords can easily be memorable if you force yourself to type it in every time.

Link to post
Share on other sites

I think there needs to be a universal password standard. Too many times I make a password for something and it tells me that it doesn't fit their format.

Would be just as nice for the crackers as they can program these standards into their algorithm making it significantly easier to crack.


Respect the Code of Conduct!

>> Feel free to join the unofficial LTT teamspeak 3 server TS3.schnitzel.team <<

>>LTT 10TB+ Topic<< | >>FlexRAID Tutorial<<>>LTT Speed wave<< | >>LTT Communies and Servers<<

Link to post
Share on other sites

Random character passwords can easily be memorable if you force yourself to type it in every time.

true, but in that case it would be a one key fits all kind of password.


Respect the Code of Conduct!

>> Feel free to join the unofficial LTT teamspeak 3 server TS3.schnitzel.team <<

>>LTT 10TB+ Topic<< | >>FlexRAID Tutorial<<>>LTT Speed wave<< | >>LTT Communies and Servers<<

Link to post
Share on other sites

i once made an uncrackable password ... i mean no one could guess it and if some one began to use brute force on it the aliens would die off before it would be cracked. heck even i could no longer log on to windows. all you have to do is while setting up your password is to go and drink some water and then have your cat come into your room and walk all over/purrrrr on your keyboard then leave and when you return type out your password without looking at the screen and press enter and continue. (honestly don't know i got past the thing to type the password again)   


(1) high frame rate (2) ultra graphics settings (3) cheap...>> choose only two<<...

 

if it's never been done then i'm probably tryna do it. (((((((Bass so low it HERTZ)))))))

Link to post
Share on other sites

One problem is that you could have the single most secure password and use it for everything but it would only take one site to be not following best practices or that has been hijacked to compromise all of your passwords.

Link to post
Share on other sites
Posted · Original PosterOP

I have actually heard this be mentioned before and it is good if people do not know that this is the method that you use.  As if people know your method and your master key gets compromised they have access to all of your accounts.  I believe i saw a variation of this to add a little bit more obscurity and use a piece of information from the whois record that will not change for the domain such as registered date.

 

True, maybe even add a couple of random letters into the master key as in Canoas method, so even the master key is obscured.

 

Or you could use something like lastpass / keepass.

 

Also all hashed passwords are crackable, its just a matter of how long it will take to do so.

 

I'm quite wary of using password storage solutions as the encryption by definition is reversible and the very fact that the password is stored somewhere.  With on demand hashing the generated passwords are never stored.

 

 

Random character passwords can easily be memorable if you force yourself to type it in every time.

 

True but for could you remember 30+ different random character passwords and which site they are for?

 

One problem is that you could have the single most secure password and use it for everything but it would only take one site to be not following best practices or that has been hijacked to compromise all of your passwords.

 

Exactly why I have gone with hashing, so every password is different and still secure.

Link to post
Share on other sites

true, but in that case it would be a one key fits all kind of password.

 

 

True but for could you remember 30+ different random character passwords and which site they are for?

 

You just think of a random character password for every website and then add a 2-3 letter from the website's name, like the first character + second vowel (or only vowel, if that's the case) + last letter from the extension. For example, linustechtips.com becomes "lum", and you just add "lum" to the end of your password. This way you have a unique random charcater password for each website than is very easy to remember.

Link to post
Share on other sites

You just think of a random character password for every website and then add a 2-3 letter from the website's name, like the first character + second vowel (or only vowel, if that's the case) + last letter from the extension. For example, linustechtips.com becomes "lum", and you just add "lum" to the end of your password. This way you have a unique random charcater password for each website than is very easy to remember.

Yes, as long as they only crack one or two passwords you should be fine and its easy to remember.

 

But I still prefer my method simply because the passwords are never in any way related to each other.


Respect the Code of Conduct!

>> Feel free to join the unofficial LTT teamspeak 3 server TS3.schnitzel.team <<

>>LTT 10TB+ Topic<< | >>FlexRAID Tutorial<<>>LTT Speed wave<< | >>LTT Communies and Servers<<

Link to post
Share on other sites

take a word, cut it in half and add letters in the middle+end thats usually what i do lol


Stuff:  i7 7700k @ (dat nibba succ) | ASRock Z170M OC Formula | G.Skill TridentZ 3600 c16 | EKWB 1080 @ 2100 mhz  |  Acer X34 Predator | R4 | EVGA 1000 P2 | 1080mm Radiator Custom Loop | HD800 + Audio-GD NFB-11 | 850 Evo 1TB | 840 Pro 256GB | 3TB WD Blue | 2TB Barracuda

Hwbot: http://hwbot.org/user/lays/ 

FireStrike 980 ti @ 1800 Mhz http://hwbot.org/submission/3183338 http://www.3dmark.com/3dm/11574089

Link to post
Share on other sites

that's incredibly easy to crack.

False.

I have passwords that, from that method, "will take a sentillion years to crack" according to https://howsecureismypassword.net/

I forgot to mention to capitalized letters and add a space, but without that "it would take 127 quadrillion years" to crack


15" MBP TB

Serenity: Intel 4960x | ASUS X79-E WS | ASUS DCUII 770 | Corsair 750D || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB

What Drive Should You Get?

Have a question? Please, don't hesitate to ask me over PM or on Twitter @Bladeof_Grass

Link to post
Share on other sites

False.

I have passwords that, from that method, "will take a sentillion years to crack" according to https://howsecureismypassword.net/

I forgot to mention to capitalized letters and add a space, but without that "it would take 127 quadrillion years" to crack

That website is incredibly unreliable. It says "Password123" will take 412 years to crack! 412 years? It must be a really secure password then, I'm going to use it now. Seriously, it'll take less than a second. I'm not even joking, that password will literally take less than a second to be cracked. It's one of the first passwords any cracker will try.

The first method any cracker uses, before bruteforcing, is the dictionary method where they combine every single word in the dictionary plus common "made up" words or strings and numbers. MonkeyDragon1337 will get cracked in less than an hour with an average PC, and in a few minutes by a professional cracker. Cracking those passwords is a complete joke, never use them. Again, never use words in your password.

 

Yes, as long as they only crack one or two passwords you should be fine and its easy to remember.

 

But I still prefer my method simply because the passwords are never in any way related to each other.

Yeah, but they'll never crack any password whatsoever. A decent 10 character password plus those 3 characters for the website at the end is uncrackable. As long as you use an uncommon character like ☺ then they'll need to be using the axtended ascii code to even manage to get it and even if they are using it then they'll still spend at least a few hundred years with the most potent computers available to the public. A 13 character with the extended ascii code means 256^13 = 2*10^31. Why would they even waste time and attempt to crack such a password when over 80% of the passwords don't use the extended ascii code and are under 10 characters? They don't. No one does.

 

 

For those interested, here's a good article explaining how crackers actuall crack passwords and the methods they use. These guys invited 3 professional crackers and gave each a list of 16449 MD5 encrypted passwords. In about an hour they could crack 80% of those passwords with a decent gaming computer. It's a very interesting read.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Link to post
Share on other sites

That website is incredibly unreliable. It says "Password123" will take 412 years to crack! 412 years? It must be a really secure password then, I'm going to use it now. Seriously, it'll take less than a second. I'm not even joking, that password will literally take less than a second to be cracked. It's one of the first passwords any cracker will try.

The first method any cracker uses, before bruteforcing, is the dictionary method where they combine every single word in the dictionary plus common "made up" words or strings and numbers. MonkeyDragon1337 will get cracked in less than an hour with an average PC, and in a few minutes by a professional cracker. Cracking those passwords is a complete joke, never use them. Again, never use words in your password.

You're telling me that "50PrePAring 72PlAnk's" is not a secure password? (of course this is not one I used but I just made it up using my method)


15" MBP TB

Serenity: Intel 4960x | ASUS X79-E WS | ASUS DCUII 770 | Corsair 750D || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB

What Drive Should You Get?

Have a question? Please, don't hesitate to ask me over PM or on Twitter @Bladeof_Grass

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×