Your 8 char random password now means nothing

[lacion]

the new benchmark for hashcat means that now the entire keyspace or every possible combination of upper, lower, numbers, symbols of an 8 character password can be guessed in 2.5 hours using x8 2080 ti´s they now can do more than 100GH/s with a single compute unit, for comparison, a 1080ti can't even do half of that.

 

 

this now means that is within the realm of possibilities that any attacker that get his hands on any of the big site password leaks can churn you hashed password and get it within in days(or less depending on hardware) if your using a perfectly random password, if you use a name or a word within your password means they pretty much can get it instantly.

 

so if you have a complex save password of 8 characters or less is now time to go and change it everywhere as is no longer save especially given the latest password leaks (https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/)

source: 

the source code for this is now available on github

[corrado33]

40 minutes ago, lacion said:

the new benchmark for hashcat means that now the entire keyspace or every possible combination of upper, lower, numbers, symbols of an 8 character password can be guessed in 2.5 hours using x8 2080 ti´s they now can do more than 100GH/s with a single compute unit, for comparison, a 1080ti can't even do half of that.

 

 

the source code for this is now available on github

Very cool. It's worth noting that the time to brute force a password goes up exponentially with length (simply because the number of possible combinations also increases exponentially). Complexity only helps a bit. That's why it's smart to have a long, memorable password with just a few non common substitutions (don't use $ for S) and a few punctuation points in there. 

 

For example: For an 8 character password only including upper and lower case letters (52 characters), that's 52 nPr 8 = 3E13 combinations. Add 10 symbols in there and that's 62 nPr 8 1.3E14 possible combinations.

 

Now, make the password 9 characters long and you get 52 nPr 9 1.33E15 possible combinations and 62 nPr 9 = 7.36E15

 

So a 9 character password that has no special characters is better than an 8 character password with special characters.

 

EDIT: It's also worth noting that using words and sentences, as mentioned in the XKCD may not be entirely safe either. Words can be treated as "units" so instead of saying that a 9 character word is 9 pieces of complexity, it can be treated as 1. A 4 word password can be cracked the same way a 4 character password could with a dictionary attack. (Although words are more secure because there are more of them...)

 

Best advice: Use a memorable combination of words that's long but also has random symbols sprinkled throughout. E.G. Ca#_1UMP;Ov@r[Mo0NN

Cat Jump Over MooNN, easy to remember, then you just need to remember "pound for t, 1 for J (or just remember it as "lump" and laugh every time), the ";" then "Ovar" with @ and a 0 for the 2nd 'o' and double Ns.

 

EDIT: I played around with this once. Remember the game "Balloons tower defense?" Well I wanted to calculate the order to buy buildings to make the most money in the end-game. So I brute forced every action the player could take in relation to a certain building (the farms). Basically the player could either buy another farm, upgrade existing farms, or sell farms. I let this play out for 40 moves. 

 

When I let the program run.... it eventually came up with a 20 GB text file. Yes, you read that correctly. A 20..... GB.... text file. I had to find a program to even open the damn thing let alone read it. (Vim works great for large files btw). Eventually, by including more strict conditions, (like not allowing the player to buy a farm then immediately sell it.) I got the file down to something more manageable (like 7 GB or so), then I ran my analysis program on it to determine which combination of moves was the best. That took all night, but eventually I solved it, and it made me so happy. But the scale of the whole project just amazed me. These dictionaries for passwords can be freaking MASSIVE. Turns out the answer was exactly the strategy that most people in the game already used. But I got  a lot of similar strategies so I was still happy.

[Firewrath9]

thats why they have a cooldown after you guess a password. 3 seconds after every mistake = .3H/s

 

this reminds me of something:

https://xkcd.com/936/

[lacion]

2 minutes ago, Firewrath9 said:

thats why they have a cooldown after you guess a password. 3 seconds after every mistake = .3H/s

 

this reminds me of something:

https://xkcd.com/936/

that's an online attack, this is an offline attack if the attackers have the hash of the password they can simply churn it on their local computer.

[Neftex]

4 minutes ago, Firewrath9 said:

thats why they have a cooldown after you guess a password. 3 seconds after every mistake = .3H/s

 

this reminds me of something:

https://xkcd.com/936/

cooldowns dont apply, they have the whole database of passwords downloaded and run the crack on it...

[Giganthrax]

This can literally be neutralized simply by websites limiting the number of password tries to like 5 before you have to confirm your identity via e-mail, phone, etc. verification.

[lacion]

1 minute ago, Giganthrax said:

This can literally be neutralized simply by websites limiting the number of password tries to like 5 before you have to confirm your identity via e-mail, phone, etc. verification.

not really, this is an offline attack, not an online one, you will be out of luck if you happen to use one or more than the several big sites that have been breach recently. 

[corrado33]

2 minutes ago, Giganthrax said:

This can literally be neutralized simply by websites limiting the number of password tries to like 5 before you have to confirm your identity via e-mail, phone, etc. verification.

That's not how it works. This assumes that the hackers went in and stole all of the (hopefully) encrypted password hashes. 

 

Once they have the hashes, they simply run their brute force program through the hashing mechanism (which is public) and eventually it finds the one that matches your hash, then they have your password. It's an offline attack. 

[Giganthrax]

Dang it. 

 

I would hope that organizations like PayPal, amazon, etc. that have access to our credit card & PayPal info are protected against this, though?

[Velcade]

What are performance levels with ray tracing turned on?

[Giganthrax]

I guess big sites could still fix this by automatically logging you off after some time passes (like PayPal does), and then also asking for a phone verification code every time you log in. 

 

This whole thing legit makes me uncomfortable. 

[corrado33]

The thing that pisses me off is that all of my BANKING institutions have limitations on how long and complex my password can be. That pisses me off. I can understand not letting me use control characters or characters that will screw with the programming (as a programmer who has tried to parse song names with all sorts of characters in them, I know how much of a pain this is.), but for the love of christ let me make it as long as I want.

[corrado33]

Just now, Giganthrax said:

I guess big sites could still fix this by automatically logging you off after some time passes (like PayPal does), and then also asking for a phone verification code every time you log in. 

 

This whole thing legit makes me uncomfortable. 

That's exactly what 2 factor ID is. If the website sees that you're signing in from a different geographical local or a different device, it asks you to authenticate using your phone or e-mail. 

[Chris_R.]

7 minutes ago, corrado33 said:

The thing that pisses me off is that all of my BANKING institutions have limitations on how long and complex my password can be. That pisses me off. I can understand not letting me use control characters or characters that will screw with the programming (as a programmer who has tried to parse song names with all sorts of characters in them, I know how much of a pain this is.), but for the love of christ let me make it as long as I want.

Do you want to know generically why?? 

 

With most older banks using mainframes as their primary source of transaction processing, there is something, some rule, or some limitation I remember learning about in college, that most passwords on the mainframe are only 8 characters. I think this comes from a time when the values were required to be 8 characters due to size or something. They are slowly improving this though however mostly on the back end for developers less so on the front end. At least that's what I've heard.

 

I could also be completely wrong.

[descendency]

41 minutes ago, lacion said:

that's an online attack, this is an offline attack if the attackers have the hash of the password they can simply churn it on their local computer.

Offline variation of this attack:

 

https://xkcd.com/538/

[duncannah]

If you don't use the same password everywhere you should be fine

[Cyracus]

43 minutes ago, Giganthrax said:

I guess big sites could still fix this by automatically logging you off after some time passes (like PayPal does), and then also asking for a phone verification code every time you log in. 

 

This whole thing legit makes me uncomfortable. 

2 factor would help protect you, but since they'd be attacking a database they'd still be able to get your password. Probably not the biggest concern ever unless you're important enough to bother someone trying to cheat their way through your 2 factor (someone did it to Linus a while back) but you probably don't want 2 factor authorization as your main security

20 minutes ago, duncannah said:

is 12 chars enough?

for the time being, particularly if you use lower case, upper case, numbers, and special characters

[Syntaxvgm]

password1 is 9 chars. 
Get fucked haxors. 

[WereCatf]

1 hour ago, lacion said:

this now means that is within the realm of possibilities that any attacker that get his hands on any of the big site password leaks can churn you hashed password and get it within in days(or less depending on hardware) if your using a perfectly random password, if you use a name or a word within your password means they pretty much can get it instantly.

The thing everyone in this thread seems to be missing is that this only applies to the NTLM-password hashes. There are PLENTY more ciphers than that around and I am not aware of any big website using NTLM-hashes.

[lacion]

30 minutes ago, duncannah said:

If you don't use the same password everywhere you should be fine

yours assuming they're just a few passwords leaks, the truth is we don't even know the extent of password gathering nowadays.

 

we can't assume anymore, so its just better to not only use different passwords but try to use as many characters as possible.

[lacion]

Just now, WereCatf said:

The thing everyone in this thread seems to be missing is that this only applies to the NTLM-password hashes. There are PLENTY more ciphers than that around and I am not aware of any big website using NTLM-hashes.

 

in the case of hashcat they support over 200 algo´s, the NTLM benchmark is the most recent branch for the next version 6.x they have not optimized or tested more just yet, but so far everything indicates all other algo´s are going to get a pretty significant boost.

 

the thing to note here is that the new 2080 cards are bringing hardware with capabilities now at a much cheaper cost than before, and we're just getting started.

[colonel_mortis]

(Moved back to Tech News)

 

It's worth noting that this is specifically NTLM hashes, which means Windows passwords. Most websites will store your password using an algorithm like Blowfish, Argon2, or at least PBKDF2, which are all designed to resist brute force as much as possible. On my laptop (i7 6500U, integrated graphics) I get 235,000,000 H/s for NTLM, but only 131 H/s on Blowfish.

Your Windows password can be brute forced if someone obtains access to the password store file, but your LTT (blowfish) password is much more secure.

[WereCatf]

1 minute ago, lacion said:

in the case of hashcat they support over 200 algo´s, the NTLM benchmark is the most recent branch for the next version 6.x they have not optimized or tested more just yet, but so far everything indicates all other algo´s are going to get a pretty significant boost.

Yes, it's possible that they can boost some other ciphers as well, but that's just it; this news doesn't say anything about them having been able to boost the performance of any other ciphers -- it's only a possibility, not a certainty, and it certainly won't cover every cipher. Before people jump to conclusions and paint signs of an apocalypse in the skies, everyone needs to take a deep breath and look at what the announcement actually says.

[captain_to_fire]

13 minutes ago, colonel_mortis said:

but your LTT (blowfish) password is much more secure.

No wonder you're the keeper of the private keys...

 

I'm not really that familiar with password encryption protocols other than salting and hashing a password but is the blowfish cipher for passwords the same some VPN providers use?

Edited February 14, 2019 by captain_to_fire

[yian88]

i still dont understand this nonesense of hashes and forcing bullshit

no website email or banks will accept 100GH/s of password attempts it will long block such attempts before you try even 100 passwords

its only valid for offline stuff like archives or maybe encrypted phones but not even that, how do you hack your phone to accept so many passwords attempts, im sure there is something missing here that i dont understand, you cant brute force anything online with a server login

unless they obtain server database of passwords and then use this hash hack?  which means none of your passwords was any safe if a hacker used a couple powerfull computers  even before 2080ti as long he had a database copy