
Pass-phrases still not good enough?

A new password cracking client (ocl-hashcat-plus) has successfully cracked a 55 character long pass-phrase in an astonishingly short period of time and is able to crack up to 64 character pass-phrases.

Short report here: http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/

I've personally searched around and couldn't find the greatest information possible on the subject, but this seems to be the best.


passparagraphs, perhaps.


why not just use RSA keys? 2048 bit is enough for everything at the moment, but I still use 4096 bit keys.


I really hope you're joking :P

:lol: Yup. If words and phrases aren't good enough, paragraphs are the next step up.


Putting chips into everyone so the computer can verify who you actually are.


It's using a dictionary attack.

Nothing special here.

As many people have said before, USE symbols and uppercase letters with numbers in a 10+ character password and you'll be fine.


> why not just use RSA keys? 2048 bit is enough for everything at the moment, but I still use 4096 bit keys.

Ehhh, what? That has nothing to do with this at all.

 

Anyway like @qwertywarrior said, if you don't use dictionary words, maybe throw in some numbers and/or special characters then you're fine. Actually, I'd say you're most likely safe right now anyway, since this attack requires them to have access to the hashes, which isn't that common.

Also, using a salt when making the hashes makes this attack useless as well.


> Ehhh, what? That has nothing to do with this at all.
>
> Anyway like @qwertywarrior said, if you don't use dictionary words, maybe throw in some numbers and/or special characters then you're fine. Actually, I'd say you're most likely safe right now anyway, since this attack requires them to have access to the hashes, which isn't that common.
>
> Also, using a salt when making the hashes makes this attack useless as well.

Sadly, recent hacks to websites show most of them don't salt :/


> Sadly, recent hacks to websites show most of them don't salt :/

Hopefully websites will take security more seriously with all the recent attacks.

  • Salted SHA-1 (or higher) passwords.
  • 1024-bit public key for HTTPS (and HTTPS should be forced).
  • RC4 or AES for encryption.

This should be minimum for a big site.

 

On a side note, why doesn't LTT allow HTTPS?
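As an added illustration (my own code, not from the thread, hashcat, or any site mentioned) of what the salting discussed in the two posts above actually buys: a per-user salt defeats a table of hashes precomputed once from a word list and gives two users with the same pass-phrase different stored hashes, but a single SHA-1 is still cheap to guess per hash, so the block also shows PBKDF2-HMAC-SHA256 with a random salt and a high iteration count as the assumed stronger choice. The word list and the shared phrase are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "common passwords" list, standing in for the
# dictionaries the thread mentions, plus one phrase two users both chose.
COMMON = ["password", "123456", "letmein", "correct horse battery staple"]
SHARED_PHRASE = "correct horse battery staple"


def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 as many breached sites stored it: same password, same hash everywhere."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Salted SHA-1, the minimum the post above asks for: output depends on a per-user salt."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def table_hit(stored_hash: str) -> bool:
    """True if a stored hash resolves against a table of unsalted hashes built once,
    in advance, from COMMON; a salt forces that table to be rebuilt per user."""
    return stored_hash in {sha1_unsalted(p) for p in COMMON}


def pbkdf2_record(password: str, salt: bytes = b"", rounds: int = 200_000) -> dict:
    """Stronger storage (assumed choice, not from the thread): PBKDF2-HMAC-SHA256 with a
    random 16-byte salt and many rounds, so each guess costs `rounds` hashes per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute from the stored salt and round count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    alice, bob = os.urandom(16), os.urandom(16)
    print("unsalted hash in precomputed table:", table_hit(sha1_unsalted(SHARED_PHRASE)))
    print("salted hash in precomputed table:  ", table_hit(sha1_salted(SHARED_PHRASE, alice)))
    print("same phrase, same salted hash?     ",
          sha1_salted(SHARED_PHRASE, alice) == sha1_salted(SHARED_PHRASE, bob))
    rec = pbkdf2_record(SHARED_PHRASE)
    print("verify correct / wrong guess:", verify(SHARED_PHRASE, rec), verify("password", rec))
```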


> Hopefully websites will take security more seriously with all the recent attacks.
>
>   • Salted SHA-1 (or higher) passwords.
>   • 1024-bit public key for HTTPS (and HTTPS should be forced).
>   • RC4 or AES for encryption.
>
> This should be minimum for a big site.
>
> On a side note, why doesn't LTT allow HTTPS?

HTTPS has been compromised though 

http://www.informationweek.com/security/attacks/https-hackable-in-30-seconds-dhs-alert/240159435


I wouldn't say it has been compromised. I mean, there are ways of breaking it but it's still very difficult.

I am not sure about this, but doesn't HTTPS use different keys for each connection? I mean the public and private key are always the same, but the symmetrical key used after the handshake will be different for each connection. Wouldn't that mean that in order to use this attack, they have to target individual connections, and send several thousands of requests per connection? Even if they did that, they would still only compromise the data sent during that particular session from that particular user. It would also need them to have access to the same local network. Maybe I am wrong somewhere, but this seems like a very hard thing to pull off and even if it is, it's not a huge deal.
