8 minutes ago, IAmLamp said:

Is there a way to make password cracking almost useless? I did some thinking of the general process and I'm sure it already exists in form, but I thought of a way to make it almost useless or have it to be pretty high in luck if able to crack them. 

SALTING

It will just take more time though. I mean, your password could be 5-6 characters longer and it would drastically increase the time to crack. Unless you can choose the encryption type of the hash, you can't do much other than use more characters and use special ones too.

There's no luck in cracking a password. It's either a list of common ones, or common options (say, if the hacker is tracking you for words you might use),
or it goes through all possibilities, one by one (which takes a long time!).


I recently tested a password: "Warsaw!". It took 2 minutes 46 seconds on average on a 5700HQ CPU, running in a 4-thread Kali Linux VM,

which is not bad for 6 digits.

Mind you, that was John the Ripper unlocking a salted hash from Linux's hashing algorithm.


1 minute ago, IAmLamp said:

My idea/method doesn't involve salting. Also, what is salting again? I forgot what that term means. I heard about it a while ago but my memory seems faint. :(

Salting means adding a random string to the end of the password before hashing it. This makes dictionary attacks useless.


2 minutes ago, IAmLamp said:

My idea/method doesn't involve salting. Also, what is salting again? I forgot what that term means. I heard about it a while ago but my memory seems faint. :(

Salting is basically a random string of numbers at the end or beginning of the password; it makes sure that the hash is not similar if you have the same password somewhere else on the machine, or in the world.


You can't make an absolutely safe password, you can only make the problem so large it's impractical to crack.

If nothing else, you should use sufficiently long passwords/passphrases and use every character type you can. If you have a mix of lower case, upper case, numbers, and punctuation marks, with a 12 character password, assuming you're just using the entirety of the US English QWERTY keyboard, that's 12^94 combinations, or 2.7*10^101.


8 minutes ago, M.Yurizaki said:

Salting means adding a random string to the end of the password before hashing it. This makes dictionary attacks useless.

Salting prevents use of rainbow tables, not a dictionary attack. 

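As an added illustration of the salting explanations above and the rainbow-table correction, here is example code (not from anyone in this thread) that stores passwords with a per-user random salt and a slow KDF, then shows that a digest table precomputed for one user's salt says nothing about another user's record holding the same password. The PBKDF2 parameters, the record format and the candidate list are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this illustration (not from the thread): PBKDF2-HMAC-SHA256
# with a 16-byte random salt and 100_000 iterations. A production system should use
# a memory-hard KDF such as Argon2id or scrypt and tune the cost to its hardware.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt; return "pbkdf2_sha256$<iters>$<salt hex>$<digest hex>"."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and cost stored in the record; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def precomputed_table(candidates: Iterable[str], salt: bytes,
                      iterations: int = ITERATIONS) -> dict:
    """Digest -> candidate map precomputed for ONE salt (the rainbow-table idea in
    miniature). Because every user gets a different salt, the table only applies to
    the single record whose salt was used to build it."""
    return {hashlib.pbkdf2_hmac("sha256", c.encode("utf-8"), salt, iterations).hex(): c
            for c in candidates}


def table_hit(record: str, table: dict) -> Optional[str]:
    """Return the candidate whose precomputed digest matches the record, if any."""
    return table.get(record.split("$")[3])
```

Hashing "Warsaw!" (the thread's test password) twice gives two records with different salts; a table built for the first record's salt finds that record but misses the second, even though both hold the same password.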

7 minutes ago, djdwosk97 said:

Salting prevents use of rainbow tables, not a dictionary attack. 

It was one of those. Either way :P

 

3 minutes ago, IAmLamp said:

Pseudo-random and salting seem like a requirement these days then. 

 

Seems like random guessing is still possible, but obviously extremely far off/would have to be very lucky. Anyone thought of a solution for that? 

You cannot prevent someone from guessing your password, ever. At the end of the day, they're sending binary data and there's always a combination of binary data that will work.

 

It's like asking if you can make a combination lock that nobody can ever crack without the key.


1 minute ago, AUniqueName said:

Personally, for users I say that if you have more than 10 passwords and aren't using a password manager of some kind (even a pen and paper), you're doing it wrong.

I have my passwords stored in an encrypted partition, so I'm not sure if that works as an alternative, but it seems like it should. 


On the note of impractical, it sounds like it would be possible to stall enough time on cracking so that it would take a life time or more, and even then that would just be random chance for guessing with odds not being in favor. 

 

Correct me if I'm wrong. 


4 minutes ago, IAmLamp said:

On the note of impractical, it sounds like it would be possible to stall enough time  on cracking so that it would take a life time or more, and even then that would just be random chance for guessing with odds not being in favor. 

 

Correct me if I'm wrong. 

The secret to safe password storage and processing is to use industry accepted practices. Trust me in that the worst thing you can do is to try to create your own security algorithms and methods. That is unless you have a PhD in a math related field and specialise in cryptography and security.

 

I realise that this thread is likely just you thinking out loud, but if you are actually planning on setting up anything to do with password management, please don't. It's irresponsible and unethical if real people's passwords are actually at risk.


9 minutes ago, IAmLamp said:

I have my passwords stored in an encrypted partition, so I'm not sure if that works as an alternative, but it seems like it should. 

I should do that too, though I'd need to be able to access from my phone too. 

 

I've gotten to the point where it's getting troublesome to figure out which password I used for what account. 


6 minutes ago, WaxyMaxy said:

The secret to safe password storage and processing is to use industry accepted practices. Trust me in that the worst thing you can do is to try to create your own security algorithms and methods. That is unless you have a PhD in a math related field and specialise in cryptography and security.

 

I realise that this thread is likely just you thinking out loud, but if you are actually planning on setting up anything to do with password management, please don't. It's irresponsible and unethical if real people's passwords are actually at risk.

It's just a discussion and "me thinking out loud". Easy there lol


16 minutes ago, Zodiark1593 said:

I should do that too, though I'd need to be able to access from my phone too. 

 

I've gotten to the point where it's getting troublesome to figure out which password I used for what account. 

I recommend at least writing down all account information for each account you have sites/things registered to, and then storing what you have written somewhere safe as a start. It's better to have all information than some/pieces of it. Or something like that. 

 

I don't remember everything so I just have everything stored for reference purposes and it seems to work well. But yes, if you do decide to put that type of information on a computer, make sure it's a secure connection and encrypted and what not. 

 

Once you get all the information organized it looks very nice and easy to find and then making it secure is like the cherry on top. If you need help with ideas or solutions for something like that, feel free to let me/us know. :)


6 hours ago, IAmLamp said:

On the note of impractical, it sounds like it would be possible to stall enough time on cracking so that it would take a life time or more, and even then that would just be random chance for guessing with odds not being in favor. 

 

Correct me if I'm wrong. 

If a hacker has his tools right, it doesn't take long.

 

http://www.infosecisland.com/blogview/9023-Cracking-14-Character-Complex-Passwords-in-5-Seconds.html

 

I know it's a Windows XP hash, but they had complex 14-character passwords taken out very fast.

I read an article that showed how using words isn't secure even if random, and setting up your attack correctly meant even long passwords were done in hours.
