Re: [EXTERNAL] Forum hacked
Posted by Parks, Raymond on Nov 18, 2013; 6:28pm
URL: http://friam.383.s1.nabble.com/Forum-hacked-tp7584291p7584298.html
WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
URL: http://friam.383.s1.nabble.com/Forum-hacked-tp7584291p7584298.html
WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.
TL;DR - Current GPU-based password cracking using 20-million word dictionaries make truly random passwords below 14 characters and nearl all pass-phrases susceptible to cracking in a relatively short time.
On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes. This is almost as easy to break as as NTLM.
Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.
WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks. In some cases, if banking information is correlated, the collection is used for banking attacks. If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.
Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024 M: 505-238-9359 P: 505-951-6084
NIPR: [hidden email]
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)
On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:
============================================================A forum I belong to has been hacked, including personal info as well as passwords.How do they use this information?I presume they try the hash function on all combinations of possible passwords. (Naturally optimized for faster convergence). They see a match, i.e. a letter combination resulting in the given hash of the password.If they crack one password, does that make cracking the rest any easier?And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?.. or is it all quite different from this!-- Owen
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
smime.p7s (4K) | Free forum by Nabble | Edit this page |