The addition of a salt to a password makes rainbow tables much less effective because it makes the table space larger, even trading off chain length for convergence. However, rainbow tables are no longer the thing - with multi-GPU setups, password crackers just brute force passwords. Basically, the sequence is:1. Using a large (20 million word) multiple language (but standard ASCII) dictionary derived from text sources across the WWW, hash the words in that dictionary with variants (leet-speak, other substitutions, plurals, added numbers, 8 for "ate", et cetera), and compare the outputs to the captured password file. Salt is basically a variant that can be accounted for - extra random characters.2. If some passwords are of the type you dislike, then those can be brute-forced almost as fast as rainbow tables can be calculated. Salt is irrelevant in this process, other than making the effective number of bytes longer.In the Ars articles, Step 1 seems to get as much as 90% of self-chosen passwords in a matter of hours. The practitioners in the Ars articles don't go on to Step 2, but I would expect that to take less than a week. If the hash algorithm is captured along with the passwords, then the cracker has the advantage of knowing whether the web-site uses salt. Operating systems, of course, are studied off-line to determine the algorithm and use of salt.
Ray ParksConsilient Heuristician/IDART Program ManagerV: <a href="tel:505-844-4024" value="+15058444024" target="_blank">505-844-4024 M: <a href="tel:505-238-9359" value="+15052389359" target="_blank">505-238-9359 P: <a href="tel:505-951-6084" value="+15059516084" target="_blank">505-951-6084NIPR: [hidden email]SIPR: [hidden email] (send NIPR reminder)JWICS: [hidden email] (send NIPR reminder)
On Nov 18, 2013, at 11:48 AM, cody dooderson wrote:I find passwords really hard to remember. Especially those sites that require numbers, symbols,uppercase, and lower case characters. I personally would rather use a 20 character all lowercase password than an 8 character mixed symbol password. As a result keep a document, in the cloud, with all of my passwords stored in plain text. Many of these passwords I could care less if someone cracked.Also, I was under the impression that salting prevents the use of rainbow tables.============================================================Cody SmithOn Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <[hidden email]> wrote:WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.TL;DR - Current GPU-based password cracking using 20-million word dictionaries make truly random passwords below 14 characters and nearl all pass-phrases susceptible to cracking in a relatively short time.On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes. This is almost as easy to break as as NTLM.Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks. In some cases, if banking information is correlated, the collection is used for banking attacks. If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.Ray ParksConsilient Heuristician/IDART Program ManagerV: <a href="tel:505-844-4024" value="+15058444024" target="_blank">505-844-4024 M: <a href="tel:505-238-9359" value="+15052389359" target="_blank">505-238-9359 P: <a href="tel:505-951-6084" value="+15059516084" target="_blank">505-951-6084NIPR: [hidden email]SIPR: [hidden email] (send NIPR reminder)JWICS: [hidden email] (send NIPR reminder)
On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:A forum I belong to has been hacked, including personal info as well as passwords.How do they use this information?I presume they try the hash function on all combinations of possible passwords. (Naturally optimized for faster convergence). They see a match, i.e. a letter combination resulting in the given hash of the password.If they crack one password, does that make cracking the rest any easier?And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?.. or is it all quite different from this!-- Owen============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
| Free forum by Nabble | Edit this page |