• Cracking passwords - Computerphile
    42 replies, posted
[video=youtube;7U-RbOKanYs]https://www.youtube.com/watch?v=7U-RbOKanYs[/video] Shit's interesting
Basically: you're probably fucked no matter what your password is. Also had to do a [URL="https://www.youtube.com/user/GaijinGoomba"]double take[/URL] :v: [t]http://i.imgur.com/kMuZxZu.png[/t]
The issue I have today with passwords is that I don't mind remembering one 16-character-long password with an uppercase, a number and a symbol, but it's a chore to have 20 different accounts for various services and having to decide whether to give them an exclusive password or just reuse an old one.
[QUOTE=ProgramFiles;50705053]The issue I have today with passwords is that I don't mind remembering one 16-character-long password with an uppercase, a number and a symbol, but it's a chore to have 20 different accounts for various services and having to decide whether to give them an exclusive password or just reuse an old one.[/QUOTE] That's why you use a password manager.
[QUOTE=Sivics;50705185]That's why you use a password manager.[/QUOTE] Which password manager do you recommend?
[QUOTE=frdrckk;50705321]Which password manager do you recommend?[/QUOTE] KeePass; tie it with a secure password on your Dropbox.
[QUOTE=frdrckk;50705321]Which password manager do you recommend?[/QUOTE] Dashlane is pretty good. [editline]14th July 2016[/editline] [QUOTE=ProgramFiles;50705053]The issue I have today with passwords is that I don't mind remembering one 16-character-long password with an uppercase, a number and a symbol, but it's a chore to have 20 different accounts for various services and having to decide whether to give them an exclusive password or just reuse an old one.[/QUOTE] [QUOTE=Sivics;50705185]That's why you use a password manager.[/QUOTE] Or save your passwords in a text doc and copy-paste them. That's a lazy alternative, but whatever floats your boat.
[IMG]https://imgs.xkcd.com/comics/password_strength.png[/IMG]
[QUOTE=ProgramFiles;50705053]The issue I have today with passwords is that I don't mind remembering one 16-character-long password with an uppercase, a number and a symbol, but it's a chore to have 20 different accounts for various services and having to decide whether to give them an exclusive password or just reuse an old one.[/QUOTE] That's why you develop an algorithm that only you know.
[QUOTE=Flameon;50705540][IMG]https://imgs.xkcd.com/comics/password_strength.png[/IMG][/QUOTE] I had a friend who actually used "correct horse battery staple" as his uni pass and put it on a Windows sticky note on his fucking desktop.
[QUOTE=RocketSnail;50705491]KeePass; tie it with a secure password on your Dropbox.[/QUOTE] If you use KeeFox, you can also 1-click- or auto-fill them in Firefox based on the domain name, so you don't have to rely on window titles or anything like that. [editline]14th July 2016[/editline] [QUOTE=elitehakor;50705592]I had a friend who actually used "correct horse battery staple" as his uni pass and put it on a Windows sticky note on his fucking desktop.[/QUOTE] That's fine (as long as you don't let other people see it). Paper lists aren't hackable. On that note, KeePass has a print function that you should make use of if you use it. [editline]14th July 2016[/editline] [QUOTE=RocketSnail;50705491]KeePass; tie it with a secure password on your Dropbox.[/QUOTE] Regarding the Dropbox bit: KeePass also has a manual sync feature, so it may be a better idea to have your working database as a local-only copy and sync it with the one on Dropbox, to avoid file conflicts if you edit it while offline or use it on two devices at once. [editline]14th July 2016[/editline] [QUOTE=Rich209;50705549]That's why you develop an algorithm that only you know.[/QUOTE] You can also use long-ish sentences or something like that. Remembering ~50-character passwords is pretty easy that way, at the very least for as long as you need to type them manually in that odd case where it's necessary. [editline]14th July 2016[/editline] Bonus points for not using English :v:
I wish he would have said something like "if you know nothing, go look up the password storage cheat sheet on OWASP" and NOT "use SHA512 because MD5/SHA1 is trash". Short version: if you are directly using a hash function for storing a password, then you are [I]probably[/I] doing it wrong. Ref: [url]https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet[/url]
[QUOTE=bord2tears;50708091]I wish he would have said something like "if you know nothing, go look up the password storage cheat sheet on OWASP" and NOT "use SHA512 because MD5/SHA1 is trash". Short version: if you are directly using a hash function for storing a password, then you are [I]probably[/I] doing it wrong. Ref: [url]https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet[/url][/QUOTE] I was kinda disappointed that he didn't say bcrypt.
[QUOTE=Flameon;50705540][IMG]https://imgs.xkcd.com/comics/password_strength.png[/IMG][/QUOTE] That would take 2.9 minutes to crack at 100 billion guesses per second. The guy in the video was able to do 40 billion a second, so RIP that idea.
[QUOTE=RocketSnail;50705491]KeePass; tie it with a secure password on your Dropbox.[/QUOTE] For some time now I've been thinking of getting my password security together. This video finally made me take the first step. Hopefully I will keep it up.
[QUOTE=Sam Za Nemesis;50708520]Then you get in a dictionary attack and get fucked[/QUOTE] If you have a dictionary with 50k words and your password is 4 words, that gives you 50k^4 = 6.25e18 possible combinations. With 100 billion guesses per second, that would take 723 days to crack that password. It's in the picture as well: if he assumed just lowercase letters, the entropy would be much higher. He made the assumption that there are only 2048 words in the dictionary to get 2^44 entropy with 4 words.
[QUOTE=TheTalon;50708318]That would take 2.9 minutes to crack at 100 billion guesses per second. The guy in the video was able to do 40 billion a second, so RIP that idea.[/QUOTE] The "hard" password is also gonna get fucked by dictionary attacks as described in the video, probably.
I never knew it was this easy. WTF.
[QUOTE=TheTalon;50708318]That would take 2.9 minutes to crack at 100 billion guesses per second. The guy in the video was able to do 40 billion a second, so RIP that idea.[/QUOTE] Have you read what was written in the smaller text on the upper part of the picture? "Cracking a stolen hash is faster, but it's not what the average user should worry about."
[QUOTE=Tamschi;50705694] That's fine (as long as you don't let other people see it). Paper lists aren't hackable. [/QUOTE] I think he means [t]http://www.evinco-software.com/eng/techImage/windows7-two-sticky-notes.jpg[/t] "[B]windows sticky note[/B] on his fucking [B]desktop[/B]"
[QUOTE=J!NX;50708814]I think he means [t]http://www.evinco-software.com/eng/techImage/windows7-two-sticky-notes.jpg[/t] "[B]windows sticky note[/B] on his fucking [B]desktop[/B]"[/QUOTE] My friend did that with some of his passwords. He was streaming the other day, and minimized all his windows without thinking. Good thing his friends aren't assholes, and he deleted the vod straight away.
[QUOTE=TheTalon;50708318]That would take 2.9 minutes to crack at 100 billion guesses per second. The guy in the video was able to do 40 billion a second, so RIP that idea.[/QUOTE] 40 billion a second with MD5; newer hashing methods take much longer to calculate.
There's another reason why MD5 is insecure: [url=https://en.wikipedia.org/wiki/Collision_attack]collision attacks[/url]. Basically people can find a [U]different[/U] password that will generate the [I]same[/I] MD5 hash as your own password, and then use that to log in to some website where you use the same password. Although that only works if the other website doesn't use [url=https://crackstation.net/hashing-security.htm]proper salting[/url]
[QUOTE=Zelle;50705502]Or save your passwords in a text doc and copy-paste them. That's a lazy alternative, but whatever floats your boat.[/QUOTE] Sure, why not, all the other companies with plaintext credential lists were safe. Just kidding, that's a great way of getting yourself fired / your security clearance revoked at any company that has an IT team worth its salt. It's just as terrible for home use as well. KeePass is an extremely secure and wonderful thing.
[QUOTE=TheTalon;50708318]That would take 2.9 minutes to crack at 100 billion guesses per second. The guy in the video was able to do 40 billion a second, so RIP that idea.[/QUOTE] They were also testing against databases that were hashed with MD5, which is way too short nowadays. In the video the guy mentioned SHA512, which would take many, many times longer per hash.
[QUOTE=Gray Altoid;50710903]They were also testing against databases that were hashed with MD5, which is way too short nowadays. In the video the guy mentioned SHA512, which would take many, many times longer per hash.[/QUOTE] I do wonder how his 4 Titans would do against a list of SHA512 passwords. And also a list of bcrypted passwords too, just for good measure.
Swap that MD5 for some SHA512 with lots of iterations and suddenly your 40 billion is a few million at best.
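An added, runnable illustration of the points made in the dictionary-attack post (50k^4 combinations at 100 billion guesses/s) and in the post above about iterations; this is example code written for this thread, not from the Computerphile video or from any poster. It uses only the Python standard library. The wordlist and the "leaked" hashes are constructed for the demo; the iteration count of 20,000 is chosen only to keep the demo quick, not as a production recommendation, and `pbkdf2_store`/`pbkdf2_verify` and the `algo$iterations$salt$digest` record layout are this example's own, not any library's API.

```python
import hashlib
import hmac
import itertools
import math
import os

# Constructed toy wordlist for the demo. A real attacker's dictionary has
# tens of thousands of entries; the math functions below take that size as input.
WORDLIST = ["correct", "horse", "battery", "staple", "apple", "river", "cloud", "stone"]


def passphrase_entropy_bits(dict_size: int, words: int) -> float:
    """Entropy of `words` words chosen uniformly from a dictionary of `dict_size`."""
    return words * math.log2(dict_size)


def exhaust_seconds(dict_size: int, words: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every `words`-word phrase at a given guess rate."""
    return dict_size ** words / guesses_per_second


def kdf_limited_rate(fast_hash_rate: float, iterations: int) -> float:
    """Rough attacker guess rate once every guess costs `iterations` hash calls."""
    return fast_hash_rate / iterations


# --- Wrong: bare, unsalted MD5, as in the leaked databases the video cracks. ---
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_batch(targets, wordlist, words=4, sep=""):
    """Dictionary attack on a set of unsalted hashes. Because there is no salt,
    one pass over the candidate space recovers every matching hash at once:
    hashing a candidate costs the same whether you compare it to 1 or 1 million
    stolen hashes."""
    wanted = {t.lower() for t in targets}
    found = {}
    for combo in itertools.product(wordlist, repeat=words):
        candidate = sep.join(combo)
        digest = hashlib.md5(candidate.encode()).hexdigest()
        if digest in wanted:
            found[digest] = candidate
            if len(found) == len(wanted):
                break
    return found


# --- Better: per-user random salt + iterated PBKDF2-HMAC-SHA512 (stdlib only). ---
# The iteration count is the tunable work factor. 20_000 is an assumption that
# keeps this demo fast; take a production value from current OWASP guidance, and
# store it alongside the hash so it can be raised later without breaking records.
PBKDF2_ITERATIONS = 20_000


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)  # fresh per record, so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha512":
        return False
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(f"xkcd assumption, 2048^4: {passphrase_entropy_bits(2048, 4):.0f} bits")
    print(f"50k-word dictionary, 4 words, 1e11 guesses/s: "
          f"{exhaust_seconds(50_000, 4, 1e11) / 86400:.0f} days")
    print(f"40e9 MD5/s becomes ~{kdf_limited_rate(40e9, PBKDF2_ITERATIONS):.0e} guesses/s "
          f"at {PBKDF2_ITERATIONS} iterations")
    leaked = [md5_store("correcthorsebatterystaple"), md5_store("applerivercloudstone")]
    print("cracked in one pass:", crack_unsalted_batch(leaked, WORDLIST))
    rec = pbkdf2_store("correcthorsebatterystaple")
    print("verify ok:", pbkdf2_verify("correcthorsebatterystaple", rec),
          "| wrong pw:", pbkdf2_verify("staplebatteryhorsecorrect", rec))
```

The two things the MD5 cracker shows that the arithmetic alone does not: without a salt, every stolen hash in the dump is attacked by the same single pass, and each guess costs one hash. With the salted, iterated record, the attacker must redo the full iteration count per guess per user, which is where "40 billion becomes a few million" comes from; bcrypt, scrypt and Argon2 are the usual choices for the same reason, PBKDF2 is shown here only because it ships in the standard library.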
This reminds me of wanting to play with Microsoft's crypto algorithm they put on their research website. [url]https://www.microsoft.com/en-us/download/details.aspx?id=52371[/url] I don't have the time to really dig deep into it and use the code for something.
[QUOTE=Zelle;50705502]Or save your passwords in a text doc and copy-paste them. That's a lazy alternative, but whatever floats your boat.[/QUOTE] Storing passwords in plaintext. Brilliant! Next, why don't you e-mail them to yourself?
I use SMS authorization whenever I can. That seems pretty safe.