[ARSTECHNICA] How crackers make minced meat out of your passwords

post #1 of 15
Thread Starter 
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords
Quote:
Using a commodity computer with a single AMD Radeon 7970 graphics card, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate.
post #2 of 15
Well... At least I know my GPU is a good investment
post #3 of 15
Thread Starter 
Haha, got to go change my passwords now, getting paranoid
post #4 of 15
I'm glad the article mentioned bcrypt, which is becoming the new standard exactly because of these types of attacks.
post #5 of 15
Just think of the base of your password, make it long like 15 characters, then at the start, end, or at a specific spot in the middle, put the name of the specific website or game the password is for. Then you have a long password that is unique for every website and game. Main thing is the password needs to be long. They are the best defense.
post #6 of 15
Quote:
Originally Posted by amvnz

Just think of the base of your password, make it long like 15 characters, then at the start, end, or at a specific spot in the middle, put the name of the specific website or game the password is for. Then you have a long password that is unique for every website and game. Main thing is the password needs to be long. They are the best defense.

True that. Add in a capital letter or two and a number and you're super safe.
post #7 of 15
Quote:
Originally Posted by amvnz

Just think of the base of your password, make it long like 15 characters, then at the start, end, or at a specific spot in the middle, put the name of the specific website or game the password is for. Then you have a long password that is unique for every website and game. Main thing is the password needs to be long. They are the best defense.

I disagree that a long password is the best defense; if it's long, that just means it's harder/takes longer to crack. A better defense would be a long password that you change frequently. This is all beside the point though, because the article is talking about the passwords stored on a website that are used to log in to the site. It doesn't matter how complex your password is; if they can break the encryption, it's literally spelled out for them.
post #8 of 15
Hmm, I feel an experiment coming on. I might download that program and generate the hashes of my passwords, see how long it takes my 580s to nut them out.
post #9 of 15
Title should be "How crackers make mince meat out of your passwords, once they get access to the hash database, and the passwords are encrypted with plain MD5."
Just another scare article. No reputable site is going to be open access for the testing like this and doing these over the network, or even the internet, exponentially increases the time taken.
Not to mention they are calling MD5 one-way when there are a billion and one MD5 lookups to reverse it. Any hash without some form of salt on the server is entirely worthless as well. I don't care enough to read through their 3-page-long load of crap to see if it says whether the hashes they were using were salted or not, but it doesn't appear they were, and if they had been salted their results would be nowhere near 90%.

Just another article begging for hits from people being paranoid. You're more likely to have your secret questions answered from information made public on your Facebook than someone cracking it.
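The salting point made in post #9, as an added example that is not part of the original thread: it stores the same accounts once as unsalted MD5 and once with a per-user salt and a slow KDF, then checks which records a precomputed lookup table resolves. PBKDF2 from Python's standard library stands in for the bcrypt mentioned in post #4; the accounts, passwords, word list and iteration count are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which share a password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
ITERATIONS = 200_000  # assumed work factor for this example


def md5_record(password: str) -> str:
    """Unsalted fast hash: equal passwords always give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_record(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def kdf_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def exposed_by_lookup(records: dict[str, str], table: dict[str, str]) -> list[str]:
    """Accounts whose stored value appears in a digest -> password table."""
    return sorted(user for user, rec in records.items() if rec in table)


def audit() -> dict:
    # One table, built once from a constructed list of common passwords.
    table = {md5_record(p): p for p in ["123456", "letmein", "password"]}
    md5_db = {u: md5_record(p) for u, p in USERS.items()}
    kdf_db = {u: kdf_record(p) for u, p in USERS.items()}
    return {
        "md5_exposed": exposed_by_lookup(md5_db, table),
        "md5_duplicates_visible": md5_db["alice"] == md5_db["bob"],
        "kdf_exposed": exposed_by_lookup(kdf_db, table),
        "kdf_duplicates_visible": kdf_db["alice"] == kdf_db["bob"],
        "kdf_login_ok": kdf_verify("letmein", kdf_db["alice"]),
        "kdf_wrong_rejected": not kdf_verify("letmein", kdf_db["carol"]),
    }
```

The salt defeats the shared table and hides duplicate passwords; the iteration count is what raises the cost of each individual guess.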
post #10 of 15
Hah, well I'm somewhat happy, hashcat couldn't brute force my standard password (common one I use on things I don't really care about) - and that was after 13 mins and without any salt (I had a salted hash using the same salt from a forum I used to run, but pointless if it couldn't crack the unsalted password)

That said, that was a pure brute force attack - no word lists or anything that the "pros" have, and it was on a password that contained Upper+Lower case, Numbers and Symbols + some additional namespace padding and no letters within 2 keys of each other on the keyboard - oh, and I tried an old password from years ago that was just lowercase letters (no words) and 1 number, it cracked it in 1 minute and 7 seconds

I find drawing a pattern on the keyboard is much easier than trying to remember the password, that way you can make it real long, use a "pattern" of upper and lower case, and pad numbers and symbols, and all you need to know is the pattern - like an Android pattern lock for passwords

I agree, just a scare article really, but if it makes people use proper passwords rather than "mycatisagoodcat010101", then that's a good thing