by lightup88 on 5/3/13, 1:03 PM with 49 comments
by kyrra on 5/3/13, 2:38 PM
Hashcat is a tool who's goal is to do various hashing functions as fast as possible in both CPU and GPU (depending on what the user has available). Where the tool gets interesting is the attack modes[1] it has. Each of the attack methods has different use cases, but I would say Rule-based and table-lookup are both fairly interesting (allow for smart generating of test passwords so things it's not a full character set brute-force).
Now, you have other groups that are going out and doing analysis on database password leaks[2]. This site tries to crack as many passwords as it can from publically leaked password databases (such as Gawker ane EHarmony), then do an analysis of the passwords they have cracked thus far. People can then use this data to write rules for Hashcat or other tools to possibly crack passwords a lot faster.
As rules for passwords change and people change their password habits, the crackers will adjust their methods. While this article does bring out some interesting points about passwords, it can still be good to know what tools the crackers have at their disposal so you can think about how to craft a password that won't be easily cracked.
[1] http://hashcat.net/wiki/#attack_modes
[2] http://www.adeptus-mechanicus.com/codex/hashpass/hashpass.ph...
by pornel on 5/3/13, 2:33 PM
Please do tell clearly when username was wrong. It won't disclose anything new, because you're already disclosing this information by validating registration form (and reg form will even disclose existence of registered e-mails by forbidding duplicate registration), existence of profile URLs, all kind of "add a friend" APIs, etc.
If you're really concerned about somebody compiling list of usernames by brute force (and you've patched all other places where you disclose it) then put rate limiting on the login form (you should have it anyway to prevent brute forcing of passwords).
by geal on 5/3/13, 2:15 PM
There are about 180000 words in English (but don't assume everybody knows 180000 words). That means that for three words, you have at most 5.810^15 options.
For a password with mixed case and numbers, you have 62 different characters. With, 9 characters, you have 1.310^16 options.
I can understand that people would prefer common words to remember them, but they are not that much stronger.
The best password is the password I don't need to remember: generate long random passwords, and store them in your browser, in Keepass, LastPass or whatever system of your choice.
by pizza on 5/3/13, 4:40 PM
i.e. "jjjjjjjjjjjjjjjjjjjjjjjjjjjj" is 224 bits as a string. Huffman-encoded, you only need 0=j as a code to convert it into 28 bits, a compression of 87.5%. So this is a good way of actually checking the security of a password, if it seems to have high entropy.
by jere on 5/3/13, 2:01 PM
I don't like this meme. Because it's not necessarily "more efficient." Like most things, it depends. If I have a password made of 10 lowercase characters, it's much better to replace with an upper case character rather than add another lower case one.
Option 1) Add a lower case character. Password is 26 times stronger.
Option 2) Replace 1 upper with 1 lower case character. Password is 1024 times stronger.
by danso on 5/3/13, 1:28 PM
Take point #4:
> "4. MYTH: Two-Factor Auth Means Any Password Will Do" > > This is absolutely not a dismissal of multi-factor auth. Use it when it’s available! Two factor is on the Stormpath roadmap, and we use it for many backend systems. Just don’t consider it a substitute for strong passwords.
The example that the OP blithely cites is Cloudflare's incident in 2012, when CloudFlare's CEO explained how his GMail account got compromised despite activating 2-factor authentication. However, if you actually click through the post, you see that CloudFlare's problem had nothing to do with a weak password, but a flaw in AT&T's authentication procedures which allowed a hacker to bypass GMail's password/auth requirement with a little social engineering. It had nothing to do with the CF CEO's password, which he says was strong and 20-characters long. In his case, it wouldn't matter if the password was 8 characters long and a dictionary word, if 2-factor auth worked as it was supposed to.
http://blog.cloudflare.com/post-mortem-todays-attack-apparen...
And that's kind of the whole dilemma of security, isn't it? That certain maxims ("Your password should be x characters long and contain y different kinds of characters") do not universally apply, and that the implementation of security protocols is extremely important into understanding your potential to be hacked. The OP's mythbusting is somewhat counter-productive here.
by venomsnake on 5/3/13, 3:10 PM
The only viable security I can think of is if we have distributed public key infrastructure. Bitcoin style wallets. And securing the "PK wallets" is up to the end user. Persona is close I think - so if the app fad/insanity finally dies we will be on a good track.
by mbesto on 5/3/13, 3:39 PM
Question for the smarter people out there. If everyone started using passwords like "donkey computer watch" would this mean that this format would then be much easier to crack as opposed to xy7*hdkSD
Security is a bit of game theory right?
by josefresco on 5/3/13, 3:58 PM
by eterm on 5/3/13, 2:16 PM
by pandog on 5/3/13, 1:44 PM