About that password ...
September 24, 2015 2:15 PM

Utility for testing (and cracking) "Is your password secure? We've all heard a lot of advice about what sorts of passwords you should never pick – and there are various tools that claim to assess the security of your password online. However, these can only be dubiously accurate. The only way to really test the security of your passwords is to try to break them." FUD and previously

"So today, we’re going to do just that. I’m going to show you how to use a tool that real hackers use to crack passwords, and show you how to use it to check yours. And, if it fails the test, I’ll show you how to pick safer passwords that will hold up."
posted by key_of_z (23 comments total) 16 users marked this as a favorite
 
Why does FUD just link to MakeUseOf.com? A mistake or a joke I'm just not getting?
posted by Shepherd at 3:11 PM on September 24, 2015 [1 favorite]


Might have to give this a try to see whether my 1password password is actually any good.
posted by DoctorFedora at 3:25 PM on September 24, 2015


Hash functions all deliver the same results, ...

Those little clues that suggest the author might not entirely understand what he's talking about.
posted by Wolfdog at 4:09 PM on September 24, 2015 [6 favorites]


Of course it kinda doesn't matter, if you're using either Chrome or Safari they have their own password protection. If you didn't know, both browsers change your password to asterisks if you try to type it out, as a security measure.

Check this out ********.

What I see is ******** but you guys see ********.

Give it a try!!!!
posted by jeremias at 4:11 PM on September 24, 2015 [2 favorites]


Oh, come now, if they really did that, all kinds of ordinary sentences like "I *********** a collie in the *******" would be asterisked out all over the internet.
posted by Wolfdog at 4:21 PM on September 24, 2015 [2 favorites]


Oh, come now, if they really did that, all kinds of ordinary sentences like "I *********** a collie in the *******" would be asterisked out all over the internet.

wait, you mean they're NOT?
posted by quonsar II: smock fishpants and the temple of foon at 4:25 PM on September 24, 2015 [2 favorites]


No, and if you read the article you'd know that neither "encountered" nor "village" would make very good passwords in any case.
posted by Wolfdog at 4:29 PM on September 24, 2015 [10 favorites]


Nor "threw" and "river".
posted by Greg_Ace at 4:43 PM on September 24, 2015 [1 favorite]


Nor "punched" and "dick".
posted by Greg_Ace at 4:43 PM on September 24, 2015 [1 favorite]


Those little clues that suggest the author might not entirely understand what he's talking about.

Ehh it sounds like a reasonable simplification. Every implementation of a hash function should give the same results, and you could probably call the function implementing a hash function a hash function.
posted by vogon_poet at 4:53 PM on September 24, 2015


jeremias: "Of course it kinda doesn't matter, if you're using either Chrome or Safari they have their own password protection. If you didn't know, both browsers change your password to asterisks if you try to type it out, as a security measure.

Check this out ********.

What I see is ******** but you guys see ********.

Give it a try!!!!
"

you can go hunter2 my hunter2-ing hunter2
posted by symbioid at 5:10 PM on September 24, 2015 [2 favorites]


Seriously, though - I didn't see the build of hashcat the author mentions, so I downloaded the nvidia, but when I try to run the command (replacing the filename of the binary with my actual binary from my download) it just gives me a shitton of command line argument explanations. WTF?
posted by symbioid at 5:11 PM on September 24, 2015


Oh double dashes for argument of hashtype and attack mode, but now it's telling me invalid attack mode. GAH!
posted by symbioid at 5:13 PM on September 24, 2015


Password memorization for shared accounts was, until recently, one of the banes of my married existence. My husband liked to come up with complicated passphrases from snippets of things that were meaningful to him, but impossible for me to remember. And implementing a password manager across all phones and devices and computers was a PITA. So after getting locked out of some financial thing for the umpteenth time, I sat down and brainstormed ways to do semi-unique password generation on an account-by-account basis. The winning algorithm (which lives in my head) takes as input the answers to a common set of questions about the site I'm logging into, then converts those answers to an alphanumeric string using a small shared codebook.

Upshot: I no longer have to remember passwords, just reference the codebook and remember the sequence of questions. And I can work out my husband's password for like, our health insurance login through his work without having to try a million things, ask him, guess, or hope we've got a password manager working and up to date on all accounts. And if I ever feel like we really need to up our security, we can just add more questions to create longer passwords, or swap out codebooks.

I am totally in love with this system for its balance of convenience and security, but uneasy about inputting a bunch of my passwords into some random utility to see how strong they actually are.
posted by deludingmyself at 5:20 PM on September 24, 2015 [2 favorites]


OK - got it working. My old school passwords (8 alphanumeric - cracked in seconds).

My newer harder ones, definitely taking more time.

Question: They're using MD5 to make it easier for us on our lowly computer to simulate an attack farm or whatever. What, exactly, would this be similar to? I mean, how many computers cracking what algorithm (AES? SHA?)
posted by symbioid at 5:31 PM on September 24, 2015


Those little clues that suggest the author might not entirely understand what he's talking about.


I caught that too but looking at the context I'm pretty sure what he meant to say was that a hash function always delivers the same result (given the same input).

Question: They're using MD5 to make it easier for us on our lowly computer to simulate an attack farm or whatever. What, exactly, would this be similar to? I mean, how many computers cracking what algorithm (AES? SHA?)

Even the new SHAs are not appropriate password hashing functions on their own for the same fundamental reason as MD5 - too quick to compute. Modern password-mangling algorithms are based on standard hash functions or ciphers but apply them in a process with many, many iterations. The exact difficulty of something like bcrypt or scrypt varies, because they do 2^N iterations, where N is adjustable. Scrypt also has an intentionally explosive memory requirement. Don't start feeling safe just yet though because his assertion that "in a real password leak" such an algorithm would have been used is... optimistic, shall we say.
posted by atoxyl at 6:43 PM on September 24, 2015 [1 favorite]
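The point atoxyl makes above (MD5 and the SHAs are too fast to protect passwords, and real password hashes add an adjustable 2^N work factor) can be measured directly. The following is an added example, not code from the thread or from the linked article: it runs a tiny dictionary attack against an unsalted MD5 hash, then against the same password hashed with PBKDF2-HMAC-SHA256 at 2**N iterations (standing in for bcrypt/scrypt, since PBKDF2 is in Python's standard library), and reports how many times more expensive each guess becomes. The wordlist, the salt and the "leaked" hashes are all constructed here.

```python
import hashlib
import hmac
import time

# Constructed sample wordlist (a real attack would use millions of entries).
WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon", "hunter2", "monkey", "iloveyou"]

# Constructed per-user salt; a real system draws a fresh one per user with os.urandom(16).
SALT = b"\x00constructed-salt"


def md5_hex(password: str) -> str:
    """Fast, unsalted MD5, as used by the article's exercise (and by the leaks it mimics)."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hex(password: str, salt: bytes, log2_iters: int) -> str:
    """PBKDF2-HMAC-SHA256 with 2**log2_iters iterations: a standard hash applied many
    times, the same adjustable-cost idea the comment describes for bcrypt/scrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** log2_iters).hex()


def dictionary_attack(target_hex: str, hash_one) -> tuple:
    """Try every wordlist entry against one target; returns (guess_or_None, guesses_tried)."""
    for i, guess in enumerate(WORDLIST, start=1):
        if hmac.compare_digest(hash_one(guess), target_hex):
            return guess, i
    return None, len(WORDLIST)


def seconds_per_guess(hash_one, samples: int = 20) -> float:
    """Median wall-clock cost of one guess, so one scheduler stall does not skew the ratio."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        hash_one("not-in-the-list")
        times.append(time.perf_counter() - t0)
    times.sort()
    return times[len(times) // 2]


def slowdown_factor(log2_iters: int) -> float:
    """How many times more expensive one slow-hash guess is than one MD5 guess.
    Every doubling of the iteration count roughly doubles this number."""
    fast = max(seconds_per_guess(md5_hex), 1e-9)
    slow = seconds_per_guess(lambda pw: slow_hex(pw, SALT, log2_iters))
    return slow / fast


if __name__ == "__main__":
    leaked_md5 = md5_hex("hunter2")
    print("MD5 target cracked as:", dictionary_attack(leaked_md5, md5_hex))
    leaked_slow = slow_hex("hunter2", SALT, 14)
    print("PBKDF2 target cracked as:",
          dictionary_attack(leaked_slow, lambda pw: slow_hex(pw, SALT, 14)))
    for n in (10, 12, 14):
        print(f"2^{n} iterations: each guess costs ~{slowdown_factor(n):.0f}x an MD5 guess")
```

Both targets fall to the same eight-word list, which is the part the work factor cannot fix: a weak password is still weak. What changes is the attacker's budget per guess, typically by a factor in the thousands even at modest N, which is exactly what makes a large wordlist or a mask attack impractical against a properly hashed leak.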


I'm pretty sure what he meant to say was that a hash function always delivers the same result (given the same input)

Sure, that's the salient point, but the fact that he said something completely different at that point is what suggests he either didn't understand it or didn't know how to write a sentence conveying it.
posted by Wolfdog at 6:58 PM on September 24, 2015


Sure, that's the salient point, but the fact that he said something completely different at that point is what suggests he either didn't understand it or didn't know how to write a sentence conveying it.

If you replace the word "all" in his sentence with the word "always" it does convey that point (though still a little awkwardly) and it just seems to me that this brain fart is probably what happened since later he seems to understand that MD5 and scrypt do not have the same output.
posted by atoxyl at 7:12 PM on September 24, 2015


Brute-forcing MD5 simulates hackers attacking your Ashley Madison account.
posted by fragmede at 7:18 PM on September 24, 2015 [1 favorite]


Don't they seed hashes anymore?
posted by Obscure Reference at 4:18 AM on September 25, 2015 [1 favorite]


Don't they seed hashes anymore?

Basic security procedures like random-salted hashes, or even not storing passwords in plaintext are surprisingly rare. But it sounds like the md5 hashes here were used as some sort of convenience function to avoid calculating the bcrypt or forcing the user to enter the password again and so somehow securing them in the same way as the passwords didn't occur to them.
posted by dis_integration at 6:33 AM on September 25, 2015
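The "seeding" Obscure Reference asks about is salting, and the failure dis_integration describes is worth seeing on a small scale. The following is an added example, not code from the thread or the linked article: three constructed users share the same password, stored once as bare MD5 and once with a random per-user salt (PBKDF2-HMAC-SHA256, stored as `salthex$hashhex`). Against the unsalted records, one precomputed table of wordlist hashes matches every user by lookup; against the salted records the same table matches nothing, and each user has to be attacked separately. The user list, the wordlist and the record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: three users who chose the same weak password.
USERS = {"alice": "password", "bob": "password", "carol": "password"}
ITERATIONS = 2 ** 12  # work factor; a production setting would be higher


def store_unsalted(password: str) -> str:
    """What the leak discussed above had: bare MD5, identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt, kept next to the hash as 'salthex$hashhex'.
    The salt is not secret; its job is to make every record unique."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def distinct_hash_count(records: dict) -> int:
    """Identical passwords collapse to one unsalted hash; salted ones stay distinct,
    so cracking one record no longer reveals every user who picked the same password."""
    return len(set(records.values()))


def precomputed_table_hits(records: dict, wordlist) -> int:
    """A lookup-table attack: hash the wordlist once, then match every user by dictionary
    lookup. It only works when the stored hash is a pure function of the password."""
    table = {store_unsalted(w): w for w in wordlist}
    return sum(1 for h in records.values() if h in table)


if __name__ == "__main__":
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    wordlist = ["password", "letmein", "qwerty"]
    print("distinct unsalted hashes:", distinct_hash_count(unsalted))
    print("distinct salted hashes:  ", distinct_hash_count(salted))
    print("table hits, unsalted:", precomputed_table_hits(unsalted, wordlist))
    print("table hits, salted:  ", precomputed_table_hits(salted, wordlist))
    print("alice logs in:", verify_salted("password", salted["alice"]))
```

The convenience shortcut described in the comment (a fast unsalted hash kept alongside the real bcrypt record) reintroduces exactly the first column above: whatever the slow hash cost an attacker, the MD5 copy hands the same password back at table-lookup speed.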


They Salt Hashes, Don't They?
an unforgettably cryptic story
posted by Wolfdog at 10:38 AM on September 25, 2015 [4 favorites]


I've been trying to use the hashcat tool. I got it running (using the double-hyphen someone else mentioned); I left it running overnight, and even now when I press [s]tatus it returns "caching segment, please wait..." and that's all I ever get out of it. Oh, and it's using about 60-75% CPU and making the fan run like mad. Does that mean it's broken, or that it can't recover my passwords?

I guess I should also add I've blocked the .exe from accessing the Internet, since I don't fully trust it not to leak my nifty (maybe un-breakable?) passwords.
posted by Greg_Ace at 10:24 AM on September 27, 2015



