"How to Crack (almost) Any Password in Two Minutes"

Discussion in 'other security issues & news' started by Dazed_and_Confused, Oct 5, 2006.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    "How to crack (almost) any password in less than two minutes". That was the title of an article that appeared in Wednesday's (10/4) printed edition of the Financial Times. Really caught my attention.

    Here are some excerpts.

    "The encryption process produces a 'hash'. Rather than comparing the log-on to a database of words, an attacker can speed things up by using pre-computed hash tables. These tables contain 'hash values' for virtually every possible password, making the cracking of the password a simple process."

    Regarding Microsoft LAN Manager (LM) hashes, "The result is that virtually any hash can be cracked in a couple of minutes. There are failures but only very few."

    So my question is, does the above apply to Cryptosuite? Can my Cryptosuite archives be cracked in a couple of minutes with the right equipment? I generally use a 35 character passphrase, utilizing both (uppercase and lowercase) letters and numbers. Can these pre-computed hash tables really do this?? Wow. :eek:
  2. Escalader

    Escalader Registered Member

    Dear Dazed:

    IMHO Hackers can crack passwords. This is not new. So having strong passwords and changing them frequently has always been the best method no matter what hackers do or try to do.

    I don't want to seem simple minded here but it seems to me that if there are 100 passwords hackers want and they are stored via hash values you will have 100 hashes. Right? So it follows then that all this is about is faster scanning by hacker software of the places in your PC where the psw's are stored. They know the standard passwords, their 1st attempt is to try every word in the dictionary or the matching hash. Conclusion? Don't use dictionary words.

    Hide behind a H/W firewall and a S/W firewall of your choice. Keep your passwords OFF your PC on a USB stick or other media.

    You could even hide them in an password excel file that is encrypted. My excel file has a password to open it!

    Use the maximum length random password you can. Here are a couple I generated for you from RoboForm2Go:

    10 positions, 61 bit strength = @d8zgJa%tx
    15 positions, 91 bit strength = !n3kaz#HHhq^^Io
    25 positions, 153 bit strong = qMbrC3*%3z#4MZ$chtQzVy3QF
    50 positions, 306 bit strong = 3n!cUd9z^nAM6XvOrark!O7TY!yDgNVAcLFVpkrw5Y21oyI%S6

    My bank allows 32 positions so I get 196 bits =n#RZNsr0bh%!zBtFSm!gmgKg7wZPjJEk. Hacker hash or not isn't going to crack that this century!

    Now you see why you save them since no living person could ever remember them!

    Use a Firefox add-in if you don't have Robo; FF can generate psws as well!

    Put some of these into use and sleep easy. :D
  3. TNT

    TNT Registered Member

    No. Of course they can't. A good hash algorithm and a non-dictionary and hard to guess password won't be cracked, not even if 'hackers' try for ages with superfast computers. Now, the author talks about LM hashes, which are notoriously weak and flawed.

    But I challenge ANYBODY to guess what password produced a sha256 hash like the following.


    (and I even used only letters and numbers).
    Last edited: Oct 5, 2006
  4. Alphalutra1

    Alphalutra1 Registered Member

    Duh, "this is a very challenging password you non-l33t people" :D

    But to the original poster, any password with a good hash algorithm like sha-256, sha-512, whirlpool, etc. cannot be broken ATM (and probably not for many years).


  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Escalader - Hi. :) I've used RoboForm for all of my password needs for quite a while. However, I do keep that data on my PC. Your suggestion of using a USB stick is a good idea. I'll take it under advisement.

    I'm not as worried about someone trying to crack into my web bank account, which by the way only allows 10-digit passwords. I say that because if you type in an incorrect password more than a few times, you are locked out. So brute strength is not an option here.

    My main concern is my Cryptosuite archives, if they fall into the wrong hands. I used RoboForm to create the password I use for all my cryptosuite archives. If I understand what TNT and Alphalutra1 are saying, I should be good to go with my 35 digit cryptosuite passphrase.
  6. iceni60

    iceni60 ( ^o^)

    when your password gets over a certain length, 8 characters i think, then it gets difficult to generate and store those tables for LM hashes. the LM hash can be cracked because it's split in two - instead of a hash made from 14 characters, which is what it's supposed to be, it can be turned into two hashes from 7 letter characters. if the algorithm worked properly the tables won't work with lan man.

    i can't remember why, but even those lan man tables only work with something like 98% of hashes (or maybe that's just what can be stored on a dvd, not sure), so i suppose that shows with that algorithm anything over 7 alphanumeric characters is safe, you don't even need special characters. it's really clever stuff
  7. TheQuest

    TheQuest Registered Member

  8. VisiThink

    VisiThink Registered Member

    There are also certain security defects that make it easy to gain access to encrypted data in a few commercial and freeware products.

    I'd be interested to hear if the same issues affect CryptoSuite that seem to affect PGP and TrueCrypt.

    See reference: http://www.safehack.com/Advisory/pgp/PGPcrack.html
  9. Carver

    Carver Registered Member

  10. TNT

    TNT Registered Member

    Riiiiight... "Ultra Secure" all right, except now if you used Internet Explorer your passwords are in clear text on your hard disk in the cache folder. :eek:
  11. Devinco

    Devinco Registered Member

  12. Devil's Advocate

    Devil's Advocate Registered Member

    Er no. 8 is way too low, it's more like 15 or more. Anyway 8 makes no sense given what you correctly state below. Because the weakness of LM hash occurs only after 7 characters, saying 8 (which is after 7 and the weakness appears) is safe is contradictory.

    Correct except for the last part about tables won't work.

    As you know the concept of 'rainbow tables' is independent of the hash algorithm used. LMhash's problem makes it easier and cheaper to create such lookup tables, but the idea itself is independent of the weakness. There can be rainbow tables for MD5, SHA1 as well.

    "Anything over 7 alphanumeric characters is safe"? Utterly wrong. Rainbow tables for LMhash have been made up to 14 characters. If I didn't know better, I would have thought you are trying to mislead people on purpose.

    For what it's worth you can disable LMhash on NT class machines.


    But note

    "It is best to prevent storage of the LM hash if you do not need it for backward compatibility. If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems if you prevent the storage of LM hashes for your domain". But that won't apply to most home users.

    Additional note, NThash is more secure than LMhash because it doesn't have the splitting problem, but rainbow tables (basically lookup tables) for it can still be created....
  13. TNT

    TNT Registered Member

    Well, yeah right... except they're useless for cracking decent passwords anyway. An alphanumeric password (lowercase, uppercase and numbers) of just 10 characters has 839.299.366.000.000.000 possible combinations. To think it is feasible to store and use such table is just preposterous.
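Added example, not part of the original thread: a small Python model of the LM preprocessing described in posts 6 and 15 (pad to 14 characters, split into two 7-character halves, nothing usable stored past 14) set against the 10-character figure in post 13. The function names are hypothetical, an alphanumeric character set is assumed, and LM's uppercasing of input is a known property of the scheme that the thread does not state; the hash itself is not computed.

```python
# Added illustration (constructed, not from the thread). Models only LM's
# preprocessing and the resulting search space; it does not compute the hash.
LM_MAX, HALF = 14, 7

def lm_halves(password):
    """Return the two 7-character blocks LM hashes independently, or None
    when the password exceeds 14 characters (post 15: no usable LM hash)."""
    if len(password) > LM_MAX:
        return None
    padded = password.upper().ljust(LM_MAX, "\0")  # LM uppercases, NUL-pads
    return padded[:HALF], padded[HALF:]

def keyspace(charset_size, length):
    """Number of passwords of exactly `length` characters."""
    return charset_size ** length

def lm_table_entries(charset_size):
    """Entries in one lookup table covering every possible half (0 to 7
    characters). Both halves use the same table, so cost adds, not multiplies."""
    return sum(charset_size ** n for n in range(HALF + 1))

def compare(mixed=62, upper_only=36, length=10):
    """Contrast a full-length hash with LM for alphanumeric passwords."""
    full = keyspace(mixed, length)      # the 10-character count from post 13
    lm = lm_table_entries(upper_only)   # case folded: 26 letters + 10 digits
    return {"full": full, "lm_table": lm, "ratio": full // lm}

if __name__ == "__main__":
    for pw in ("abc", "Password123", "x" * 15):  # constructed samples
        print(repr(pw), "->", lm_halves(pw))
    r = compare()
    print(f"62^10 candidates:    {r['full']:,}")
    print(f"LM table (per half): {r['lm_table']:,}")
    print(f"ratio:               {r['ratio']:,}x")
```

For a defender the takeaway is that LM storage reduces any password of 14 characters or fewer to two independent 7-character problems, which is why disabling LM hash storage or using 15 or more characters, as the thread recommends, removes that exposure.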
  14. iceni60

    iceni60 ( ^o^)

    i was switching between passwords in general and lm hashes. i'm lazy and can't be bothered talking to you.
  15. Escalader

    Escalader Registered Member

    Hi Folks it's me again, a lot of good info in all your posts.

    For your information using my text "MS Windows xp Networking and Security" by Ed Bott and Carl Siechert (it cost me $32.99 US on amazon) produces the following "rule" on passwords pages 112, 113 (for those who know these things already I apologize and you can skip this post).

    In XP and 2000 psw's can be up to 127 characters long. In NT it was 14! LM hash uses a ... insecure storing method. It is stored incorrectly in windows xp/2000 if the password is at least 15 characters. An identical LM hash is used for any password longer than 14 characters! Thus the simple rule:

    "Use at least 15 characters for best security"

  16. TheQuest

    TheQuest Registered Member

    Hi, TNT

    What is this thing you call Internet Explorer?, I can not seem to find it on my Linux OS. :D

    Take Care,
    TheQuest :cool:
  17. TNT

    TNT Registered Member

    Well, that's good. ;) Anyway, this should be noted, as IE caches https pages too, by default. So, no matter how good that generation is, it should absolutely NOT be used with IE in default settings (they can be changed, or the cache can be securely overwritten...)
  18. herbalist

    herbalist Guest

    There is another way you can make some pretty strong passwords, and store them as a text file without having to worry about someone harvesting them.
    Start with a good sized text file. A book page would work nicely. Encrypt it with PGP, any key will do or make a one time key for the purpose. The result is a text file something like this, but larger. Mine is over 300 lines long.
    When you need a long password, select a line, line segment, or parts of several lines, copy and paste. All you have to remember is where you started and where you finished copying. Something simple like 3rd line, 3rd character thru 4th line 5th character. You can have huge passwords with upper and lower case, numbers, and other characters, and not have to remember them. A text editor that shows line numbers like Notepad Plus is ideal for this. Without knowing where you began, ended, the length of the password, and whether you skipped any areas, how many possible combinations would need to be checked? That's also assuming that whoever is looking for stored passwords doesn't go right past this file, thinking it's just another encrypted message and not the source material for passwords, especially if you had several such text files to add to the deception. The best place to hide something is in plain sight.
  19. Escalader

    Escalader Registered Member

    Hey Herb, it's late here I've got a cold and have to reschedule turkey day!

    Re hiding something in plain sight not a bad idea! My father in law (RIP) used to smuggle Florida oranges into Canada back in the 60's. He hid them in the trunk under the tarp, but put some booze right in front for the customs guys to find!

    Worked every time. We didn't care if they found the booze since we declared it anyway. They were so busy with that they overlooked the oranges!

    Must be a moral here somewhere but I'm too tired to figure it out.

    By the by I don't have to remember the long passwords, they are remembered for me by RoboForm2Go usb stick. Which is off line most of the time.

    I like the idea of offering the bad guys something to find that challenges them big time but when they crack it (if) they can do zip with it! Sort of a reverse hack! There, program that up.

    Good night
  20. Seishin

    Seishin Registered Member

    What about this one?:


    Is this one easily crackable?

    This is my previous password for my previous password account manager. I need to use some words (mixing the Buddhist word Amitabbha with numbers and other characters) I can remember because it's master password and the only place where I store it is in my mind. And nothing can crack my mind so far! :)

    Obviously I cannot memorise complex stuff like this:

    u203qI )O-qskL,SA}{p[q';w%c~|[;'.;,a9im.Z

    It would be insane.

    So what do you think?
  21. ErikAlbert

    ErikAlbert Registered Member

    You can use a complicated password and store it on a diskette with Notepad. Copy/paste it in the password area and remove the diskette when you don't need it anymore.

    Any password that is based on mnemonic tricks is more vulnerable.
    For instance, you start with a sentence and use rules to change it.

    Sentence = the quick brown fox jumps over the lazy dog.
    Removal of vowels : th qck brwn fx jmps vr th lz dg
    Reverse the words : ht kcq nwrb xf spmj rv ht zl gd
    Final result : htkcqnwrbxfspmjrvhtzlgd
    You can use special signs (in keyboard order) to separate the words or something more cunning.
    The more you improvise in the rules, the better, but random passwords are always better.
  22. Seishin

    Seishin Registered Member

    I see. What I'm going to do is use an automated password generator, generate a complex one and write it down in my notebook. I am more concerned about my Administrator account more than anything else. And to save this one the safest way is using a non-computer related external device.

    Thx for pointing in the right direction.

  23. ErikAlbert

    ErikAlbert Registered Member

    You certainly have to write it down on paper.
    But TYPING a password each time is quite annoying, that's why I copy/paste my password from a removable device to the password area. This way you don't have any type errors and it's much easier than typing.
  24. Seishin

    Seishin Registered Member

    I see and understand your point but at this stage, and after dealing with goblins in the past, I only rely on handwriting for this kind of task.

    Note: goblins (hidden creatures that love to corrupt external computing devices, ie floppies, USB sticks...) ;)
  25. Escalader

    Escalader Registered Member

    I too believe in gremlins, been around too long not to.

    Just to do the Canadian thing, you are both right, use the external device to save typing long random complex psw's, I use RoboForm2Go but that is just me.

    Since the technical gremlins really do exist I also print these out on real paper and then pin the sheet to my PC while I'm on vacation.... no no only kidding.

    Use the USB stick, floppy, whatever, but back it up on paper just in case.

    That is IMHO of course :thumb: