"How to Crack (almost) Any Password in Two Minutes"

Discussion in 'other security issues & news' started by Dazed_and_Confused, Oct 5, 2006.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused
    Offline

    Dazed_and_Confused Registered Member

    "How to crack (almost) any password in less than two minutes". That was the title of an article that appeared in Wednesday's (10/4) printed edition of the Financial Times. Really caught my attention.

    Here are some excerpts.

    "The encryption process produces a 'hash'. Rather than comparing the log-on to a database of words, an attacker can speed things up by using pre-computed hash tables. These tables contain 'hash values' for virtually every possible password, making the cracking of the password a simple process."

    Regarding Microsoft LAN Manager (LM) hashes, "The result is that virtually any hash can be cracked in a couple of minutes. There are failures but only very few."

    So my question is, does the above apply to Crypotsuite? Can my Cryptosuite archives be cracked in a couple of minutes with the right equipment? I generally use a 35 character passphrase, utilizing both (uppercase and lowercase) letters and numbers. Can these pre-computed hash tables really do this?? Wow. :eek:
  2. Escalader
    Offline

    Escalader Registered Member

    Dear Dazed:

    IMHO Hackers can crack passwords. This is not new. So having strong passwords and changing them frequently has always been the best method no matter what hackers do or try to do.

    I don't want to seem simple minded here but it seems to me that if there are 100 passwords hackers want and they are stored via hash values you will have 100 hashes. Right? So it follows then that all this is about is faster scanning by hacker software of the places in you PC where the psw's are stored. They know the standard passwords, their 1st attempt is to try every word in the dictonary or the matching hash. Conclusion? Don't use dictonary words.

    Hide behind a H/W firewall and a S/W firewall of your choice. Keep your passwords OFF your PC on a USB stick or other media.

    You could even hide them in an password excel file that is encrypted. My excel file has a password to open it!

    Use the maximum length random password you can here are a couple I generated for you from RoboForm2Go:

    10 positions, 61 bit strength = @d8zgJa%tx
    15 positions, 91 bit strength = !n3kaz#HHhq^^Io
    25 positions, 153 bit strong = qMbrC3*%3z#4MZ$chtQzVy3QF
    50 positions, 306 bit strong = 3n!cUd9z^nAM6XvOrark!O7TY!yDgNVAcLFVpkrw5Y21oyI%S6

    My bank allows 32 positions so I get 196 bits =n#RZNsr0bh%!zBtFSm!gmgKg7wZPjJEk. Hacker hash or not isn't going to crack that this centry!

    Now you see why you save them since no living person could ever remember them!

    Use Firefox ad in if you don't have robo FF can generate psws as well!

    Put some of these into use and sleep easy.:D
  3. TNT
    Offline

    TNT Registered Member

    No. Of course they can't. A good hash algorithm and a non-dictionary and hard to guess password won't be cracked, not even if 'hackers' try for ages with superfast computers. Now, the author talks about LM hashes, which are notoriously weak and flawed.

    But I challenge ANYBODY to guess what password produced a sha256 hash like the following.

    7ef8796903e822c343836634c92bf7eecc5827cb24b8720745f93e6013ed6ba7

    (and I even used only letters and numbers).
    Last edited: Oct 5, 2006
  4. Alphalutra1
    Offline

    Alphalutra1 Registered Member

    Duh, "this is a very challenging password you non-l33t people" :D

    Put to the original poster, any password with a good hash algorithm like sha-256, sha-512, whirlpool, etc. cannot be broken ATM (and probably not for many years).

    Cheers,

    Alphalutra1
  5. Dazed_and_Confused
    Offline

    Dazed_and_Confused Registered Member

    Escalader - Hi. :) I've used RoboForm for all of my password needs for quite a while. However, I do keep that data on my PC. Your suggestion of using a USB stick is a good idea. I'll take it under advisement.

    I'm not as worried about someone trying to crack into my web bank account, which by the way only allows 10-digit passwords. I say that because if you type in an incorrect password more than a few times, you are locked out. So brute strength is not an option here.

    My main concern is my Cryptosuite archives, if they fall into the wrong hands. I used RoboForm to create the password I use for for all my cryptosuite archives. If I understand what TNT and Alphalutra1 are saying, I should be good to go with my 35 digit cryptosuite passphrase.
  6. iceni60
    Offline

    iceni60 ( ^o^)

    when your password gets over a certain length, 8 charactors i think, then it gets difficult to generate and store those tables for LM hashes. the LM hash can be cracked because it's split in two - instead of a hash made from 14 charactors, which is what it's suppose to be, it can be turned into two hashes from 7 letter charactors. if the algorithm worked properly the tables won't work with lan man.

    i can't remember why, but even those lan man tables only work with something like 98% of hashes (or maybe that's just what can be stored on a dvd, not sure), so i suppose that shows with that algorithm anything over 7 alphanumeric charactors is safe, you don't even need special charactors. it's really clever stuff
  7. TheQuest
    Offline

    TheQuest Registered Member

  8. VisiThink
    Offline

    VisiThink Registered Member

    There are also certain security defects that make it easy to gain access to encrypted data in a few commercial and freeware products.

    I'd be interested to hear if the same issues affect CryptoSuite that seem to affect PGP and TrueCrypt.

    See reference: http://www.safehack.com/Advisory/pgp/PGPcrack.html
  9. Carver
    Offline

    Carver Registered Member

  10. TNT
    Offline

    TNT Registered Member

    Riiiiight... "Ultra Secure" allright, except now if you used Internet Explorer your password are in clear text on your hard disk in the cache folder. :eek:
  11. Devinco
    Offline

    Devinco Registered Member

  12. Devil's Advocate
    Offline

    Devil's Advocate Registered Member

    Er no. 8 is way too low,it's more like 15 or more. Anyway 8 makes no sense given what you correctly state below. Because the weakness of LM hash occurs only after 7 characters, saying 8 (which is after 7 and the weakness appears) is safe is contradictory.

    Correct except for the last part about tables won't work.

    As you know the concept of 'rainbow tables' is independent of the hash algorthrim used. LMhash's problem makes it easier and cheaper to create such lookup tables, but the idea itself is independent of the weakness. There can be rainbow tables for MD5, SHA1 as well.

    "Anything over 7 alphanumeric characters is safe"? Utterly wrong. Rainbow tables for LMhash have being made up to 14 characters. If I didn't know better, I would have thought you are trying to mislead people on purpose.

    For what's it worth you can disable LMhash on NT class machines.

    http://support.microsoft.com/?kbid=299656

    But note

    "It is best to prevent storage of the LM hash if you do not need it for backward compatibility. If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems if you prevent the storage of LM hashes for your domain". But that won't apply to most home users.

    Additional note, NThash is more secure than LMhash because it doesn't have the splitting problem, but rainbow tables basically lookup tables for it can still be created....
  13. TNT
    Offline

    TNT Registered Member

    Well, yeah right... except they're useless for cracking decent passwords anyway. An alphanumeric password (lowercase, uppercase and numbers) of just 10 characters has 839.299.366.000.000.000 possible combinations. To think it is feasible to store and use such table is just preposterous.
  14. iceni60
    Offline

    iceni60 ( ^o^)

    i was switching between passwords in general and lm hashes. i'm lazy and can't be bothered talking to you.
  15. Escalader
    Offline

    Escalader Registered Member

    Hi Folks it's me again, a lot of good info in all your posts.

    For your information using my text MS Windows xp Networking and Security" by Ed Bott and Carl Siechert (it cost me $32.99 US on amazon) produces the following "rule" on passwords pages 112, 113 (for those who know these things already I appologize and you can skip this post).

    In XP and 2000 psw's can be up to 127 characters long. In NT it was 14! LM hash uses a ... insecure storing method. It is stored incorrectly in windows xp/2000 if the password is at least 15 characters. An identical LM hash is used for any password longer than 14 characters! Thus the simple rule:

    " Use at least 15 characters for best security"

    QED
  16. TheQuest
    Offline

    TheQuest Registered Member

    Hi, TNR

    What is this thing you call Internet Exploer?, I can not seem to find it on my Linux OS. :D

    Take Care,
    TheQuest :cool:
  17. TNT
    Offline

    TNT Registered Member

    Well, that's good. ;) Anyway, this should be noted, as IE caches https pages too, by default. So, no matter how good that generation is, it should absolutely NOT be used with IE in default settings (they can be changed, or the cache can be securely overwritten...)
  18. herbalist
    Offline

    herbalist Guest

    There is another way you can make some pretty strong passwords,and store them as a text file without having to worry about someone harvesting them.
    Start with a good sized text file. A book page would work nicely. Encrpyt it with PGP, any key will do or make a one time key for the purpose. The result is a text file something like this, but larger. Mine is over 300 lines long.
    Code:
    qANQR1DBwU4DtYA9uTfuIakQB/9uvGzkQzMIXrO3+jOAYSdW48jX/pMZJ1Bgm2Uo
    fpQsNOboJuagAoyPrZ8BhaIPpL9tsD7Aht5jjH3NIO0TObGC5hwKuNy1eYPKBdJE
    e2DpUu+woCbWuG2YWyirFJHhgMHScIgewSZj4nSgYeyEaiN2ozuNoWTMi2eRgVb7
    c936UOl5aE2DIE5hw/LmHNRFelSsbpTsQpeQG9O5iRtnawHIlqmjuYkQeS1jbDdX
    Bqf04HlPPfPJjLM1r6PEI4kwP1d5twDMOqL3W2qx2HX3JEMvkzqVnUjtv/cOxz30
    L0ghdabKnqqiZ9Q4n/VL5lI0LtDg/NjDsbD2DTK9ImtfoLwZB/9QycSVwhcumAMz
    J0Xfof1XotErFG1MlwVWq5FfTyNvF359NwWYpj3tg4FcNnRhBJlB1BoAKDX723bE
    TLf37H6oRswdivdf7N2b1BzbmzfAjfu74dlvRtrKjopA5nS7cVA8SEJB9EnVnAn5
    2yYnl8uwVWmTzdSH5ivkHCIag1IJEPQa36FpxJzHxk+kyXyx/tw3qtTZJl6jBfCE
    wrO1+O7oDwJpqPo+ku+NBrPMbzDENRcMIxWhHPp0ewK8YAtLdrrDzmjLo+hnwRX5
    EtOxSroMHwMIRDhfKo078hWpkjstIBzQJ1G5dNoctyGRTdNYPE/WDstosJNdVCUY
    fdduSkDgyeyvzJLs7jVQ/7XvJ+USL4glegeEHXqVBO2XrQ2iPlgbhHHBbm03Pwgi
    Xu6Z6esx1xptAZiQX8/opAvu9oi+rd5pP3A8XMnCHMQeBzhsx/m1IcXq0RfwkoGJ
    c2uQVX6OiswkAr9w5qtYP/LxcZNOJ/KvkaVRX90BUTBbsUXoE+vmFL9/hmadIr+m
    x/hwtf8XKjjBlQwP97cYmq/0MjAhZOYWpB1j8m7n1Pl5d3P78rfx3rs+VRPYqNrK
    /u8LkXbcIMddSWOkLUWvvwLqexWkjwkOYw+4GJCj/4hBDbG3ARq3TtKwwWdFrgNZ
    wa5+zDBXkLZ3rU5H7IYPWwURgSdrr0OZCri8K8nNCEvOcz+WM6Qg3mWxG1LXrjgp
    hX2W2XOBQ0KBlxyC7rytRfwzh+5dNjDu7cHvkvyRIx/1B1GlX6Qa5JAZfSR+ZlJ7
    8Nhk44rUoMY6xCbZ6ngmdHz7yq9GQNqj9Zvro3W2tjdJ6t8nuhJlhwDVtun0WsNp
    cKNykKnEs7+oWtc/3xAsjXpdSQ6Zx/f+LrEDtviYRS8ELFGN3/7jafY1AI7su2W2
    ZyTUH+z6If5E0MQFjF5+uFH1dSCiBu4E94k/edd/W1LJ6B1+n5Ez5OgwXXIhx4Ih
    hNSm/JxqsvU2I0B4eo7IbcHQm7+pc7X4SdiFzBg2trpVUffOvA8sjuBYQonHrXW/
    bx3iVHm9A8hjqcBznUho/CEvIaSveVAnifTJm//cKBEVXUVvP3CktQVrL43yCMiq
    VhOqDte6EfGfywturg6HSvkJyUsK6nHqcWdQjSsnfvu3b+a/e2E1A/PFOVQegtXt
    kJK3/9xTayQ2xotnoi4wfkL5DK1ygh6ASXA/AC1LqW2UNFYHKSA/vYy6kIgNBoYG
    ETcf6EehMsz6KlM1kJ6kEYxzINqN+eGOfUS9z+ExjETWQbVlFbS73AVToRaszN6x
    GmP4+KeEY9T/jy0k7+F7NONf8Ixcsx95bzsBUVzCGVibKDERA/lQl2fQlygr6DZc
    rwAqb0AAvpZ+PfsVn25jhzB5Gcuc0MnERX131SJnVMrk9NPzqzsSU8EE7Jpdws/V
    53ZwXqAPz+7vnyJT1KIhZT4JytNMD/JO7g95z+E/tSHXwUhtPRTm6B/GU1I+1VhB
    AmFw9ybzgEGcXrUEjxg02Tgdr4MHyYrx0w+LN/zuySIKRjuIppn2GbHpO4xhqOP6
    8Kk0E701JHi9pbAgeGgzaCsRdhKzRThBTmePqqN2a/L3o60NhDVG5ckX4p+VK2np
    7C3nsSb8xCAK2eZITLYF6vbjEO1FS65In/HywE44kYNO/y17EZvgcgO8zwc9Xla1
    bLgluQAOnWLOJowiTavoXuL8ClpjmcYa2+E0nSF/WJmOUNLa/cde8SiEZ/Egh8kB
    kmCNcrmiOG3Z9CnvXGFAPeX7UlSzwe0kg4a9H60yMM/zW4tBL6oyXdsuG3BFqvAE
    5NMi+R8xTss7yqj+3iHDBAqj/h4B90mWZvXnxFgCP35sW24tsyY/FIO2/lovYe5b
    9TWcPYJbE16bpnP+UUjpP9KoV2mUgRedDeTdAd1Ry3AY54q04sr7Z0q4kF04UIEA
    m1sGldHMESf3EOfXI62m+918gZh4qGZFI6R61HagYke+DF6GK83fQx//b7B7yI5w
    GmLv9qk+8y0I4q+SbOna1UPTwEob+TM6DR3jGObcxBYYTUEDeKTu/xmgnopvRoxZ
    nUo1zvjyBStSsdh3iu6QKmgWhfJxZ2zOgjjRWKrsZZMZla4R8JLamQxJbTcGf2zq
    y1R3G1OgorxuzBYNl/4/Dbq4c/3ogiwuTqvh5IzrLI7t8vPV43+30iMFhsxzHHFK
    arAYJz4V8ejjwpPkIH4nKzbTIzcz7Kcz74Urs/IFa0QXuosDDcNFKCcX7d/TYNJA
    BzkRffvZA8kMHTv495ukCIEAvXI5WXqgneYJ5XWfmv0wTD0y8m/pycRsDk3F6xHS
    yLtSbNF9U8asamEY7XiMBlhri1a/RiTJeVPIRQGAUb/as2/2oAiYhqrfMtzE1cvD
    u57WvEHg1a92iJ6tYReXHmC2uPC2Lc00COnH49In5+tJXSzUeBU0HuaJV7dmfnpy
    qMwEQckXGNTAfjkXBY8IwbF2Fhf1/To8f6fQPYmfolJI5PG4dgiGWv8BFzbCUS/O
    S+MxVV1ZY5oqU0rZBdmZXl7B20kFmxUw3fSQH+VKQoQv/eXBlOpkE0RvekH5obEI
    rPUTOYfjcN7n9G4kTexGFlRNwxdQfHcDd44j4AaDCXU0uocmGBvWa35uIURP1c1/
    YpFX7jVGAuJr+79yY9h2qqYYpw5COauqp42YX7kk1+4s/o2Zv1+usf9ZpragscjK
    Tt1R8vCG3P1xzA9vb82mei9kpRKfJkNO52lIXa2kWic3yCODeBNhJWJD7T1kA8wS
    When you need a long password, select a line, line segment, or parts of several lines, copy and paste. All you have to remember is where you started and where you finished copying. Something simple like 3rd line, 3rd character thru 4th line 5th character. You can have huge passwords with upper and lower case, numbers, and other characters, and not have to remember them. A text editor that shows line numbers like Notepad Plus is ideal for this. Without knowing where you began, ended, the length of the password, and whether you skipped any areas, how many possible combinations would need to be checked? That's also assuming that whoever is looking for stored passwords doesn't go right past this file, thinking it's just another encrypted message and not the source material for passwords, especially if you had several such text files to add to the deception. The best place to hide something is in plain sight.
    Rick
  19. Escalader
    Offline

    Escalader Registered Member

    Hey Herb, it's late here I've got cold and have to reschedule turkey day!

    Re hiding something in plain sight not a bad idea! My father in law (RIP) used to smuggle florida oranges into Canada back in the 60's. He hid them in the trunk under the tarp, but put some booze right in front for the customs guys to find!

    Worked every time. We didn't care if they found the booze since we declared it anyway. They were so busy with that they overlooked the oranges!

    Must be a moral here somewhere but I'm too tired to figure it out.

    Bye the bye I don't have to remember the long passwords they are rememberd for me by RoboForm2Go usb stick. Which is off line most of the time.

    I like the idea of offering the bad guys something to find that challenges them big time but when they crack it(if) they can do zip with it! Sort of a reverse hack! There, program that up.

    Good night
    :shifty:
  20. Seishin
    Offline

    Seishin Registered Member

    What about this one?:

    a10mitaBBha2-?'

    Is this one easily crackable?

    This is my previous password for my previous password account manager. I need to use some words (mixing the Buddhist word Amitabbha with numbers and other characters) I can remember because it's master password and the only place where I store it is in my mind. And nothing can crack my mind so far! :)

    Obvioulsy I cannot memorise complex stuff like this:

    u203qI )O-qskL,SA}{p[q';w%c~|[;'.;,a9im.Z

    It would be insane.

    So what do you think?
  21. ErikAlbert
    Offline

    ErikAlbert Registered Member

    You can use a complicated password and store it on a diskette with Notepad. Copy/paste it in the password area and remove the diskette when you don't need it anymore.

    Any password that is based on mnemonic tricks is more vulnerable.
    For instance, you start with a sentence and use rules to change it.

    Sentence = the quick brown fox jumps over the lazy dog.
    Removal of vowels : th qck brwn fx jmps vr th lz dg
    Reverse the words : ht kcq nwrb xf spmj rv ht zl gd
    Final result : htkcqnwrbxfspmjrvhtzlgd
    You can use special signs (in keyboard order) to separate the words or something more cunning.
    The more you improvize in the rules, the better, but random passwords are always better.
  22. Seishin
    Offline

    Seishin Registered Member

    I see. What I'm going to do is use an automated password generator, generate a complex one and write it down in my notebook. I am more concerned about my Administrator account more than anything else. And to save this one the safest way is using an non-computer related external device.

    Thx for pointing in the right direction.

    Regards.
  23. ErikAlbert
    Offline

    ErikAlbert Registered Member

    You certainly have to write it down on paper.
    But TYPING a password each time is quite annoying, that's why I copy/paste my password from a removable device to the password area. This way you don't have any type errors and it's much easier than typing.
  24. Seishin
    Offline

    Seishin Registered Member

    I see and understand your point but at this stage, and after dealing with goblins in the past, I only rely in handwriting for this kind of tasks.

    Note: goblins (hidden creatures that love to corrupt external computing devices, ie floppies, USB sticks...) ;)
  25. Escalader
    Offline

    Escalader Registered Member

    I too believe in gremlins, been around to long not to.

    Just to do the Canadian thing, you are both right, use the external device to save typing long random complex psw's, I use RoboForm2Go but that is just me.

    Since the techinical gremilins really do exist I also print these out on real paper and then pin the sheet to my PC while I'm on vaction.... no no only kidding.

    use the USb stick, floppy what ever but back it up on paper just in case.

    That is IMHO of course:thumb:
Thread Status:
Not open for further replies.