"How to Crack (almost) Any Password in Two Minutes"

"How to crack (almost) any password in less than two minutes". That was the title of an article that appeared in Wednesday's (10/4) printed edition of the Financial Times. Really caught my attention.

Here are some excerpts.

"The encryption process produces a 'hash'. Rather than comparing the log-on to a database of words, an attacker can speed things up by using pre-computed hash tables. These tables contain 'hash values' for virtually every possible password, making the cracking of the password a simple process."

Regarding Microsoft LAN Manager (LM) hashes, "The result is that virtually any hash can be cracked in a couple of minutes. There are failures but only very few."

So my question is, does the above apply to Crypotsuite? Can my Cryptosuite archives be cracked in a couple of minutes with the right equipment? I generally use a 35 character passphrase, utilizing both (uppercase and lowercase) letters and numbers. Can these pre-computed hash tables really do this?? Wow.

 

Dear Dazed:

IMHO Hackers can crack passwords. This is not new. So having strong passwords and changing them frequently has always been the best method no matter what hackers do or try to do.

I don't want to seem simple minded here but it seems to me that if there are 100 passwords hackers want and they are stored via hash values you will have 100 hashes. Right? So it follows then that all this is about is faster scanning by hacker software of the places in you PC where the psw's are stored. They know the standard passwords, their 1st attempt is to try every word in the dictonary or the matching hash. Conclusion? Don't use dictonary words.

Hide behind a H/W firewall and a S/W firewall of your choice. Keep your passwords OFF your PC on a USB stick or other media.

You could even hide them in an password excel file that is encrypted. My excel file has a password to open it!

Use the maximum length random password you can here are a couple I generated for you from RoboForm2Go:

10 positions, 61 bit strength = @d8zgJa%tx
15 positions, 91 bit strength = !n3kaz#HHhq^^Io
25 positions, 153 bit strong = qMbrC3*%3z#4MZ$chtQzVy3QF
50 positions, 306 bit strong = 3n!cUd9z^nAM6XvOrark!O7TY!yDgNVAcLFVpkrw5Y21oyI%S6

My bank allows 32 positions so I get 196 bits =n#RZNsr0bh%!zBtFSm!gmgKg7wZPjJEk. Hacker hash or not isn't going to crack that this centry!

Now you see why you save them since no living person could ever remember them!

Use Firefox ad in if you don't have robo FF can generate psws as well!

Put some of these into use and sleep easy.

 

No. Of course they can't. A good hash algorithm and a non-dictionary and hard to guess password won't be cracked, not even if 'hackers' try for ages with superfast computers. Now, the author talks about LM hashes, which are notoriously weak and flawed.

But I challenge ANYBODY to guess what password produced a sha256 hash like the following.

7ef8796903e822c343836634c92bf7eecc5827cb24b8720745f93e6013ed6ba7

(and I even used only letters and numbers).

 

Duh, "this is a very challenging password you non-l33t people"

Put to the original poster, any password with a good hash algorithm like sha-256, sha-512, whirlpool, etc. cannot be broken ATM (and probably not for many years).

Cheers,

Alphalutra1

 

Escalader - Hi. I've used RoboForm for all of my password needs for quite a while. However, I do keep that data on my PC. Your suggestion of using a USB stick is a good idea. I'll take it under advisement.

I'm not as worried about someone trying to crack into my web bank account, which by the way only allows 10-digit passwords. I say that because if you type in an incorrect password more than a few times, you are locked out. So brute strength is not an option here.

My main concern is my Cryptosuite archives, if they fall into the wrong hands. I used RoboForm to create the password I use for for all my cryptosuite archives. If I understand what TNT and Alphalutra1 are saying, I should be good to go with my 35 digit cryptosuite passphrase.

 

when your password gets over a certain length, 8 charactors i think, then it gets difficult to generate and store those tables for LM hashes. the LM hash can be cracked because it's split in two - instead of a hash made from 14 charactors, which is what it's suppose to be, it can be turned into two hashes from 7 letter charactors. if the algorithm worked properly the tables won't work with lan man.

i can't remember why, but even those lan man tables only work with something like 98% of hashes (or maybe that's just what can be stored on a dvd, not sure), so i suppose that shows with that algorithm anything over 7 alphanumeric charactors is safe, you don't even need special charactors. it's really clever stuff

 

Hi, Dazed_and_Confused

Free Generator: GRC's Ultra High Security
Password Generator.

Take Care,
TheQuest

 

There are also certain security defects that make it easy to gain access to encrypted data in a few commercial and freeware products.

I'd be interested to hear if the same issues affect CryptoSuite that seem to affect PGP and TrueCrypt.

See reference: http://www.safehack.com/Advisory/pgp/PGPcrack.html

 

Is a Password Safe a good idea, or is it over kill. http://keepass.sourceforge.net/index.php

 

Riiiiight... "Ultra Secure" allright, except now if you used Internet Explorer your password are in clear text on your hard disk in the cache folder.

 

It's not a defect, that site is hogwash.
http://forums.truecrypt.org/viewtopic.php?t=4083

 

Er no. 8 is way too low,it's more like 15 or more. Anyway 8 makes no sense given what you correctly state below. Because the weakness of LM hash occurs only after 7 characters, saying 8 (which is after 7 and the weakness appears) is safe is contradictory.

Correct except for the last part about tables won't work.

As you know the concept of 'rainbow tables' is independent of the hash algorthrim used. LMhash's problem makes it easier and cheaper to create such lookup tables, but the idea itself is independent of the weakness. There can be rainbow tables for MD5, SHA1 as well.

"Anything over 7 alphanumeric characters is safe"? Utterly wrong. Rainbow tables for LMhash have being made up to 14 characters. If I didn't know better, I would have thought you are trying to mislead people on purpose.

For what's it worth you can disable LMhash on NT class machines.

http://support.microsoft.com/?kbid=299656

But note

"It is best to prevent storage of the LM hash if you do not need it for backward compatibility. If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems if you prevent the storage of LM hashes for your domain". But that won't apply to most home users.

Additional note, NThash is more secure than LMhash because it doesn't have the splitting problem, but rainbow tables basically lookup tables for it can still be created....

 

Well, yeah right... except they're useless for cracking decent passwords anyway. An alphanumeric password (lowercase, uppercase and numbers) of just 10 characters has 839.299.366.000.000.000 possible combinations. To think it is feasible to store and use such table is just preposterous.

 

i was switching between passwords in general and lm hashes. i'm lazy and can't be bothered talking to you.

 

Hi Folks it's me again, a lot of good info in all your posts.

For your information using my text MS Windows xp Networking and Security" by Ed Bott and Carl Siechert (it cost me $32.99 US on amazon) produces the following "rule" on passwords pages 112, 113 (for those who know these things already I appologize and you can skip this post).

In XP and 2000 psw's can be up to 127 characters long. In NT it was 14! LM hash uses a ... insecure storing method. It is stored incorrectly in windows xp/2000 if the password is at least 15 characters. An identical LM hash is used for any password longer than 14 characters! Thus the simple rule:

" Use at least 15 characters for best security"

QED

 

Hi, TNR

What is this thing you call Internet Exploer?, I can not seem to find it on my Linux OS.

Take Care,
TheQuest

 

Well, that's good. Anyway, this should be noted, as IE caches https pages too, by default. So, no matter how good that generation is, it should absolutely NOT be used with IE in default settings (they can be changed, or the cache can be securely overwritten...)

 

There is another way you can make some pretty strong passwords,and store them as a text file without having to worry about someone harvesting them.
Start with a good sized text file. A book page would work nicely. Encrpyt it with PGP, any key will do or make a one time key for the purpose. The result is a text file something like this, but larger. Mine is over 300 lines long.

Code:

qANQR1DBwU4DtYA9uTfuIakQB/9uvGzkQzMIXrO3+jOAYSdW48jX/pMZJ1Bgm2Uo
fpQsNOboJuagAoyPrZ8BhaIPpL9tsD7Aht5jjH3NIO0TObGC5hwKuNy1eYPKBdJE
e2DpUu+woCbWuG2YWyirFJHhgMHScIgewSZj4nSgYeyEaiN2ozuNoWTMi2eRgVb7
c936UOl5aE2DIE5hw/LmHNRFelSsbpTsQpeQG9O5iRtnawHIlqmjuYkQeS1jbDdX
Bqf04HlPPfPJjLM1r6PEI4kwP1d5twDMOqL3W2qx2HX3JEMvkzqVnUjtv/cOxz30
L0ghdabKnqqiZ9Q4n/VL5lI0LtDg/NjDsbD2DTK9ImtfoLwZB/9QycSVwhcumAMz
J0Xfof1XotErFG1MlwVWq5FfTyNvF359NwWYpj3tg4FcNnRhBJlB1BoAKDX723bE
TLf37H6oRswdivdf7N2b1BzbmzfAjfu74dlvRtrKjopA5nS7cVA8SEJB9EnVnAn5
2yYnl8uwVWmTzdSH5ivkHCIag1IJEPQa36FpxJzHxk+kyXyx/tw3qtTZJl6jBfCE
wrO1+O7oDwJpqPo+ku+NBrPMbzDENRcMIxWhHPp0ewK8YAtLdrrDzmjLo+hnwRX5
EtOxSroMHwMIRDhfKo078hWpkjstIBzQJ1G5dNoctyGRTdNYPE/WDstosJNdVCUY
fdduSkDgyeyvzJLs7jVQ/7XvJ+USL4glegeEHXqVBO2XrQ2iPlgbhHHBbm03Pwgi
Xu6Z6esx1xptAZiQX8/opAvu9oi+rd5pP3A8XMnCHMQeBzhsx/m1IcXq0RfwkoGJ
c2uQVX6OiswkAr9w5qtYP/LxcZNOJ/KvkaVRX90BUTBbsUXoE+vmFL9/hmadIr+m
x/hwtf8XKjjBlQwP97cYmq/0MjAhZOYWpB1j8m7n1Pl5d3P78rfx3rs+VRPYqNrK
/u8LkXbcIMddSWOkLUWvvwLqexWkjwkOYw+4GJCj/4hBDbG3ARq3TtKwwWdFrgNZ
wa5+zDBXkLZ3rU5H7IYPWwURgSdrr0OZCri8K8nNCEvOcz+WM6Qg3mWxG1LXrjgp
hX2W2XOBQ0KBlxyC7rytRfwzh+5dNjDu7cHvkvyRIx/1B1GlX6Qa5JAZfSR+ZlJ7
8Nhk44rUoMY6xCbZ6ngmdHz7yq9GQNqj9Zvro3W2tjdJ6t8nuhJlhwDVtun0WsNp
cKNykKnEs7+oWtc/3xAsjXpdSQ6Zx/f+LrEDtviYRS8ELFGN3/7jafY1AI7su2W2
ZyTUH+z6If5E0MQFjF5+uFH1dSCiBu4E94k/edd/W1LJ6B1+n5Ez5OgwXXIhx4Ih
hNSm/JxqsvU2I0B4eo7IbcHQm7+pc7X4SdiFzBg2trpVUffOvA8sjuBYQonHrXW/
bx3iVHm9A8hjqcBznUho/CEvIaSveVAnifTJm//cKBEVXUVvP3CktQVrL43yCMiq
VhOqDte6EfGfywturg6HSvkJyUsK6nHqcWdQjSsnfvu3b+a/e2E1A/PFOVQegtXt
kJK3/9xTayQ2xotnoi4wfkL5DK1ygh6ASXA/AC1LqW2UNFYHKSA/vYy6kIgNBoYG
ETcf6EehMsz6KlM1kJ6kEYxzINqN+eGOfUS9z+ExjETWQbVlFbS73AVToRaszN6x
GmP4+KeEY9T/jy0k7+F7NONf8Ixcsx95bzsBUVzCGVibKDERA/lQl2fQlygr6DZc
rwAqb0AAvpZ+PfsVn25jhzB5Gcuc0MnERX131SJnVMrk9NPzqzsSU8EE7Jpdws/V
53ZwXqAPz+7vnyJT1KIhZT4JytNMD/JO7g95z+E/tSHXwUhtPRTm6B/GU1I+1VhB
AmFw9ybzgEGcXrUEjxg02Tgdr4MHyYrx0w+LN/zuySIKRjuIppn2GbHpO4xhqOP6
8Kk0E701JHi9pbAgeGgzaCsRdhKzRThBTmePqqN2a/L3o60NhDVG5ckX4p+VK2np
7C3nsSb8xCAK2eZITLYF6vbjEO1FS65In/HywE44kYNO/y17EZvgcgO8zwc9Xla1
bLgluQAOnWLOJowiTavoXuL8ClpjmcYa2+E0nSF/WJmOUNLa/cde8SiEZ/Egh8kB
kmCNcrmiOG3Z9CnvXGFAPeX7UlSzwe0kg4a9H60yMM/zW4tBL6oyXdsuG3BFqvAE
5NMi+R8xTss7yqj+3iHDBAqj/h4B90mWZvXnxFgCP35sW24tsyY/FIO2/lovYe5b
9TWcPYJbE16bpnP+UUjpP9KoV2mUgRedDeTdAd1Ry3AY54q04sr7Z0q4kF04UIEA
m1sGldHMESf3EOfXI62m+918gZh4qGZFI6R61HagYke+DF6GK83fQx//b7B7yI5w
GmLv9qk+8y0I4q+SbOna1UPTwEob+TM6DR3jGObcxBYYTUEDeKTu/xmgnopvRoxZ
nUo1zvjyBStSsdh3iu6QKmgWhfJxZ2zOgjjRWKrsZZMZla4R8JLamQxJbTcGf2zq
y1R3G1OgorxuzBYNl/4/Dbq4c/3ogiwuTqvh5IzrLI7t8vPV43+30iMFhsxzHHFK
arAYJz4V8ejjwpPkIH4nKzbTIzcz7Kcz74Urs/IFa0QXuosDDcNFKCcX7d/TYNJA
BzkRffvZA8kMHTv495ukCIEAvXI5WXqgneYJ5XWfmv0wTD0y8m/pycRsDk3F6xHS
yLtSbNF9U8asamEY7XiMBlhri1a/RiTJeVPIRQGAUb/as2/2oAiYhqrfMtzE1cvD
u57WvEHg1a92iJ6tYReXHmC2uPC2Lc00COnH49In5+tJXSzUeBU0HuaJV7dmfnpy
qMwEQckXGNTAfjkXBY8IwbF2Fhf1/To8f6fQPYmfolJI5PG4dgiGWv8BFzbCUS/O
S+MxVV1ZY5oqU0rZBdmZXl7B20kFmxUw3fSQH+VKQoQv/eXBlOpkE0RvekH5obEI
rPUTOYfjcN7n9G4kTexGFlRNwxdQfHcDd44j4AaDCXU0uocmGBvWa35uIURP1c1/
YpFX7jVGAuJr+79yY9h2qqYYpw5COauqp42YX7kk1+4s/o2Zv1+usf9ZpragscjK
Tt1R8vCG3P1xzA9vb82mei9kpRKfJkNO52lIXa2kWic3yCODeBNhJWJD7T1kA8wS

When you need a long password, select a line, line segment, or parts of several lines, copy and paste. All you have to remember is where you started and where you finished copying. Something simple like 3rd line, 3rd character thru 4th line 5th character. You can have huge passwords with upper and lower case, numbers, and other characters, and not have to remember them. A text editor that shows line numbers like Notepad Plus is ideal for this. Without knowing where you began, ended, the length of the password, and whether you skipped any areas, how many possible combinations would need to be checked? That's also assuming that whoever is looking for stored passwords doesn't go right past this file, thinking it's just another encrypted message and not the source material for passwords, especially if you had several such text files to add to the deception. The best place to hide something is in plain sight.
Rick

 

Hey Herb, it's late here I've got cold and have to reschedule turkey day!

Re hiding something in plain sight not a bad idea! My father in law (RIP) used to smuggle florida oranges into Canada back in the 60's. He hid them in the trunk under the tarp, but put some booze right in front for the customs guys to find!

Worked every time. We didn't care if they found the booze since we declared it anyway. They were so busy with that they overlooked the oranges!

Must be a moral here somewhere but I'm too tired to figure it out.

Bye the bye I don't have to remember the long passwords they are rememberd for me by RoboForm2Go usb stick. Which is off line most of the time.

I like the idea of offering the bad guys something to find that challenges them big time but when they crack it(if) they can do zip with it! Sort of a reverse hack! There, program that up.

Good night

 

What about this one?:

a10mitaBBha2-?'

Is this one easily crackable?

This is my previous password for my previous password account manager. I need to use some words (mixing the Buddhist word Amitabbha with numbers and other characters) I can remember because it's master password and the only place where I store it is in my mind. And nothing can crack my mind so far!

Obvioulsy I cannot memorise complex stuff like this:

u203qI )O-qskL,SA}{p[q';w%c~|[;'.;,a9im.Z

It would be insane.

So what do you think?

 

You can use a complicated password and store it on a diskette with Notepad. Copy/paste it in the password area and remove the diskette when you don't need it anymore.

Any password that is based on mnemonic tricks is more vulnerable.
For instance, you start with a sentence and use rules to change it.

Sentence = the quick brown fox jumps over the lazy dog.
Removal of vowels : th qck brwn fx jmps vr th lz dg
Reverse the words : ht kcq nwrb xf spmj rv ht zl gd
Final result : htkcqnwrbxfspmjrvhtzlgd
You can use special signs (in keyboard order) to separate the words or something more cunning.
The more you improvize in the rules, the better, but random passwords are always better.

 

I see. What I'm going to do is use an automated password generator, generate a complex one and write it down in my notebook. I am more concerned about my Administrator account more than anything else. And to save this one the safest way is using an non-computer related external device.

Thx for pointing in the right direction.

Regards.

 

You certainly have to write it down on paper.
But TYPING a password each time is quite annoying, that's why I copy/paste my password from a removable device to the password area. This way you don't have any type errors and it's much easier than typing.

 

I see and understand your point but at this stage, and after dealing with goblins in the past, I only rely in handwriting for this kind of tasks.

Note: goblins (hidden creatures that love to corrupt external computing devices, ie floppies, USB sticks...)

 

I too believe in gremlins, been around to long not to.

Just to do the Canadian thing, you are both right, use the external device to save typing long random complex psw's, I use RoboForm2Go but that is just me.

Since the techinical gremilins really do exist I also print these out on real paper and then pin the sheet to my PC while I'm on vaction.... no no only kidding.

use the USb stick, floppy what ever but back it up on paper just in case.

That is IMHO of course