background preloader

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do. Imagine no more. The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. While Anderson's 47-percent success rate is impressive, it's miniscule when compared to what real crackers can do, as Anderson himself made clear. The Ars password team included a developer of cracking software, a security consultant, and an anonymous cracker. "These are terrible passwords," radix, who declined to give his real name, told Ars just a few minutes into run one of his hour-long cracking session. Related:  Password SecurityIT Security

Why passwords have never been weaker—and crackers have never been stronger In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too. The warnings Brooks and millions of other people received that December weren't fabrications. "The danger of weak password habits is becoming increasingly well-recognized," said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined.

The Usability of Passwords Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones. So let's dive into the world of passwords, and look at what makes a password secure in practical terms. Update: Read the FAQ (updated January 2011) Update - April 21, 2011: This article was "featured" on Security Now, here is my reply! How to hack a password The work involved in hacking passwords is very simple. Asking: Amazingly the most common way to gain access to someone's password is simply to ask for it (often in relation with something else). When is a password secure? You cannot protect against "asking" and "guessing", but you can protect yourself from the other forms of attacks. The measure of security must then be "how many password requests can the automated program make - e.g. per second". Like these: It takes:

How easy is it to hack JavaScript in a browser? This Q&A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users at Stack Exchange, a free, community-powered network of 100+ Q&A sites. Jesus Rodriguez asks: My question has to do with JavaScript security. Imagine an auth system where you're using a JavaScript framework like Backbone or AngularJS, and you need secure endpoints. That's not a problem, as the server always has the last word and will check if you're authorized to do what you want. But what if you need a little security without involving the server? For example, say you've got a client-side routing system and you want a concrete route to be protected for logged-in users. How easy is for a user to modify that variable and get access? My security (and JavaScript) knowledge isn't great. See the original question here. Sending secret data Joachim Sauer answers (66 votes): As you see, this answer doesn't really mention any JavaScript/Browser specifics. Another route Notes:

password analysis and cracking kit | projects | sprawl PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers. NOTE: The toolkit itself is not able to crack passwords, but instead designed to make operation of password crackers more efficient. Before we can begin using the toolkit we must establish a selection criteria of password lists. The most basic analysis that you can perform is simply obtaining most common length, character-set and other characteristics of passwords in the provided list. $ python statsgen.py rockyou.txt Below is the output from the above command: NOTE: You can reduce the number of outliers displayed by including the --hiderare flag which will not show any items with occurrence of less than 1%. ? For example, the very first mask, "? Using filters

Authentication News: Passwords Found in the Wild for January 2013 Studying the passwords dumped on the Internet by hackers back in December provided a good opportunity for me to measure the scope of the problem. Following that experience I decided to collect and correlate some new information when analyzing password dumps from January. Overview of Password Dumps Last month I found 110 password dumps which met my criteria* for analysis, down from 154 in December. A few of the dumps contained data from multiple sites. There were 90 specific organizations or domains named as the source of the passwords. From this collection, 40 dumps consisted primarily of plaintext passwords, exposing roughly 61,000 passwords (36% of the monthly total). Compared to 450,000 passwords dumped in December, this month's total of 170,000 passwords was significantly lower. I wasn't really surprised to see this result. There were 40 different hackers or hacker groups claiming credit for January's password dumps, and more hackers that chose to dump their data anonymously.

Shamir's Secret Sharing Shamir's Secret Sharing is an algorithm in cryptography created by Adi Shamir. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret. Counting on all participants to combine together the secret might be impractical, and therefore sometimes the threshold scheme is used where any of the parts are sufficient to reconstruct the original secret. Mathematical definition[edit] The goal is to divide secret (e.g., a safe combination) into pieces of data in such a way that: Knowledge of any or more pieces makes easily computable.Knowledge of any or fewer pieces leaves completely undetermined (in the sense that all its possible values are equally likely). This scheme is called threshold scheme. then all participants are required to reconstruct the secret. Shamir's secret-sharing scheme[edit] points to define a polynomial of degree Suppose we want to use a where

combinator_attack [hashcat wiki] Description Each word of a dictionary is appended to each word in a dictionary. Input If our dictionary contains the words: pass 12345 omg Test Output Hashcat creates the following password candidates: passpass pass12345 passomg passTest 12345pass 1234512345 12345omg 12345Test omgpass omg12345 omgomg omgTest Testpass Test12345 Testomg TestTest Combinator Attack Within oclhashcat-plus Using the Combinator Attack within oclhashcat-plus (not standalone version of Combinator Attack). The command for the Combinator Attack in oclhashcat-plus is -a 1 If you wish to add rules to either the left or right dictionary or both at once then you can use the -j or -k commands. -j, --rule-left=RULE Single rule applied to each word on the left dictionary -k, --rule-right=RULE Single rule applied to each word on the right dictionary Example. Dictionary 1 yellow green black blue Dictionary 2 car bike Commands -j $- -k $! The output would be… yellow-car! Supported by This attack is currently supported by:

Le piratage du fichier STIC rappelle l'efficacité des attaques par ingénierie sociale Ce Système de Traitement des Infractions Constatées rassemble des informations sur un peu plus de 36 millions de citoyens, soit parce qu'ils sont victimes, soit parce qu'ils sont mis en cause (mais pas nécessairement condamnés) dans une affaire de police. Il s'agit donc, bien entendu, d'informations dont l'accès est contrôlé. Pour déjouer ces contrôles, les pirates se sont fait passer, par téléphone, pour des policiers afin de se faire transmettre les données STIC relatives à plusieurs chanteurs de rap français. Comment ? Là encore, ils n'ont rien inventé : Kevin Mitnick disait déjà exploiter "le mensonge, la manipulation, l’influence et la politesse naturelle des gens". L'affaire vient d'être révélée par le site PC INpact, mais il ne s'agit pas d'un cas isolé. Et ce n'est pas une légende. Les conséquences d'une telle attaque peuvent être sévères. Comment se protéger face à de telles attaques ?

Why does the government disallow dynamic languages? This Q&A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users at Stack Exchange, a free, community-powered network of 100+ Q&A sites. Patrick asks: I know some people who are currently working on a project for the US military (low security level, non-combat, human resources type data). An initial state of the project code was submitted to the military for review, and they ran the program through some sort of security analyzer tool. One of the items that needed to be resolved was removal of part of the project that was written in Ruby as it is a dynamic language. What is the background/reason for not allowing a dynamic language to be used in a secure setting? See the full, original question here. It's the interpreter Thomas Owens♦ answers (22 votes): Dynamic languages can be used in defense and military applications. The fact that these languages are dynamic most likely isn't the problem. Dangerous tricks The trouble's in the tools

Related: