Top Mud Sites Forum - View Single Post

silvarilon · 06-07-2010, 08:44 PM

Happens quite regularly (relatively speaking). Fortunately, stronger hashes are constantly being created, and most of the reversing is done by serious cryptography researchers. So when a hash is found to be insecure it drops out of circulation pretty quickly. Without the users having to really be aware of what's going on. Next time they upgrade their software (which often automatically prompts them) they get the more secure version.

And often these weaknesses are extremely subtle, so if there are a few hanging around with the older hashes, it's not a huge problem.

Besides, you still need to get your hands on their hashed passwords before you can do anything with them.

Very much depends on how you use it. And depends how the information the MiM is receiving is encrypted.
True, you typically wouldn't end up with their password (in the nature of the word "Horse!") but you would potentially end up with a key that lets you read the transferred data after they've logged in. And if you can figure out that key which would be needed to listen in during the authentication, you'd then be able to get their actual password. Although if you wouldn't need it by that point.
(Caveat: Explanation has obviously been very simplified)

I'm not surprised. A number of people write their passwords into text files or word documents to avoid forgetting. Especially with systems that force regular password changes. I'd expect a very reasonable rate of success.

When I said I had a low success, I was assuming a pre-prepared dictionary guessing blind against the hashes.

How so?
a 6 letter password chosen from the first letters of a phrase, using only lowercase, has a search space of 26^6, or approximately 3*10^8
a 6 letter password chosen from lowercase and capital letters has a search space of 52^6, or approximately 2*10^10
A 6 letter password chosen from lowercase and capitals, and only the special characters ()&!@$ has a search space of 58^6, or approximately 3*10^10
If we include numbers and only the special characters above the numbers, we have a search space of 72^6 or 1*10^11 - this is the category "Horse!" would fall into, since they would probably try with numbers before trying with special characters.

So I'm confused how the first letters of a phrase has the larger search space. It seems that if you include caps, numbers, and special characters, then the "Horse!" password is larger by 3 orders of magnitude, not the other way around...

Remember, you don't have to actually use all the characters. You just have to force the cracker to need to consider that you *might* be using them. Using just one special character means they can't test using only letters, which means they will probably have to add all 10 special characters, since they won't know which one you used.

But at least use both caps and lower case. As you can see, that alone increases the search space by two orders of magnitude.

L33t is less significant in a dictionary attack. In a brute force, the potential characters are 1, 3, 4, 7, 0. So it'll take it from 52^6 to 57^6, or 3*10^10.
So it's adding about a 50% extra burden.

Only if that extra character is not a letter. Tack $ on the end and it's significant. Tack "j" on the end and you don't increase the search space.

Unless you mean that you'll tack it to the end of the 6 letter password, making a 7 letter password. That will increase the search space, of course. But then we're comparing apples to oranges. Tacking $ to the end to make a 7 letter password will then increase the search space by a WAY huger amount.

I'm assuming blind guessing.
You are entirely correct that there are techniques to help prioritize the more likely guesses. A frequency table will help you find the bad passwords sooner, while probably meaning you find the well-made passwords slower. (But since most people make bad passwords, you still win. And you probably only need one password, so you should get it as fast as you can, which means you're aiming for the worst, easiest, shortest password.)

At least, when bruting. When using other attacks, such as reversing the hash, the length of the password and combination doesn't much matter (since the system changes them all to the same length and sets the used characters already. So they're all equally strong once encrypted.)

This is an interesting topic. It reminds me how much cryptography I've forgotten

It's just not something I use or think about in daily life... when writing code you just plug in a pre-written cypher and forget about it.

06-07-2010, 08:44 PM	#7
silvarilon Member Join Date: Dec 2009 Posts: 144	Re: Passwords Happens quite regularly (relatively speaking). Fortunately, stronger hashes are constantly being created, and most of the reversing is done by serious cryptography researchers. So when a hash is found to be insecure it drops out of circulation pretty quickly. Without the users having to really be aware of what's going on. Next time they upgrade their software (which often automatically prompts them) they get the more secure version. And often these weaknesses are extremely subtle, so if there are a few hanging around with the older hashes, it's not a huge problem. Besides, you still need to get your hands on their hashed passwords before you can do anything with them. Very much depends on how you use it. And depends how the information the MiM is receiving is encrypted. True, you typically wouldn't end up with their password (in the nature of the word "Horse!") but you would potentially end up with a key that lets you read the transferred data after they've logged in. And if you can figure out that key which would be needed to listen in during the authentication, you'd then be able to get their actual password. Although if you wouldn't need it by that point. (Caveat: Explanation has obviously been very simplified) I'm not surprised. A number of people write their passwords into text files or word documents to avoid forgetting. Especially with systems that force regular password changes. I'd expect a very reasonable rate of success. When I said I had a low success, I was assuming a pre-prepared dictionary guessing blind against the hashes. How so? a 6 letter password chosen from the first letters of a phrase, using only lowercase, has a search space of 26^6, or approximately 310^8 a 6 letter password chosen from lowercase and capital letters has a search space of 52^6, or approximately 210^10 A 6 letter password chosen from lowercase and capitals, and only the special characters ()&!@$ has a search space of 58^6, or approximately 310^10 If we include numbers and only the special characters above the numbers, we have a search space of 72^6 or 110^11 - this is the category "Horse!" would fall into, since they would probably try with numbers before trying with special characters. So I'm confused how the first letters of a phrase has the larger search space. It seems that if you include caps, numbers, and special characters, then the "Horse!" password is larger by 3 orders of magnitude, not the other way around... Remember, you don't have to actually use all the characters. You just have to force the cracker to need to consider that you might be using them. Using just one special character means they can't test using only letters, which means they will probably have to add all 10 special characters, since they won't know which one you used. But at least use both caps and lower case. As you can see, that alone increases the search space by two orders of magnitude. L33t is less significant in a dictionary attack. In a brute force, the potential characters are 1, 3, 4, 7, 0. So it'll take it from 52^6 to 57^6, or 3*10^10. So it's adding about a 50% extra burden. Only if that extra character is not a letter. Tack $ on the end and it's significant. Tack "j" on the end and you don't increase the search space. Unless you mean that you'll tack it to the end of the 6 letter password, making a 7 letter password. That will increase the search space, of course. But then we're comparing apples to oranges. Tacking $ to the end to make a 7 letter password will then increase the search space by a WAY huger amount. I'm assuming blind guessing. You are entirely correct that there are techniques to help prioritize the more likely guesses. A frequency table will help you find the bad passwords sooner, while probably meaning you find the well-made passwords slower. (But since most people make bad passwords, you still win. And you probably only need one password, so you should get it as fast as you can, which means you're aiming for the worst, easiest, shortest password.) At least, when bruting. When using other attacks, such as reversing the hash, the length of the password and combination doesn't much matter (since the system changes them all to the same length and sets the used characters already. So they're all equally strong once encrypted.) This is an interesting topic. It reminds me how much cryptography I've forgotten It's just not something I use or think about in daily life... when writing code you just plug in a pre-written cypher and forget about it.