Password Cracking

the O Reilly connection

I had a look at an article which says a high end graphics card has the ability to break an 8 character password almost instantly. Is this true? I tested aircrack-ng with my own laptop and it took 85 minutes to run through all possibilities for an 8 digit numerical password.

https://www.hivesystems.com/blog/are-your-passwords-in-the-green

Quango Unchained

Password01 ?

Explosive_Cornflake

Depends on the hashing algorithm, but yeah, I wouldn't expect 8 numerals to take long at all.

the_amazing_raisin

DISCLAIMER: I am not a cybersecurity expert

It's important to note that the "instantaneously" category was either numbers only or a very short password of lowercase letters

This is where math gets fun. If you have 8 characters and numbers only then you've 10 possibilities per character which gives

10^8=100,000,000=100 million

At 37 seconds to crack that implies 2.7 million combinations per second which certainly seems feasible for a modern graphics card. Hell, a regular CPU should be able to get through the list quite quickly

Adding characters balloons the number of combinations quite dramatically. If you allow nunbers and lowercase letters then your combinations increases to 36 per character giving

36^8 = 2,821,109,907,456 = 2.8 trillion

Assuming 2.7 million combinations oer second was our limit then it'll take approximately 12 days to crack the password

Adding in uppercase letters and 10 special characters and also increasing the length to 12 characters would take 61 million years to crack even if you increased the combinations per second to 10 million

The chart actually says 164 million years so they probably added a few extra potential characters.

It's important to note that brute force attacks are only feasible if you manage to steal the password hash for a user. Trying to brute force a user login on a website would likely result in you being locked out or rate limited.

Even if the website has no safeguards and the latency per request was 50ms if would still slow you down to 57 days with the crap password

So it's important to monitor your online accounts for data breaches. Use sites like https://haveibeenpwned.com/ to monitor your email and password and see if it's been compromised

Use strong passwords or password managers to regularly rotate passwords

Final thing to say is that a phishing attack is far more common and effective, so never give any password or login details to anyone, whether over the phone or via text or email

irishgeo

https://www.boards.ie/discussion/comment/122943805#Comment_122943805

Turn on MFA and never mind rotating passwords

Passkeys are even better turn them on where supported.

the O Reilly connection

https://www.boards.ie/discussion/comment/122943805#Comment_122943805

So the chances of a hacker bypassing your wifi password aren't that high then?

the_amazing_raisin

https://www.boards.ie/discussion/comment/122944310#Comment_122944310

Assuming it's a strong password you should be fine

Always change the password and SSID from the default. In the past I heard Eir routers used a password based on the default SSID, so once you know how to figure out the password you could break any network running defaults

I'm not sure if packet sniffing compromised networks is very popular these days. Most web traffic is over HTTPS and so is encrypted across the network. It also has the disadvantage that you need to be nearby the network

I'd still try to use a VPN when on public WiFi if possible

the_amazing_raisin

https://www.boards.ie/discussion/comment/122943964#Comment_122943964

True, passkeys seem to be the way forward, unfortunately not all sites are using them yet

MFA is still vulnerable to phishing, or just good old device theft. I'm always amazed by stories in the news where someone got scammed into giving away an MFA code to someone

I'm sympathetic, but when there's multiple warnings everywhere telling you exactly what not to do and people still fall for it you have to wonder about the baseline intelligence of the species

LambshankRedemption

I'd still try to use a VPN when on public WiFi if possible

No, don't bother. I don't mean the VPN, I mean don't bother with the public WiFi. In your pocket you have a device you can hotspot or tether to which with 5G is going to be way faster than most public wifi anyway.

So the chances of a hacker bypassing your wifi password aren't that high then?

This graphic might amuse you:

Fun anecdote: A few years ago I was at my parents friends house around this time of year actually and asked for their WiFi code. They didn't know it. One of them went looking for the letter they had gotten went it first got installed. I took out my laptop and it turns out they were using WEP. It took me less time to crack their key then it took them to find the letter. Thats why WEP is no longer used.

With WPA3 it is a lot harder than it used to be for a single hacker to crack your wifi, but at the same time it has also become easier. There are online rainbow tables which means you don't have to generate the hashes yourself you can just look them up. You don't have to go out and buy a GPU to do it, you could just rent AWS space and have it done on that - probably for a lot cheaper than a GPU would cost.

The thirst for getting access to the internet is no longer there. A 10 euro SIM card will get you near unlimited data at 4G or 5G speeds. So people wont be hacking into your wifi for that. If you are worried about specific data on your computer, you are probably at greater risk of being spear phished.

Does that answer your question?

28064212

https://www.boards.ie/discussion/comment/122944310#Comment_122944310

Well first of all, bypassing and cracking aren't the same thing. Cracking means they actually obtain your password. Bypassing suggests they've found a way around your security.

Secondly, even assuming you mean cracking, that's not what the article says. They lay out their methods clearly, and in great detail. If the only thing a hacker has is access to is your hashed password, and the bcrypt hash function was used, and the hacker only uses a brute force method, then yes, the average times specified in their table are pretty accurate. Is that the scenario you're concerned about?

kippy

Bearing in mind this video is 8 years old now - this is how easy it is to "crack" a password in specificied circumstances.

https://www.youtube.com/watch?v=7U-RbOKanYs

That said, that is specific set of circumstances.

You can imagine with AI and more advanced hardware how much more straightforward this is nowadays, and indeed how many more data breeches there are since to discluse enypted passwords which aren't really that encypted at all.

As others have said there are ways to give youself some comfort - firstly I suppose is to use unique passwords across the net and to change them all regularily - be careful of the sites you trust with your data (that said some major sites have been breeched).

Use MFA if at all possible. But appreciate that MFA ain't fool proof either (give a person with the right resources and bad intentions).

https://www.youtube.com/watch?v=wVyu7NB7W6Y

I've also seen app based MFA breeched via token hijacking and a phising link become more common:

https://www.youtube.com/watch?v=GT-HOZseLY0

All of the above assumes you have something stealing and someone focused in on you.

Cracking/Hacking is a pain in the hole - it's much more straightforward to just ask someone for their credendials - even nowadays………….

circadian

https://www.boards.ie/discussion/comment/122944422#Comment_122944422

The old Jimi Hendrix Eircom hack.

https://www.theregister.com/2007/10/02/eircom_wireless_security_flaw/

ItHurtsWhenIP

If you properly use a password manager, the "Change your password regularly" thing is wrong!

If your password manager has generated a 99 character password, that is complete gibberish, you only need to change it if you suspect it has been breached.

If you are (re)using an 8 character password, then you should be changing it every 60-90 days and not by adding 1 to the number that you have in it. 😏

This has been the guidance since 2017.

https://pages.nist.gov/800-63-4/sp800-63b.html

LambshankRedemption

https://www.boards.ie/discussion/comment/122944756#Comment_122944756

My employer recently changed the policy on passwords. You dont need to change it every month anymore, just once a year. However you do have to have a master password of 22 characters. Thankfully I only have to type that bad boy in about once a month.

There have been a lot of myths spread about passwords over the years. "Dont use dictionary words" was one I always chuckled at. Obviously don't use one single word from the dictionary, like dog, but if you tie 3 or 4 words together, to a computer they just look like random letters. And it will take a lot longer to crack.

circadian

https://www.boards.ie/discussion/comment/122944756#Comment_122944756

Part of the reasoning behind changing the password often is in the event of a breach, it could be weeks or months before it's detected. If you rotate passwords and use different ones for every service then it reduces the impact of one getting picked up in a breach.

AbusesToilets

https://www.boards.ie/discussion/comment/122944796#Comment_122944796

I've read that has a negative effect, as people tend to just use variations of the same passwords or keyboard racetracks, as they're likely to forget their passwords with them forced to change them regularly

kippy

https://www.boards.ie/discussion/comment/122944756#Comment_122944756

I'm no expert, just passing on some interesting videos.

the_amazing_raisin

https://www.boards.ie/discussion/comment/122944787#Comment_122944787

It's worth remembering that the words based password only works if the words are randomly chosen and not part of a phrase, otherwise they're vulnerable to a dictionary attack

Of course that presumes that whoever is cracking the password knows that the password is made up of words, which is unlikely. Without that knowledge then a 4 word password with 5 letters per word is the same as 20 random letters, but probably easier to remember for the user

Unfortunately a lot of sites still require numbers and special characters but it's relatively easy to work those into a password (or passphrase at this point I guess)

nachouser

EarthHouseChairMouse99!

19 septillion years to crack, apparently.

...Ghost...

https://www.boards.ie/discussion/comment/122945674#Comment_122945674

what's your email address? I want to send you a free 12 month netflix sub.

ItHurtsWhenIP

https://www.boards.ie/discussion/comment/122944787#Comment_122944787

That's a good setup there. Yes, a long passphrase for the master password is a good shout too, but as others have said, as long as it's random words. 😏

https://www.boards.ie/discussion/comment/122944796#Comment_122944796

If the password that is breached is a 99 character pile of randomness, then it's hash isn't going to be cracked anytime before the heat death of the universe. Of course, if it's not the hash that is breached, but the plaintext, then you gots problems, which is where MFA comes into protect your account. It's all about the layers …

Mmmmm … Parfait … 😋

circadian

I agree on layers, but in the event of plaintext dumps you'll want to still limit your exposure to some sort of MFA hijack.

On that note, phone call verification and SMS verification is not a good way to do MFA for anyone that does this.

the_amazing_raisin

It's also worth considering how you can minimise your digital footprint as part of security

I'm not advocating weak passwords, but it's always worth taking a moment to think about what information you're putting out there and how it's being stored before putting anything online

Can't steal what isn't there in the first place after all 😁

Obviously there's some online services that it's very difficult to function without, but it's also worth looking through your old logins and thinking about whether you're really going to use that service again and whether you should delete the account to close off a potential vulnerability

LambshankRedemption

It's worth remembering that the words based password only works if the words are randomly chosen and not part of a phrase, otherwise they're vulnerable to a dictionary attack

That is one myth right there!

All passwords are vulnerable to a dictionary attack. What is extremely difficult is taking words from a dictionary to build into common phrases. Even more difficult to automate.

realdanbreen

https://www.boards.ie/discussion/comment/122944310#Comment_122944310

So what have you been up to?

AbusesToilets

https://www.boards.ie/discussion/comment/122945851#Comment_122945851

Bazzell M. Extreme Privacy. What It Takes to Disappear 2022 (1).pdf

A really solid guide to digital privacy

the_amazing_raisin

https://www.boards.ie/discussion/comment/122946368#Comment_122946368

Some very good information in there, thanks for that 👍

the O Reilly connection

https://www.boards.ie/discussion/comment/122944574#Comment_122944574

Well, I don't usually say this but that's mind blowing!

If a hacker is sharing the same network as you whips out Wireshark and captures the traffic between you and the router can they extract these hashes and have a go at breaking them?

LambshankRedemption

If a hacker is sharing the same network as you whips out Wireshark and captures the traffic between you and the router can they extract these hashes and have a go at breaking them?

Well, if they are sharing the same network as you, surely they know the key already?

This blog post might be of interest to you though: https://www.cyberark.com/resources/threat-research-blog/cracking-wifi-at-scale-with-one-simple-trick

jmreire

I used microsoft encript on USB drive, and have forgotten the password, any way of cracking or by passing it? I'm not a computer expert by any means, quite the opposite in fact. Or is it a lost cause? Even if I got a few of the letters or Nrs, I would remember the rest. ( if thats any help?

the_amazing_raisin

https://www.boards.ie/discussion/comment/122958958#Comment_122958958

Assuming you used a strong password then it's unlikely you can crack it. You can't crack individual characters, you either get the whole password via brute force or you don't know what is matching

That animation in the movies where they match 1 character of the password at a time is unfortunately BS

There might be some hope if you still have the computer used to encrypt the drive, some encryption programs will save a backup key to enable you to get past the security

I'm not familiar with MS Encrypt so not sure if this has similar capabilities