The addition of a salt to a password makes rainbow tables much less effective because it makes the table space larger, even trading off chain length for convergence. However, rainbow tables are no longer the thing - with multi-GPU setups, password crackers just brute force passwords. Basically, the sequence is:
1. Using a large (20 million word) multiple language (but standard ASCII) dictionary derived from text sources across the WWW, hash the words in that dictionary with variants (leet-speak, other substitutions, plurals, added numbers, 8 for "ate", et cetera), and compare the outputs to the captured password file. Salt is basically a variant that can be accounted for - extra random characters.

2. If some passwords are of the type you dislike, then those can be brute-forced almost as fast as rainbow tables can be calculated. Salt is irrelevant in this process, other than making the effective number of bytes longer.

In the Ars articles, Step 1 seems to get as much as 90% of self-chosen passwords in a matter of hours. The practitioners in the Ars articles don't go on to Step 2, but I would expect that to take less than a week.

If the hash algorithm is captured along with the passwords, then the cracker has the advantage of knowing whether the web-site uses salt. Operating systems, of course, are studied off-line to determine the algorithm and use of salt.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024 M: 505-238-9359 P: 505-951-6084
NIPR: [email protected]
SIPR: [email protected] (send NIPR reminder)
JWICS: [email protected] (send NIPR reminder)

On Nov 18, 2013, at 11:48 AM, cody dooderson wrote:

> I find passwords really hard to remember. Especially those sites that require
> numbers, symbols, uppercase, and lower case characters. I personally would
> rather use a 20 character all lowercase password than an 8 character mixed
> symbol password. As a result I keep a document, in the cloud, with all of my
> passwords stored in plain text. Many of these passwords I could care less if
> someone cracked.
> Also, I was under the impression that salting prevents the use of rainbow
> tables.
>
> Cody Smith
>
>
> On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <[email protected]> wrote:
> WRT password cracking - Dan Goodin has a good series of articles on password
> cracking at Ars Technica.
>
> http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
> http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
>
> TL;DR - Current GPU-based password cracking using 20-million word
> dictionaries makes truly random passwords below 14 characters and nearly all
> pass-phrases susceptible to cracking in a relatively short time.
>
> On a related subject, roughly 75% of websites store passwords as nothing more
> complicated than simple, unsalted MD5 hashes. This is almost as easy to
> break as NTLM.
>
> Salt makes the initial crack more difficult, but if the same salt is used for
> all hashes, then subsequent cracks ignore it.
>
> WRT the use of PII - it's sold on various markets, correlated in a "big data"
> manner with other exposures, and, if enough information is available and the
> person's credit score is high enough, is used for credit attacks. In some
> cases, if banking information is correlated, the collection is used for
> banking attacks. If there is poor correlation but an email or FQDN is in the
> information, then the data may be used as a target list.
>
> Ray Parks
> Consilient Heuristician/IDART Program Manager
> V: 505-844-4024 M: 505-238-9359 P: 505-951-6084
> NIPR: [email protected]
> SIPR: [email protected] (send NIPR reminder)
> JWICS: [email protected] (send NIPR reminder)
>
>
>
> On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:
>
>> A forum I belong to has been hacked, including personal info as well as
>> passwords.
>>
>> How do they use this information?
>>
>> I presume they try the hash function on all combinations of possible
>> passwords. (Naturally optimized for faster convergence). They see a match,
>> i.e. a letter combination resulting in the given hash of the password.
>>
>> If they crack one password, does that make cracking the rest any easier?
>>
>> And does "salt" simply increase the difficulty, and indeed can it be
>> deduced, as above, by cracking a single password?
>>
>> .. or is it all quite different from this!
>>
>> -- Owen
>> ============================================================
>> FRIAM Applied Complexity Group listserv
>> Meets Fridays 9a-11:30 at cafe at St. John's College
>> to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
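Added example, not part of the thread and not any participant's code: a defender-side weak-password audit over constructed data, comparing unsalted, shared-salt and per-user-salt storage of a fast hash by how many hash evaluations a candidate list costs and how many accounts show repeated digests. The account names, passwords, candidate list and function names are all constructed for illustration.

```python
import hashlib
import os

# Constructed sample data: account name -> password (not from the thread).
USERS = {"alice": "sunshine1", "bob": "sunshine1",
         "carol": "p@ssw0rd", "dave": "kV9#tq2LmZ0x!rB7"}
CANDIDATES = ["123456", "p@ssw0rd", "letmein", "sunshine1", "dragon"]

def digest(salt: bytes, password: str) -> str:
    """Fast salted hash of the kind the thread discusses (MD5)."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def build_store(users, scheme):
    """Return {name: (salt, digest)} for 'unsalted', 'shared' or 'per_user'."""
    shared = os.urandom(8)
    store = {}
    for name, password in users.items():
        if scheme == "unsalted":
            salt = b""
        elif scheme == "shared":
            salt = shared            # one salt reused for every account
        else:
            salt = os.urandom(8)     # fresh random salt per account
        store[name] = (salt, digest(salt, password))
    return store

def audit(store, candidates):
    """Find accounts whose password is in candidates; count hash evaluations."""
    by_salt = {}
    for name, (salt, stored) in store.items():
        by_salt.setdefault(salt, {}).setdefault(stored, []).append(name)
    weak, evaluations = set(), 0
    for salt, digests in by_salt.items():
        for word in candidates:      # one hash per (distinct salt, word) pair
            evaluations += 1
            weak.update(digests.get(digest(salt, word), []))
    return weak, evaluations

def repeated_digests(store):
    """Number of accounts whose stored digest also appears on another account."""
    seen = [d for _, d in store.values()]
    return sum(1 for d in seen if seen.count(d) > 1)

if __name__ == "__main__":
    for scheme in ("unsalted", "shared", "per_user"):
        store = build_store(USERS, scheme)
        print(scheme, audit(store, CANDIDATES), repeated_digests(store))
```

With a shared salt the work is the same as with no salt once the salt is known; only per-user salts multiply the work by the number of accounts and hide which accounts share a password.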
