My wife read my article on passwords and “got it”. Which is nice. I was attempting to explain how password crackers use rule sets to modify input dictionaries to create more guesses from a single word list.
I decided to see how much things have advanced. To say I was shocked would be an understatement.
In 2013, the game “Battlefield” was hacked and the entire password database was captured.
This is not the major security threat you might instantly leap to, but it is bad.
Stealing Passwords
I worked in the Systems Group at my University. We were tasked with all software maintenance, installations, upgrades, and in house improvements to the operating system.
The systems group had taken the original manufacturer’s operating system and extended it to the point where it was no longer the same operating system. Having done this, we gave back all the code we had written to the manufacturer, who incorporated what they liked into their next release.
We had developed a long term backup plan. This plan was three tiered. We took daily backups of the entire file system. This was a rolling tape backup. There were 30 days of daily backups performed before the first tape was overwritten.
We also performed weekly backups. There were 52 weeks of weekly backups. So a total of 82 backup sets.
In addition to this, we did end of term backups. These were done just after the term ended. These tapes were kept.
What this meant was that if your file were to live for at least 24 hours, you would be able to recover to any particular day in the past 5 weeks of your file.
If your file were to exist over a weekend, you could recover that file to how it was on the weekend it was dumped for the past year. And if your file were to exist over the term break, it would exist for the lifetime of the storage. 9 track tapes now being dead, I’m not sure what the University did to preserve those old tapes.
In addition to these backups, we took a separate backup of the “password” file once a day. There were 30+ days of password file backups.
That is the setup. The actual story:
We used to give tours of the machine room. The operators enjoyed bragging about the quality of our backup system.
One of these tours, a little monster took one of the password backup tapes and put it in his backpack. He walked out of the machine room with that tape. Nobody noticed the missing tape for the next 30 days.
Said monster took that tape over to the engineering department, where they had their own 9 track tape drives. He read in the file.
He was presented with 10s of thousands of clear text passwords.
This had financial implications because we sold computer time.
We changed our policy to always encrypt the password file before it was written to tape. I have no idea if that encryption standard was any better than Sunday comic page ciphers.
No more Plain Text Passwords
The number of times somebody in a movie has gotten the idiot to give them somebody else’s password is astronomical. The truth is that most passwords are stored in an “encrypted” format. We don’t have access to your password.
We can reset your password, but we can’t tell you what it is because that isn’t recorded.
At the university, they were still storing passwords in plain text. They only encrypted the password when it was written to tape.
Modern systems store that password in an encrypted format. The old method was what is called “descrypt”.
The first two characters of the encrypted password is the “salt” and the rest is the DES hash of the password. This is NOT the same as encrypting your password with a secret and then being able to decrypt it with that same secret. Instead, we use your password to encrypt a given, known, piece of text. The encrypted result is what is stored.
When you provide your password, we encrypt the same text string with your password. If the resulting text matches what we have stored, you have proven you know the password.
Here are a couple of hashed passwords: SD2PFyBHY1oUY, q5M9nJsU/JSwI, sTd5NrAIMrisU, 8MbLuguRAeo92, $1$OcbNKu2y$l9faj.aCWodfonXiSlgnV0, $1$hh765lOJ$lrZ4jkCtUkG3qPBuFJQ/2., $5$2W0fdlfY.a/iXErF$xbzHcX8CfPc89vJkxsiC/BjDmqxI20Yk.Vj9OLL/6e2, and $5$HxfQ9B30d8GdmyPo$J6FWaeGKSez2cLbw3cktvaYgPvsTFaXdMzYp4yDcQjD.
These are all hashes of the same password, “hello world!”
Slow Them Down
Storing passwords in plain text is stupid. But computers are faster than you think. Thus, we want to slow down the speed at which computers can make guesses.
We do this by using a salt.
Consider the situation where you had 74,577,451,608 guesses you wanted to try. If you were to create the hash for each of those guesses, it might take you a bit of time. In the end, you would have them all. Now it is only seconds to look up the hash in a database/file and get the plaintext password used to generate that hash.
To fight this, we use the salt. The salt modifies the hashing process such that for any given password, there are many possible hashes to represent that password.
As shown above, even when using the same “hashing algorithm” we got many results.
This is to slow the guessing of passwords down.
And the results
In 2013, the game “battlefield” was cracked. They escaped with around a 1/4 million password hashes. These are not clear text, you can’t just type them into an account and get in, they are still “protected”.
I used a starting source of 184,000 known passwords. To this, I added an American and a British word list. I didn’t bother to get name lists for a total of 282,000 unique test words.
In the simplest case, with no salt applied, that is 184,000 * 282,000 different combinations to test.
In 2 minutes and 50 seconds, on my medium GPU and medium CPU, we tested 74,577,451,608 different passwords against 282,546 password hashes.
We were able to guess 7.30% of the passwords, or, 30943 passwords.
That is more than enough to make money.
| pilote50 | c0c4c074 | ninjustu | shana596 | ilovemom1122 |
| b02723 | wayfaerer | 170215556 | crouch69 | deafread |
| Hobbit0727 | 1steward | mckenzie12321 | tki915 | draguuns |
| bangbus | aliga2006 | flikker88 | dm1249 | bata501 |
| wysiwyg_2008 | blowover | caros1996 | poopscoop | Sugarcoat231 |
| silo93 | kotwica | har2602 | plasth13 | ambrochio |
| resistance2 | sluiter9 | overfiend | plexico0 | hitman1337 |
| jryans13 | 123sithi1 | kever1303 | negfaen | kaunas1986 |
| Miltons1 | wildcat0712 | 8621409 | Vj211290 | hondadragon2 |
| arginine | limpdown | itu202 | popo2214 | jasdie69 |
And you can see how bad they can be.
Leave a Reply