5 Oct
2019
5 Oct
'19
5:49 p.m.
I cracked a root password for a certain system, back in the ARPANET days.
If memory serves, it was 5 characters.
I was able to get my hands on the crypt() source, and figure out that
the first part of it was intentionally "lengthy" and it just
pre-computed a bunch of stuff on purpose. At least, that's my memory of
it at the time.
I was able to separate that precompute part, and then loop through all
combinations further down the crypt() function. Made it a lot faster.
Was able to crack a 5-character password in less than a week (or maybe
it was a few days) on a VAX-11/750. Of course, it was a simple password
consisting of lower-case alpha and no numerics.
I think the first letter of the password was "b" which helped a lot ;)
Nowadays, run hashcat on an HPC cluster and you can break a lot of stuff...
art k.
On 10/5/2019 1:29 PM, Michael Kjörling wrote:
On 3 Oct 2019 18:51 +0000, from
finnoleary(a)inventati.org (Finn O'Leary):
password was something interesting like
'./,..,/' (it was entirely
punctuation characters, was around three different characters in total, and
was pretty damn short).
I'm a bit late to the party here (it's been a
crazy week for me and
I'm only just now starting to catch up), but don't forget that hashed
Unix passwords back then were limited to eight bytes (actually I
believe the hard limit was 64 bits' worth of password, so if your
system used less than 8 bits per character, you could theoretically
cram more _characters_ into the password, but not more _entropy_,
which topped out at 2^64 no matter what you did, and in practice a
fair bit less because you wanted to be able to type it in).
Of course, this wasn't a problem in practice when even just hashing a
single candidate password took noticable fractions of a second. At 100
ms per hash, while you could exhaustively search the lower
alphanumerics four characters space within about two days (my
calculator says 1.944 * 86400 seconds for that) if you could hog the
computer for everyone, by the time you got to six characters the same
search would take almost 7 years, and eight characters the better part
of 9000 years (assuming you kept running it on the same hardware for
the duration).
Adding uppercase A-Z alongside lowercase a-z and 0-9 increases the
exhaustive search time even for the four characters password space to
about 17 days at 100 ms per hash. So with no additional information
for an attacker, even a [a-zA-Z0-9]{4} password was tolerably secure,
and a [a-zA-Z0-9]{5} one was more than good enough if you changed it
once a year (would take about three years to crack at 100 ms/hash).
William Cheswick mentioned 8e9 hashes per second. While that sounds
low for good ol' Unix crypt() to me, at that rate, an exhaustive
search of [a-z0-9]{8} would take about 353 days, again according to my
calculator. [a-z0-9]{4} would finish in about 18 seconds. My _guess_,
without having looked up current numbers, is that these figures are at
least some two orders of magnitude too high given modern hardware.
Just look at EFF's good ol' Deep Crack.
I wasn't really around much at the time, but if _The Cuckoo's Egg_ is
to be believed, the bigger problem was that people in general weren't
any better at choosing good passwords (or keeping them secret) back
then than they are today. That honestly wouldn't particularly surprise
me. Technology advances, but people remain largely the same?