Hackers crack 16-character passwords in less than an HOUR - GoFuckYourself.com

Nasty · 05-28-2013, 01:50 PM

This is pretty disturbing

During an experiment for Ars Technica hackers managed to crack 90% of 16,449 hashed passwords. Six passwords were cracked each minute including 16-character versions such as 'qeadzcwrsfxv1331'

A 25-computer cluster that can cracks passwords by making 350 billion guesses per second. It was unveiled in December by Jeremi Gosney, the founder and CEO of Stricture Consulting Group. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords.

The article
http://www.dailymail.co.uk/sciencete...ords-hour.html

nexcom28 · 05-28-2013, 01:52 PM

350 billion guesses per second...

Intrinsic · 05-28-2013, 01:54 PM

I heard the safest passwords were four word combos with dashes (??) and would take forever to crack

example: take-fish-dirt-reed
example: sdfk-fjsd-weij-akji

shake · 05-28-2013, 01:56 PM

Wow that's a lot of GPU power.

_Richard_ · 05-28-2013, 01:57 PM

damn they're coming along nicely

ajrocks · 05-28-2013, 01:57 PM

most systems have brute force prevention in place to prevent this sort of stuff. But if they came in using a bot net you would be in trouble until you caught it.

shake · 05-28-2013, 01:57 PM

Quote:

Originally Posted by Intrinsic

I heard the safest passwords were four word combos with dashes (??) and would take forever to crack

example: take-fish-dirt-reed
example: sdfk-fjsd-weij-akji

Pass phrases were all the rage for a bit, but I think even those would be crackable, unless they are very long. Pretty soon we'll have to use a USB drive with a megabyte size password or something.

seeandsee · 05-28-2013, 01:59 PM

but this will work to unpack and unprotect files, to access your NET accounts, he can't do it via bruteforce, server and program will just take it down...

nexcom28 · 05-28-2013, 01:59 PM

Quote:

Originally Posted by Intrinsic

I heard the safest passwords were four word combos with dashes (??) and would take forever to crack

example: take-fish-dirt-reed
example: sdfk-fjsd-weij-akji

I doubt that would take much working out.

1. You have x4 dictionary words
2. Just putting 4 dashes in aint gonna fool no-one.

I think site owners really need to make their sites secure against multiple login attempts rather than getting us to remember 5%6Yy*5$fdd1$8>KKhJo)o or some such shit.

Klen · 05-28-2013, 02:30 PM

Quote:

Originally Posted by nexcom28

I doubt that would take much working out.

1. You have x4 dictionary words
2. Just putting 4 dashes in aint gonna fool no-one.

I think site owners really need to make their sites secure against multiple login attempts rather than getting us to remember 5%6Yy*5$fdd1$8>KKhJo)o or some such shit.

Actualy it's better to have password like "iliketurtlesandsausegeswithcream12345"which is long enough yet still easy to remember.

Beside as longest you have some sort of bruteforce protection things like this dont mean much.

edgeprod · 05-28-2013, 02:45 PM

Lichen · 05-28-2013, 03:15 PM

Quote:

Originally Posted by Intrinsic

I heard the safest passwords were four word combos with dashes (??) and would take forever to crack

example: take-fish-dirt-reed
example: sdfk-fjsd-weij-akji

Include numbers, special characters and uppercase/lowercase. Like this:

71#Testpassword

spiederman · 05-28-2013, 03:22 PM

surrentlysober is pretty safe with Icunta4rdapassw0rd

grumpy · 05-28-2013, 03:30 PM

great server if it allows you 3.5 billion tries a second.

nexcom28 · 05-28-2013, 03:35 PM

Quote:

Originally Posted by grumpy

great server if it allows you 3.5 billion tries a second.

I could do with it for my sites

_Richard_ · 05-28-2013, 03:39 PM

Quote:

Originally Posted by edgeprod

pornmasta · 05-28-2013, 03:44 PM

Quote:

The example, Ars Technica use is: hashing the password 'arstechnica' produced the hash c915e95033e8c69ada58eb784a98b2ed

Read more: http://www.dailymail.co.uk/sciencete...#ixzz2Ud94lCOi

md5 hashing... this problem is not new

edgeprod · 05-28-2013, 04:01 PM

Quote:

Originally Posted by grumpy

great server if it allows you 3.5 billion tries a second.

Likely, the crackers had the hashes available, and were cracking against the hashes, versus against a live server.

Grapesoda · 05-28-2013, 05:05 PM

Quote:

Originally Posted by nexcom28

I doubt that would take much working out.

1. You have x4 dictionary words
2. Just putting 4 dashes in aint gonna fool no-one.

I think site owners really need to make their sites secure against multiple login attempts rather than getting us to remember 5%6Yy*5$fdd1$8>KKhJo)o or some such shit.

I use passwords like this: `#LG\`yf8tyLkx5([Rd9RA ....the only issue is some sites won't allow special characters...

The Heron · 05-28-2013, 08:14 PM

I don't use a password, just leave it blank they can guess all they want they'll never solve it!!

rowan · 05-28-2013, 08:49 PM

Did any of you guys actually read the article? correcthorsebatterystaple is a little harder to crack, but not impossible. They use custom dictionaries that brute force multiple WORDS as well as multiple characters.

Basileus · 05-28-2013, 10:43 PM

Because only retards use md5. If it was SHA512 we'd never see this article ;)

Chosen · 05-28-2013, 11:34 PM

Quote:

Originally Posted by spiederman

surrentlysober is pretty safe with Icunta4rdapassw0rd

pimpmaster9000 · 05-29-2013, 01:21 AM

if your system is open to brute force then you pretty much deserve what happens...

Markul · 05-29-2013, 01:34 AM

Quote:

Originally Posted by edgeprod

That is awesome

just a punk · 05-29-2013, 02:58 AM

Quote:

Originally Posted by ajrocks

most systems have brute force prevention in place to prevent this sort of stuff. But if they came in using a bot net you would be in trouble until you caught it.

Please read carefully. Whey did that on password hashes.

Barry-xlovecam · 05-29-2013, 07:32 AM

Quote:

Originally Posted by Basileus

Because only retards use md5. If it was SHA512 we'd never see this article ;)

QFT

edgeprod · 05-29-2013, 10:51 AM

Quote:

Originally Posted by rowan

Did any of you guys actually read the article? correcthorsebatterystaple is a little harder to crack, but not impossible. They use custom dictionaries that brute force multiple WORDS as well as multiple characters.

Against a hash .. which is an unlikely scenario in most cases. Against a weak remote web service, at 1,000/hr, I'm comfortable with 550 years of security versus 3 days.

KillerK · 05-29-2013, 11:35 AM

I've started using password as my password, I figure it's so common nobody would code a cracker to waste testing it.

brassmonkey · 05-29-2013, 11:42 AM

ok thanx 4 the stress

x-rate · 05-29-2013, 12:45 PM

I use 'wrong' as password so when I don't type it properly site tell me: your password is wrong

biskoppen · 05-29-2013, 02:45 PM

Quote:

Originally Posted by x-rate

I use 'wrong' as password so when I don't type it properly site tell me: your password is wrong

You should change it to incorrect, I hear it's the new thing

RyuLion · 05-29-2013, 03:07 PM

Quote:

Originally Posted by x-rate

I use 'wrong' as password so when I don't type it properly site tell me: your password is wrong

Quote:

Originally Posted by Grapesoda

I use passwords like this: `#LG\`yf8tyLkx5([Rd9RA ....the only issue is some sites won't allow special characters...

ladida · 05-29-2013, 04:00 PM

Quote:

Originally Posted by ajrocks

most systems have brute force prevention in place to prevent this sort of stuff. But if they came in using a bot net you would be in trouble until you caught it.

You did not really say this...

Anyway, md5 is so 1990, not even sure who hashes with md5 anymore.

blackmonsters · 05-29-2013, 05:25 PM

Just buy a cheap server. A billion request will crash the motherfucker.

05-28-2013, 01:50 PM	#1
Nasty Confirmed User Industry Role: Join Date: Aug 2002 Location: Sunny Fucking California Posts: 1,575	Hackers crack 16-character passwords in less than an HOUR This is pretty disturbing During an experiment for Ars Technica hackers managed to crack 90% of 16,449 hashed passwords. Six passwords were cracked each minute including 16-character versions such as 'qeadzcwrsfxv1331' A 25-computer cluster that can cracks passwords by making 350 billion guesses per second. It was unveiled in December by Jeremi Gosney, the founder and CEO of Stricture Consulting Group. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords. The article http://www.dailymail.co.uk/sciencete...ords-hour.html __________________ “Ours is a world of nuclear giants and ethical infants. We know more about war than we know about peace, more about killing than we know about living. If we continue to develop our technology without wisdom or prudence, our servant may prove to be our executioner.” ― Omar Bradley (1948)

05-28-2013, 01:56 PM	#4
shake frc Industry Role: Join Date: Jul 2003 Location: Bitcoin wallet Posts: 4,663	Wow that's a lot of GPU power. __________________ Crazy fast VPS for $10 a month. Try with $20 free credit

05-28-2013, 01:57 PM	#6
ajrocks Confirmed User Join Date: Nov 2004 Location: On Uranus Posts: 4,526	most systems have brute force prevention in place to prevent this sort of stuff. But if they came in using a bot net you would be in trouble until you caught it. __________________ SEO Strategy - Digital Strategy - Cannabis Lead Generation Skype aj.durden1

05-28-2013, 01:59 PM	#8
seeandsee Check SIG! Industry Role: Join Date: Mar 2006 Location: Europe (Skype: gojkoas) Posts: 50,945	but this will work to unpack and unprotect files, to access your NET accounts, he can't do it via bruteforce, server and program will just take it down... __________________ BUY MY SIG - 50$/Year Contact here

05-28-2013, 03:22 PM	#13
spiederman Confirmed User Industry Role: Join Date: Nov 2012 Posts: 1,216	surrentlysober is pretty safe with Icunta4rdapassw0rd __________________ xcams-partners: up to €200 PPS\|crakrevenue: Promote MyFreecams @ crakrevenue\|Plugrush: Buy and sell your traffic icq# 610-522-509 <---- dont add me for crap i DON'T ask for isliveHD\| Latex tube\|Androidcams\|ipadcams

05-28-2013, 01:52 PM	#2
nexcom28 So Fucking Banned Join Date: Jan 2005 Posts: 3,716	350 billion guesses per second...

05-28-2013, 01:54 PM	#3
Intrinsic Confirmed User Industry Role: Join Date: Jun 2008 Posts: 1,589	I heard the safest passwords were four word combos with dashes (??) and would take forever to crack example: take-fish-dirt-reed example: sdfk-fjsd-weij-akji

05-28-2013, 01:57 PM	#5
_Richard_ Too lazy to set a custom title Industry Role: Join Date: Oct 2006 Location: Vancouver Posts: 30,985	damn they're coming along nicely

05-28-2013, 02:45 PM	#11
edgeprod Permanently Gone Industry Role: Join Date: Mar 2004 Posts: 10,019

05-28-2013, 03:30 PM	#14
grumpy Too lazy to set a custom title Join Date: Jan 2002 Location: Holland Posts: 9,870	great server if it allows you 3.5 billion tries a second. __________________ Don't let greediness blur your vision \| You gotta let some shit slide icq - 441-456-888

05-28-2013, 08:14 PM	#20
The Heron Confirmed User Industry Role: Join Date: Apr 2001 Location: Michigan Posts: 4,487	I don't use a password, just leave it blank they can guess all they want they'll never solve it!!

05-28-2013, 08:49 PM	#21
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	Did any of you guys actually read the article? correcthorsebatterystaple is a little harder to crack, but not impossible. They use custom dictionaries that brute force multiple WORDS as well as multiple characters.

05-28-2013, 10:43 PM	#22
Basileus Confirmed User Industry Role: Join Date: Sep 2003 Location: Planet Earth Posts: 56	Because only retards use md5. If it was SHA512 we'd never see this article ;)

05-29-2013, 01:21 AM	#24
pimpmaster9000 Too lazy to set a custom title Industry Role: Join Date: Dec 2011 Posts: 26,732	if your system is open to brute force then you pretty much deserve what happens...

05-29-2013, 11:35 AM	#29
KillerK Confirmed User Join Date: May 2008 Posts: 3,406	I've started using password as my password, I figure it's so common nobody would code a cracker to waste testing it.

05-29-2013, 11:42 AM	#30
brassmonkey Pay It Forward Industry Role: Join Date: Sep 2005 Location: Yo Mama House Posts: 77,053	ok thanx 4 the stress __________________ TRUMP 2025 KEKAW!!! - The Laken Riley Act Is Law! DACA ENDED - SUPPORT AZ HCR 2060 52R - email: brassballz-at-techie.com

05-29-2013, 12:45 PM	#31
x-rate Confirmed User Industry Role: Join Date: Jun 2008 Location: Montreal Posts: 725	I use 'wrong' as password so when I don't type it properly site tell me: your password is wrong __________________ Have quality traffic? Make money with Crakrevenue Email: misterxmtl @ hotmail.com Skype: misterxmtl

05-29-2013, 05:25 PM	#35
blackmonsters Making PHP work Industry Role: Join Date: Nov 2002 Location: 🌎🌅🌈🌇 Posts: 20,273	Just buy a cheap server. A billion request will crash the motherfucker. __________________ Make Money with Porn