Password Recovery Bundle 2014 & security of passwords

Back to Giveaway of the Day

Giveaway of the Day Forums » Technical notes

Password Recovery Bundle 2014 & security of passwords

(3 posts) (2 voices)

Started 10 years ago by mikiem2
Latest reply from Whiterabbit-uk

mikiem2
Moderator

With Password Recovery Bundle 2014 I didn't, couldn't make an effort to get something up right away -- I didn't feel too badly because early on someone posted about it's poor performance. They were accurate. I did find that you could add to or replace their dictionary, & that if you use the software against a plain, encrypted zip file using a word in that dictionary as your password, it works, fast. It does not appear to mutate the words in the list, nor will it work with a zip file using AES-256 encryption, even when the password was included in the list. The good part is it's almost portable as-is, so if you kept it or uninstalled there was very little impact to your system.

---

A common perception from the download page comments:

"A computer, which can test 1 billion passwords per second, tests (60x60x24x365x1,000,000,000) 3,15
16 passwords per year. Wow!, what a number! If you bundle 1 million of these supercomputers (think of the energy costs!) you crack 3,15 22 passwords per year…
If you create a password from letters and numbers (a..z,A..Z,0..9) with a password length of 15 characters, you have a password with 2,82 26 possibilities. To crack these with the above mentioned supercomputerbundle, you’ll need roundabout 9 billion years. Longer passwords are only of hypothetical use…
So don’t worry about used kernel, processor speed or other minor details. A longer password CANNOT be cracked by brute force, not now and not in the next future by nobody."

:) Maybe - maybe not... :)

If you're talking about super computers, & I mean the real deal, no government is going to give you real figures on performance breaking passwords. If you're talking private individuals, they can rent time on Amazon's servers, each with access to one or more GPUs for faster computations. If you're thinking about criminal types, remember that they do not use their own credit card numbers -- such can be bought wholesale for ridiculously small sums.

Now math is math & people are people -- that's where the above calculations go awry. There is for practical matters no such thing as random, & people use weak passwords -- you can download millions of actual passwords to use in attempted matching. There may be billions of possibilities, but a few million actual passwords + software that can mutate them a bit narrows the field immensely. Whenever you hear about whatever site being hacked & passwords stolen, odds are very high that those passwords were encrypted. Odds are also extremely high that the unencrypted versions will be available almost immediately. Because the word lists + software works. I've included links to a couple of articles.

Now things like encrypted zip & 7zip files are a bit of a different animal than cracking site passwords... there's more work to be done -- you have to check the contents -- and there's no fame or glory involved so far less time devoted to developing solutions. Add that someone desperate to get their stuff back will pay more, and you have the makings for a decent pay-ware market. Despite it being designed to check site security, working with hashes, you can, assuming you don't mind the command line, use the community version of John The Ripper on zip files fairly easily, but there are warnings that you might get some false hits.

Posted 10 years ago #
mikiem2
Moderator

This is hardly definitive, but FWIW...

For password or any crypto generation, codes, scrambled communications, that sort of thing, the long sought after ideal is a truly random number or character or frequency etc. This is the stuff of high tech & spy agencies & state secrets. KeePass has a pseudo-random generator that can use typed input or mouse movements -- other password generators use other methods to come closer to random that your PC or Windows can manage. Since most password cracking is on the order of trial & error, usually using lists of words to start with, a generator like the one in Keepass can use characters that are unlikely to ever be typed, & some that your keyboard does not have keys for, like high ANSI characters. Here's a sample I just generated with all of the options checked or turned on: ´nÜ¸§³u_¹Ô,áüEØÇFÀÕ¼U*±9 . Of course entering something like that has to be copy/paste, & you often have to reduce the complexity by unchecking options until you get something a site or software will accept -- by rights they all should accept that sample as it's not hard to do, but this is far from a perfect world. What makes it more a PITA is many sites won't tell you they won't work with your password -- you don't know a site accepted it until you successfully log in, & when that fails, follow the steps for a forgotten password, then try again with something less complex.

Passwords are in use partly because they're well accepted, and partly because of fears re: what happens if your identity is stolen & something like your DNA or iris scan is either replaced or released into the wild. You can change your password but not your DNA or eyes.

Cracking passwords is part art [& experience], part technology, taking advantage of the latest in hardware processing. Most of what you'll read, & most free tools have to do with cracking lists of passwords like you'd find with a web site -- that's where all the fame, glory, & $ is. That doesn't mean you can't find tools & methods to use the best free stuff on something like a zip file, but that they're harder to find & in many cases require *nix. I suspect that sometimes ways have been found around software passwords, exploiting a weakness in the software or some sort of a back door that allegedly only the folks at the NSA know about. Something to think about -- everyone likes to advocate open source encryption software, but when the source is available, that goes a long ways towards handing someone what they need to get around it, e.g. there's a Keepass cracker built with Keepass source code that gets around the app's 3 try limit.

Since someone needing a password for a zip file or similar is often the owner, & may be desperate for whatever it was they thought important enough to password protect, software designed just for that is often more expensive than may be otherwise justified. As to how long it takes to crack a password, agencies like the NSA have super computers, against which the most powerful PC isn't even up to the level of a simple calculator. Most people wouldn't think an agency like the NSA, or their counterparts in other countries would bother with them. One, it's easier to process everything rather then on a targeted basis, & two, I personally feel that people are people, regardless where they work, so odds are those agencies employ bad guys who will sell whatever data &/or their methods of retrieval. Along the same line of reasoning, most of us have worked with lazy people &/or morons, so there's a decent chance all that data isn't stored as securely as one might hope -- it may be intended that way, but when people don't do their jobs...

From Google "crack password" [w/out quotes]

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

http://blog.erratasec.com/2012/06/linkedin-vs-password-cracking.html#.U4nkiCh9Ar0

http://www.wired.co.uk/news/archive/2013-05/28/password-cracking

Note: the graphics hardware used were the favored AMD/ATI x9xx models. They're not necessarily cheap or as easy to come by as other cards -- that's largely because these cards are also preferred for Bitcoin mining. I mention it in case anyone tries this sort of thing with a lesser graphics card & wonders why they can't match the published results.

Google "reset windows password" [w/out quotes]

An old standard
http://ophcrack.sourceforge.net/

http://www.howtogeek.com/96805/how-to-reset-your-windows-password-without-an-install-cd/

http://pcsupport.about.com/od/toolsofthetrade/tp/password-cracker-recovery.htm

Posted 10 years ago #
Whiterabbit-uk
Games Guru

Thanks for the discussion Mikiem. :)

Posted 10 years ago #

RSS feed for this topic

Reply

You must log in to post.