Hackers crack 16-character passwords in less than an HOUR

  • Nasty
    Confirmed User
    • Aug 2002
    • 1575

    #1

    Hackers crack 16-character passwords in less than an HOUR

    This is pretty disturbing

    During an experiment for Ars Technica hackers managed to crack 90% of 16,449 hashed passwords. Six passwords were cracked each minute including 16-character versions such as 'qeadzcwrsfxv1331'.

    A 25-computer cluster that can crack passwords by making 350 billion guesses per second was unveiled in December by Jeremi Gosney, the founder and CEO of Stricture Consulting Group. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords.

    The article
    http://www.dailymail.co.uk/sciencete...ords-hour.html

    “Ours is a world of nuclear giants and ethical infants. We know more about war than we know about peace, more about killing than we know about living. If we continue to develop our technology without wisdom or prudence, our servant may prove to be our executioner.” ― Omar Bradley (1948)
  • nexcom28
    So Fucking Banned
    • Jan 2005
    • 3716

    #2
    350 billion guesses per second...

    Comment

    • Intrinsic
      Confirmed User
      • Jun 2008
      • 1589

      #3
      I heard the safest passwords were four word combos with dashes (??) and would take forever to crack

      example: take-fish-dirt-reed
      example: sdfk-fjsd-weij-akji

      Comment

      • shake
        frc
        • Jul 2003
        • 4663

        #4
        Wow that's a lot of GPU power.
        Crazy fast VPS for $10 a month. Try with $20 free credit

        Comment

        • _Richard_
          Too lazy to set a custom title
          • Oct 2006
          • 30991

          #5
          damn they're coming along nicely

          Comment

          • ajrocks
            Confirmed User
            • Nov 2004
            • 4526

            #6
            most systems have brute force prevention in place to prevent this sort of stuff. But if they came in using a bot net you would be in trouble until you caught it.
            SEO Strategy - Digital Strategy - Cannabis Lead Generation

            Skype aj.durden1

            Comment

            • shake
              frc
              • Jul 2003
              • 4663

              #7
              Originally posted by Intrinsic
              I heard the safest passwords were four word combos with dashes (??) and would take forever to crack

              example: take-fish-dirt-reed
              example: sdfk-fjsd-weij-akji
              Pass phrases were all the rage for a bit, but I think even those would be crackable, unless they are very long. Pretty soon we'll have to use a USB drive with a megabyte size password or something.
              Crazy fast VPS for $10 a month. Try with $20 free credit

              Comment

              • seeandsee
                Check SIG!
                • Mar 2006
                • 50945

                #8
                but this will work to unpack and unprotect files, to access your NET accounts, he can't do it via bruteforce, server and program will just take it down...
                BUY MY SIG - 50$/Year

                Contact here

                Comment

                • nexcom28
                  So Fucking Banned
                  • Jan 2005
                  • 3716

                  #9
                  Originally posted by Intrinsic
                  I heard the safest passwords were four word combos with dashes (??) and would take forever to crack

                  example: take-fish-dirt-reed
                  example: sdfk-fjsd-weij-akji
                  I doubt that would take much working out.

                  1. You have x4 dictionary words
                  2. Just putting 4 dashes in aint gonna fool no-one.

                  I think site owners really need to make their sites secure against multiple login attempts rather than getting us to remember 5%6Yy*5$fdd1$8>KKhJo)o or some such shit.

                  Comment

                  • Klen
                    • Aug 2006
                    • 32235

                    #10
                    Originally posted by nexcom28
                    I doubt that would take much working out.

                    1. You have x4 dictionary words
                    2. Just putting 4 dashes in aint gonna fool no-one.

                    I think site owners really need to make their sites secure against multiple login attempts rather than getting us to remember 5%6Yy*5$fdd1$8>KKhJo)o or some such shit.
                    Actually it's better to have a password like "iliketurtlesandsausegeswithcream12345", which is long enough yet still easy to remember.

                    Besides, as long as you have some sort of bruteforce protection, things like this don't mean much.

                    Comment

                    • edgeprod
                      Permanently Gone
                      • Mar 2004
                      • 10019

                      #11

                      Comment

                      • Lichen
                        Tube Master
                        • May 2004
                        • 1640

                        #12
                        Originally posted by Intrinsic
                        I heard the safest passwords were four word combos with dashes (??) and would take forever to crack

                        example: take-fish-dirt-reed
                        example: sdfk-fjsd-weij-akji

                        Include numbers, special characters and uppercase/lowercase. Like this:

                        71#Testpassword

                        Comment

                        • spiederman
                          Confirmed User
                          • Nov 2012
                          • 1216

                          #13
                          surrentlysober is pretty safe with Icunta4rdapassw0rd

                          Comment

                          • grumpy
                            Too lazy to set a custom title
                            • Jan 2002
                            • 9870

                            #14
                            great server if it allows you 3.5 billion tries a second.
                            Don't let greediness blur your vision | You gotta let some shit slide
                            icq - 441-456-888

                            Comment

                            • nexcom28
                              So Fucking Banned
                              • Jan 2005
                              • 3716

                              #15
                              Originally posted by grumpy
                              great server if it allows you 3.5 billion tries a second.
                              I could do with it for my sites

                              Comment

                              • _Richard_
                                Too lazy to set a custom title
                                • Oct 2006
                                • 30991

                                #16
                                Originally posted by edgeprod

                                Comment

                                • pornmasta
                                  Too lazy to set a custom title
                                  • Jun 2006
                                  • 20016

                                  #17
                                  The example Ars Technica uses is: hashing the password 'arstechnica' produced the hash c915e95033e8c69ada58eb784a98b2ed

                                  Read more: http://www.dailymail.co.uk/sciencete...#ixzz2Ud94lCOi
                                  md5 hashing... this problem is not new

                                  Comment

                                  • edgeprod
                                    Permanently Gone
                                    • Mar 2004
                                    • 10019

                                    #18
                                    Originally posted by grumpy
                                    great server if it allows you 3.5 billion tries a second.
                                    Likely, the crackers had the hashes available, and were cracking against the hashes, versus against a live server.

                                    Comment

                                    • Grapesoda
                                      So Fucking Banned
                                      • Jul 2003
                                      • 46238

                                      #19
                                      Originally posted by nexcom28
                                      I doubt that would take much working out.

                                      1. You have x4 dictionary words
                                      2. Just putting 4 dashes in aint gonna fool no-one.

                                      I think site owners really need to make their sites secure against multiple login attempts rather than getting us to remember 5%6Yy*5$fdd1$8>KKhJo)o or some such shit.
                                      I use passwords like this: `#LG\`yf8tyLkx5([Rd9RA ....the only issue is some sites won't allow special characters...
                                      Last edited by Grapesoda; 05-28-2013, 04:06 PM.

                                      Comment

                                      • The Heron
                                        Confirmed User
                                        • Apr 2001
                                        • 4496

                                        #20
                                        I don't use a password, just leave it blank they can guess all they want they'll never solve it!!

                                        Comment

                                        • rowan
                                          Too lazy to set a custom title
                                          • Mar 2002
                                          • 17393

                                          #21
                                          Did any of you guys actually read the article? correcthorsebatterystaple is a little harder to crack, but not impossible. They use custom dictionaries that brute force multiple WORDS as well as multiple characters.

                                          Comment

                                          • Basileus
                                            Confirmed User
                                            • Sep 2003
                                            • 56

                                            #22
                                            Because only retards use md5. If it was SHA512 we'd never see this article ;)

                                            Comment

                                            • Chosen
                                              • Aug 2001
                                              • 63151

                                              #23
                                              Originally posted by spiederman
                                              surrentlysober is pretty safe with Icunta4rdapassw0rd

                                              Comment

                                              • pimpmaster9000
                                                Too lazy to set a custom title
                                                • Dec 2011
                                                • 26732

                                                #24
                                                if your system is open to brute force then you pretty much deserve what happens...
                                                Report a suspicious cracker: Click Here

                                                Comment

                                                • Markul
                                                  Likes Pie
                                                  • Dec 2007
                                                  • 12403

                                                  #25
                                                  Originally posted by edgeprod
                                                  That is awesome
                                                  But.... I pulled out...

                                                  Comment

                                                  • just a punk
                                                    So fuckin' bored
                                                    • Jun 2003
                                                    • 32393

                                                    #26
                                                    Originally posted by ajrocks
                                                    most systems have brute force prevention in place to prevent this sort of stuff. But if they came in using a bot net you would be in trouble until you caught it.
                                                    Please read carefully. They did that on password hashes.
                                                    Obey the Cowgod

                                                    Comment

                                                    • Barry-xlovecam
                                                      It's 42
                                                      • Jun 2010
                                                      • 18083

                                                      #27
                                                      Originally posted by Basileus
                                                      Because only retards use md5. If it was SHA512 we'd never see this article ;)
                                                      QFT

                                                      Comment

                                                      • edgeprod
                                                        Permanently Gone
                                                        • Mar 2004
                                                        • 10019

                                                        #28
                                                        Originally posted by rowan
                                                        Did any of you guys actually read the article? correcthorsebatterystaple is a little harder to crack, but not impossible. They use custom dictionaries that brute force multiple WORDS as well as multiple characters.
                                                        Against a hash .. which is an unlikely scenario in most cases. Against a weak remote web service, at 1,000/hr, I'm comfortable with 550 years of security versus 3 days.

                                                        Comment

                                                        • KillerK
                                                          Confirmed User
                                                          • May 2008
                                                          • 3406

                                                          #29
                                                          I've started using password as my password, I figure it's so common nobody would code a cracker to waste testing it.

                                                          Comment

                                                          • brassmonkey
                                                            Pay It Forward
                                                            • Sep 2005
                                                            • 77396

                                                            #30
                                                            ok thanx 4 the stress
                                                            TRUMP 2026 KEKAW!!! - The Laken Riley Act Is Law!
                                                            DACA ENDED - SUPPORT AZ HCR 2060 52R - email: brassballz-at-techie.com

                                                            Comment

                                                            • x-rate
                                                              Confirmed User
                                                              • Jun 2008
                                                              • 725

                                                              #31
                                                              I use 'wrong' as password so when I don't type it properly site tell me: your password is wrong
                                                              Have quality traffic? Make money with Crakrevenue
                                                              Email: misterxmtl @ hotmail.com
                                                              Skype: misterxmtl

                                                              Comment

                                                              • biskoppen
                                                                Confirmed User
                                                                • Mar 2003
                                                                • 5809

                                                                #32
                                                                Originally posted by x-rate
                                                                I use 'wrong' as password so when I don't type it properly site tell me: your password is wrong
                                                                You should change it to incorrect, I hear it's the new thing
                                                                Submit my videos to make bank, tons of 5 minute videos offered right here

                                                                Comment

                                                                • RyuLion
                                                                  • Mar 2003
                                                                  • 32369

                                                                  #33
                                                                  Originally posted by x-rate
                                                                  I use 'wrong' as password so when I don't type it properly site tell me: your password is wrong
                                                                  Originally posted by Grapesoda
                                                                  I use passwords like this: `#LG\`yf8tyLkx5([Rd9RA ....the only issue is some sites won't allow special characters...

                                                                  Adult Biz Consultant A tech head since 1995
                                                                  Affiliate Support: Chaturbate | CCBill Live

                                                                  Comment

                                                                  • ladida
                                                                    Confirmed User
                                                                    • Nov 2005
                                                                    • 2179

                                                                    #34
                                                                    Originally posted by ajrocks
                                                                    most systems have brute force prevention in place to prevent this sort of stuff. But if they came in using a bot net you would be in trouble until you caught it.
                                                                    You did not really say this...

                                                                    Anyway, md5 is so 1990, not even sure who hashes with md5 anymore.
                                                                    agentGFY *at* gmail.com

                                                                    Comment
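The distinction raised in posts #18, #26 and #28 (guessing against stolen hashes versus a live login) and the MD5 point in posts #17 and #34, worked through as an added example that is not part of the original thread or the article. It contrasts an unsalted MD5 record with a salted PBKDF2 record and estimates worst-case search time at the two rates quoted in the thread. Assumptions: the 2048-word list, the 600,000-iteration work factor, and the rough model that an iterated KDF divides the offline rate by its iteration count.

```python
import hashlib
import hmac
import os

OFFLINE_RATE = 350e9        # guesses/s: the cluster figure quoted in post #1
ONLINE_RATE = 1000 / 3600   # guesses/s: the 1,000/hr figure from post #28


def md5_record(password):
    """Unsalted fast hash: identical passwords give identical records."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_record(password, iterations=600_000, salt=None):
    """Salted, iterated record; 600,000 iterations is an assumed work factor."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(password, record):
    """Recompute with the stored salt and cost, compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def passphrase_space(wordlist_size, words):
    """Number of candidates when each word is drawn at random from the list."""
    return wordlist_size ** words


def seconds_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second


def estimate(space, kdf_iterations=600_000):
    """Worst-case seconds to try every candidate in three settings.

    Assumption: an iterated KDF cuts the offline rate by about the iteration
    count. This favours the attacker, as one PBKDF2 iteration costs more
    than one MD5 computation.
    """
    return {
        "online login, rate-limited": seconds_to_exhaust(space, ONLINE_RATE),
        "offline, unsalted MD5": seconds_to_exhaust(space, OFFLINE_RATE),
        "offline, salted PBKDF2": seconds_to_exhaust(
            space, OFFLINE_RATE / kdf_iterations),
    }


if __name__ == "__main__":
    space = passphrase_space(2048, 4)   # constructed: 4 words, 2048-word list
    for setting, secs in estimate(space).items():
        print(f"{setting:28s} {secs:12.3e} s  ({secs / 86400:.3g} days)")
    pw = "take-fish-dirt-reed"          # example passphrase from post #3
    a, b = kdf_record(pw, 1000), kdf_record(pw, 1000)
    print("MD5 records equal:", md5_record(pw) == md5_record(pw))
    print("PBKDF2 records differ:", a != b, "| verifies:", kdf_verify(pw, a))
```

The rate limit only protects the login form; once the hash list is out, the storage format decides how long each guess takes.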

                                                                    • blackmonsters
                                                                      Making PHP work
                                                                      • Nov 2002
                                                                      • 20964

                                                                      #35
                                                                      Just buy a cheap server. A billion request will crash the motherfucker.

                                                                      Free Open Source Live Aggregated Cams Script (FOSLACS)

                                                                      Comment
