Brute-force cracking of TWC password hashes

[Squid]

What I'm surprised by is how a GPU which was designed to process just graphics and never to be faster than the CPU, became faster than the CPU.

Only for doing floating point arithmatic, since that's what a GPU is designed to be excellent at, while a CPU is designed to be a jack of all trades, so its good at everything but not excellent at anything.

[Bolkonsky]

Only for doing floating point arithmatic, since that's what a GPU is designed to be excellent at, while a CPU is designed to be a jack of all trades, so its good at everything but not excellent at anything.

Yup, CPU's are generally designed to work better with integers. On the AMD Bulldozer processor, there's 1 floating point core to every 2 integer cores.

EDIT: My father just out of the blue sent me this, I thought it was surprisingly relevant.
http://www.zdnet.com/blog/identity/y...82?tag=nl.e539

[Squid]

Very interesting. I'd love for the server guys at my work to read that, but it still wouldn't accomplish anything since that would require a paradigm shift in thinking about password security that isn't likely to happen any time soon.

[GrnEyedDvl]

I agree, but you can speed up your internet - I think the person with the fastest internet connection in the world was an american teenager who built his own modem. I can't say for sure though.

Where do you get these ideas??


I can say for sure that no idiot in his house has the "fastest internet connection in the world" by building his own modem. The very idea is absurd. The worlds fastest internet is 120 gbps (thats 120 times faster than the fastest network card you can buy for your computer without going to a fiber optic backplane that costs about $12,000 btw) and its a test network only built by Cisco and Telia. The general public couldnt connect to it without drilling a hole in the ground and physically running cable to it.

I dont care what you have in your house, the most you are going to get out of your internet connection is determined by what is at the other end in the building owned by your ISP. Most of them are running Cisco enterprise level routers with caps of 100 mbps per connection. Even TWCs connection would max out at 1 Gbps if we pushed it that far, and it wouldnt matter if I spent a billion dollars on network equipment to make it faster.

Please quit spouting nonsense in these threads.

Even sending data over a fibre line, the fastest speed of connectivity available right now, is still orders of magnitude slower than the processing power of a CPU much less a GPU.

That it is.

Very interesting. I'd love for the server guys at my work to read that, but it still wouldn't accomplish anything since that would require a paradigm shift in thinking about password security that isn't likely to happen any time soon.

Some people really are stuck in their ways, its annoying. Like the idiot I quoted above saying something about "he couldnt imagine forcing a 9 character password". People like him are the ones who should be hung out to dry when a network gets hacked.

[Jom]

Here is my input on this matter:

[Armatus]

Cable companies still only alow you a certain amount of bandwith. Even if you could speed it up (highly unlikely) they would notice and shut your internet down.

Correct these days it's much more likely any major MSO will catch it, how soon is another mater. All the big players are throttling or gearing up to. My company has been testing various types of switches for this purpose for sometime, and while there are other caps in place such as modem configs, and provisioning at the CMTS, it's not always cut and dry. But for someone to exploit speed they would most likely have to have access or knowledge of the inside operations of the network to know what equipment is rolled out and where, not all service markets are created equal (yet).

Where do you get these ideas??


I can say for sure that no idiot in his house has the "fastest internet connection in the world" by building his own modem. The very idea is absurd. The worlds fastest internet is 120 gbps (thats 120 times faster than the fastest network card you can buy for your computer without going to a fiber optic backplane that costs about $12,000 btw) and its a test network only built by Cisco and Telia. The general public couldnt connect to it without drilling a hole in the ground and physically running cable to it.

I dont care what you have in your house, the most you are going to get out of your internet connection is determined by what is at the other end in the building owned by your ISP. Most of them are running Cisco enterprise level routers with caps of 100 mbps per connection. Even TWCs connection would max out at 1 Gbps if we pushed it that far, and it wouldnt matter if I spent a billion dollars on network equipment to make it faster.

Exactly, our company is leasing 10G links for backbone transport, but once your data arrives at it's intended destination it will be decreased significantly, anyone hacking their modem will get flagged and blacklisted. Even before all this people who were running up utilization would get noticed, which is a big part of why ISPs want to prioritize traffic, they cut down on abuse/utilization and at the same time get to promote various levels of service to customers.

[Ybbon]

Here is my input on this matter:

An excellent illustration! If you use the tool (passfault) referenced in the article Bolkonsky referred to, it's actually < 1 day to guess that Tr0ub4dor&3 and > 187 centuries for the horse.. one.

So I decided to change my corporate SSO and VPN passwords with this in mind - no go, I have to use 8-12 characters and enforced mix Perhaps I should send your cartoon to head of IT to convince him to change the policy

[Armatus]

Well what about using random characters verses a word with substitutions?

[Jom]

An excellent illustration! If you use the tool (passfault) referenced in the article Bolkonsky referred to, it's actually < 1 day to guess that Tr0ub4dor&3 and > 187 centuries for the horse.. one.

So I decided to change my corporate SSO and VPN passwords with this in mind - no go, I have to use 8-12 characters and enforced mix Perhaps I should send your cartoon to head of IT to convince him to change the policy

It's not my cartoon - all credit needs to go to Randall Munroe at www.xkcd.com

[Sicknero]

EDIT: My father just out of the blue sent me this, I thought it was surprisingly relevant.
http://www.zdnet.com/blog/identity/y...82?tag=nl.e539

I followed your link but I'm wary of an unknown site inviting me to enter a password (one that I use) for analysis. I was hoping for a download.

But I tried the two examples from the cartoon that Jom posted, and it certainly seemed to support that. Fascinating, I'd never looked at it like that before.

Great thread, thanks.

****************************************************

Edit; This post interested me...

I decided to change my corporate SSO and VPN passwords with this in mind - no go, I have to use 8-12 characters and enforced mix

... so I went back to Passfault and experimented with some 12-character passwords -

"raincarttree" - 2 months, 10 days.
"ra1ncarttre3" - 3 days.
"inracarttree" - 5 months, 20 days.
"inracarteetr" - 12 years.
"inracarte3tr" - 16 years.

So reversing the letter pairs in the first word more than doubles the time, while doing it with the first and last words, takes it to 12 years.
But (and this bit confuses me a little in light of "ra1ncarttre3"), reversing letter pairs in the first and last words, and then replacing just one letter with a digit (which I don't think is hard to remember, and should satisfy your SSO and VPN pword requirements), gives the best time of all at 16 years.

Intriguing. Or, I just need to get out more.

[Ybbon]

Edit; This post interested me...

... so I went back to Passfault and experimented with some 12-character passwords -

"raincarttree" - 2 months, 10 days.
"ra1ncarttre3" - 3 days.
"inracarttree" - 5 months, 20 days.
"inracarteetr" - 12 years.
"inracarte3tr" - 16 years.

funny, I sent an email to my colleagues about this and how our IT wouldn't allow it, and I got the same response from one of the managers, that they wouldn't enter their own password in any such site - I did experiments with the examples from the cartoon and some made up ones too, certainly didn't enter my real password

I did the same thing, but I'm surprised that substituting 3 for e is longest in them as that would be one of the common substitutions, if you were to do it you should use something more random, like 8 for N or 7 for Q or whatever, but 1 for l/L 4 for A, 5 for s etc are common.

[Sicknero]

Yes the substitute '3' really surprised me too. So much so that I've tried it several times just to see if gave the same result. And it gets stranger too...

"inracarte2tr" - 1 year, 5 months.
"inracarte0tr" - 16 years.
"inracarte8tr" - 16 years.
"inracarte4tr" - 16 years.
"inr9carte8tr" - 10 years.

Maybe there's some basic concept here that's escaped me. It's often the case

Also I was wondering about these 'brute-force' crackers... if they work by just trying every possible combination until they hit one that works, then isn't there an element of chance too? I mean, isn't it possible for such an app to hit on the right p-word in much less than than the time that passfault suggests, just by luck? Or am I mis-understanding the process.