BPadvertisementfrom

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 22 August 2012

Beating down hash functions

Posted on 18:00 by Unknown
The state of the art in GPU- and statistics-enhanced password cracking. Crackers beating down information entropy just like in the old days at Bletchley Park! (Trivia question: what are "bans" and "cribs"? Answers)
Ars technica: ... An even more powerful technique is a hybrid attack. It combines a word list, like the one used by Redman, with rules to greatly expand the number of passwords those lists can crack. Rather than brute-forcing the five letters in Julia1984, hackers simply compile a list of first names for every single Facebook user and add them to a medium-sized dictionary of, say, 100 million words. While the attack requires more combinations than the mask attack above—specifically about 1 trillion (100 million * 104) possible strings—it's still a manageable number that takes only about two minutes using the same AMD 7970 card. The payoff, however, is more than worth the additional effort, since it will quickly crack Christopher2000, thomas1964, and scores of others. 
"The hybrid is my favorite attack," said Atom, the pseudonymous developer of Hashcat, whose team won this year's Crack Me if You Can contest at Defcon. "It's the most efficient. If I get a new hash list, let's say 500,000 hashes, I can crack 50 percent just with hybrid." 
With half the passwords in a given breach recovered, cracking experts like Atom can use Passpal and other programs to isolate patterns that are unique to the website from which they came. They then write new rules to crack the remaining unknown passwords. More often than not, however, no amount of sophistication and high-end hardware is enough to quickly crack some hashes exposed in a server breach. To ensure they keep up with changing password choices, crackers will regularly brute-force crack some percentage of the unknown passwords, even when they contain as many as nine or more characters. 
"It's very expensive, but you do it to improve your model and keep up with passwords people are choosing," said Moxie Marlinspike, another cracking expert. "Then, given that knowledge, you can go back and build rules and word lists to effectively crack lists without having to brute force all of them. When you feed your successes back into your process, you just keep learning more and more and more and it does snowball."
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in computing, cryptography, encryption, internet, security | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • PhD Comics: the movie
    PHD Movie Trailer from PHD Comics on Vimeo . I met Jorge Cham , the cartoonist who draws PhD Comics, a few years ago at Sci Foo. Cham was ...
  • Sitzfleisch
    Freeman Dyson reviews the new biography of Oppenheimer by Ray Monk. I discussed the book already here . NYBooks : ... The subtitle, “A Life ...
  • On the radio: NPR's On Point
    I'll be on live (I think) for an hour starting at 11 AM eastern. If you dial in, you might be able to ask me a question on the air :-) W...
  • What is the difference?
    Some excerpts from a talk by Richard Hamming (inventor of, among other things, hamming codes ) on how to do great research. I recommend rea...
  • Some recommended reading
    Robert Wald reviews the 2010 book Many Worlds?: Everett, Quantum Theory, and Reality , based on meetings at Oxford and at the Perimeter Ins...
  • A blog is born
    Raghu Parasarathy , a biophysicist at U Oregon, and my correspondent in this previous post on faculty blogging, has decided to try it out. ...
  • Talk cancelled
    This talk has been cancelled, for complex reasons that I will not discuss.
  • East Asian sociopaths?
    Some would assert that CEOs and other people in leadership positions are often warm sociopaths . Interestingly, it is claimed that there is ...
  • Swedish height in the 20th century
    Average height of Swedish military conscripts during the 20th century. Looks like an increase of roughly 1 cm per decade or about 1.5 SD in ...
  • MSU photos 2
    Touring a new building with the deans and provost. MSU vs Boise State from the skyboxes. QB play was a bit shaky for the Spartans.

Categories

  • ability (2)
  • academia (9)
  • affirmative action (8)
  • ai (13)
  • aig (1)
  • alan turing (3)
  • algorithms (2)
  • alpha (2)
  • american society (54)
  • art (3)
  • ashkenazim (1)
  • aspergers (4)
  • athletics (6)
  • autism (4)
  • autobiographical (13)
  • basketball (4)
  • bayes (1)
  • behavioral economics (4)
  • berkeley (5)
  • bgi (24)
  • biology (23)
  • biotech (6)
  • bjj (5)
  • black holes (4)
  • blade runner (2)
  • blogging (3)
  • books (5)
  • borges (2)
  • bounded rationality (10)
  • brainpower (57)
  • bubbles (3)
  • caltech (14)
  • cambridge uk (1)
  • careers (18)
  • charles darwin (1)
  • chet baker (2)
  • China (25)
  • christmas (1)
  • class (2)
  • cognitive science (35)
  • cold war (1)
  • complexity (1)
  • computing (9)
  • conferences (4)
  • cosmology (4)
  • creativity (3)
  • credit crisis (10)
  • crossfit (5)
  • cryptography (2)
  • data mining (4)
  • dating (2)
  • demographics (1)
  • derivatives (5)
  • determinism (1)
  • digital books (1)
  • dna (4)
  • economic history (5)
  • economics (38)
  • econtalk (2)
  • ecosystems (1)
  • education (5)
  • efficient markets (8)
  • Einstein (2)
  • elitism (14)
  • encryption (1)
  • energy (1)
  • entrepreneurs (3)
  • entropy (1)
  • environmentalism (1)
  • eugene (3)
  • evolution (19)
  • expert prediction (6)
  • fake alpha (2)
  • feminism (2)
  • Fermi problems (2)
  • feynman (7)
  • film (9)
  • finance (42)
  • fitness (3)
  • flynn effect (1)
  • foo camp (1)
  • football (5)
  • france (1)
  • free will (1)
  • freeman dyson (2)
  • fx (2)
  • game theory (1)
  • geeks (2)
  • gender (4)
  • genetic engineering (15)
  • genetics (79)
  • genius (24)
  • genomics (2)
  • geopolitics (7)
  • gilded age (13)
  • global warming (1)
  • globalization (23)
  • godel (2)
  • goldman sachs (2)
  • google (4)
  • happiness (2)
  • harvard (8)
  • harvard society of fellows (5)
  • hedge funds (4)
  • hedonic treadmill (1)
  • height (2)
  • higher education (38)
  • history (8)
  • history of science (12)
  • hormones (3)
  • hugh everett (2)
  • human capital (34)
  • humor (1)
  • income inequality (21)
  • india (2)
  • industrial revolution (1)
  • innovation (38)
  • intellectual history (10)
  • intellectual property (1)
  • intellectual ventures (1)
  • internet (4)
  • iq (16)
  • italy (4)
  • james salter (3)
  • japan (4)
  • jiujitsu (8)
  • keynes (1)
  • kids (13)
  • lewontin fallacy (1)
  • lhc (1)
  • literature (12)
  • luck (1)
  • machine learning (8)
  • malcolm gladwell (1)
  • manhattan (2)
  • many worlds (10)
  • mathematics (14)
  • meritocracy (7)
  • microsoft (2)
  • mma (10)
  • monsters (2)
  • moore's law (1)
  • movies (9)
  • MSU (18)
  • music (5)
  • mutants (2)
  • nathan myhrvold (1)
  • neal stephenson (1)
  • neanderthals (2)
  • nerds (3)
  • net worth (5)
  • neuroscience (7)
  • new yorker (1)
  • nicholas metropolis (1)
  • noam chomsky (2)
  • nobel prize (2)
  • nsa (2)
  • nuclear weapons (5)
  • obama (7)
  • olympics (4)
  • oppenheimer (7)
  • patents (1)
  • personality (9)
  • philip k. dick (1)
  • philosophy of mind (2)
  • photos (40)
  • physical training (13)
  • physics (73)
  • podcasts (10)
  • political correctness (6)
  • politics (4)
  • pop culture (2)
  • prisoner's dilemma (1)
  • privacy (2)
  • probability (5)
  • prostitution (2)
  • psychology (25)
  • psychometrics (31)
  • qcd (1)
  • quants (9)
  • quantum computers (2)
  • quantum field theory (3)
  • quantum mechanics (18)
  • race relations (10)
  • real estate (1)
  • realpolitik (6)
  • renaissance technologies (1)
  • research (3)
  • russia (2)
  • sad but true (2)
  • sci fi (8)
  • science (42)
  • sec (1)
  • security (5)
  • silicon valley (6)
  • singularity (1)
  • smpy (1)
  • social networks (2)
  • social science (12)
  • software development (2)
  • solar energy (1)
  • sports (13)
  • startups (19)
  • statistics (16)
  • success (2)
  • taiwan (1)
  • talks (16)
  • teaching (2)
  • technology (34)
  • television (2)
  • travel (24)
  • turing test (1)
  • ufc (8)
  • ultimate fighting (1)
  • universities (33)
  • university of oregon (6)
  • usain bolt (2)
  • venture capital (3)
  • volatility (1)
  • von Neumann (10)
  • wall street (2)
  • war (1)
  • warren buffet (1)
  • wwii (3)

Blog Archive

  • ►  2013 (134)
    • ►  August (10)
    • ►  July (15)
    • ►  June (22)
    • ►  May (20)
    • ►  April (21)
    • ►  March (18)
    • ►  February (14)
    • ►  January (14)
  • ▼  2012 (222)
    • ►  December (17)
    • ►  November (19)
    • ►  October (20)
    • ►  September (25)
    • ▼  August (19)
      • Genomic secrets of the dead: high-coverage Denisov...
      • Back in the MACT
      • Beating down hash functions
      • deCODE, de novo mutations, and autism risk
      • Genomic prediction: no bull
      • Recent human evolution: European height
      • "For the historians and the ladies"
      • Better to be lucky than good
      • Knightmare
      • Chomsky on po-mo
      • On doping
      • Gell-Mann, Feynman, Everett
      • The greatest of all time
      • The path not taken
      • Quantum correspondence
      • Curiosity has landed
      • Bolt, again!
      • Correlation, Causation and Personality
      • $440M in 45 minutes
    • ►  July (18)
    • ►  June (16)
    • ►  May (20)
    • ►  April (16)
    • ►  March (18)
    • ►  February (20)
    • ►  January (14)
  • ►  2011 (144)
    • ►  December (20)
    • ►  November (16)
    • ►  October (25)
    • ►  September (23)
    • ►  August (21)
    • ►  July (26)
    • ►  June (13)
Powered by Blogger.

About Me

Unknown
View my complete profile