Overclockers Australia Forums

OCAU News - Wiki - QuickLinks - Pix - Sponsors  

Go Back   Overclockers Australia Forums > Specific Hardware Topics > Networking, Telephony & Internet

Notices


Sign up for a free OCAU account and this ad will go away!
Search our forums with Google:
Reply
 
Thread Tools
Old 31st December 2016, 3:25 PM   #16
Bold Eagle
Member
 
Bold Eagle's Avatar
 
Join Date: Jun 2008
Location: Brisbane
Posts: 5,686
Default

Quote:
Originally Posted by evilasdeath View Post
what sort of music do you like Bold Eagle?
Abba - especially Money.............
__________________
PC3: Cardboard Box, peanut dispenser, highly conc caffine intravenous drip, little monkey w "electro El Shocko rectal probe", 3DMarkVantage=276818768
Bold Eagle is online now   Reply With Quote

Join OCAU to remove this ad!
Old 31st December 2016, 3:33 PM   #17
evilasdeath
Member
 
Join Date: Jul 2004
Posts: 4,562
Default

Quote:
Originally Posted by Bold Eagle View Post
Abba - especially Money.............
Told you social engineering was faster than brute force!
evilasdeath is offline   Reply With Quote
Old 4th January 2017, 10:25 PM   #18
James086
Member
 
James086's Avatar
 
Join Date: Mar 2010
Location: Perth
Posts: 2,224
Default

Quote:
Originally Posted by Bold Eagle View Post
I have since changed my password to the first line from a favorite song and the password is around 40-50 characters long now.
Don't be so sure that it's secure. Add some random characters to the end (don't replace "e" with "3", that's trivial) that you can remember somehow.

“thereisnofatebutwhat*wemake”—Turbo-charged cracking comes to long passwords
__________________
CPU: i7 2600K 4.3 GHz RAM: 16GB 2133MHz GPU: GTX 970 Folding PPD: 250 000
James086 is offline   Reply With Quote
Old 5th January 2017, 9:50 AM   #19
Aetherone
Member
 
Aetherone's Avatar
 
Join Date: Jan 2002
Location: Adelaide, SA
Posts: 8,379
Default

The performance of these crackers is only getting better and better...
Quote:
a PC running ocl-Hashcat-plus and two AMD HD 6990 video cards can cycle through 223,000 password candidates each second, fast enough to exhaust all 14.3 million words contained in the seminal RockYou dump of passwords in 65 seconds.
223,000 pwd/sec = 19,214,594,300 passwords per day... on old slow graphics cards what could you do with four titans and a 24 core / 48 thread E7-8890 v4?
Aetherone is offline   Reply With Quote
Old 5th January 2017, 5:09 PM   #20
Bold Eagle
Member
 
Bold Eagle's Avatar
 
Join Date: Jun 2008
Location: Brisbane
Posts: 5,686
Default

Quote:
Originally Posted by James086 View Post
Don't be so sure that it's secure. Add some random characters to the end (don't replace "e" with "3", that's trivial) that you can remember somehow.

“thereisnofatebutwhat*wemake”—Turbo-charged cracking comes to long passwords
Looks like it's time to start seriously considering biometrics from my domestic security - especially as fingerprint scanners can be bought for as little as $15.

For example:
A world without passwords: Windows Hello in Microsoft Edge
__________________
PC3: Cardboard Box, peanut dispenser, highly conc caffine intravenous drip, little monkey w "electro El Shocko rectal probe", 3DMarkVantage=276818768

Last edited by Bold Eagle; 5th January 2017 at 5:18 PM.
Bold Eagle is online now   Reply With Quote
Old 5th January 2017, 5:16 PM   #21
Aetherone
Member
 
Aetherone's Avatar
 
Join Date: Jan 2002
Location: Adelaide, SA
Posts: 8,379
Default

Quote:
Originally Posted by Bold Eagle View Post
fingerprint scanners can be bought for as little as $15.
Are they Jelly Baby resistant?
Aetherone is offline   Reply With Quote
Old 5th January 2017, 5:25 PM   #22
Bold Eagle
Member
 
Bold Eagle's Avatar
 
Join Date: Jun 2008
Location: Brisbane
Posts: 5,686
Default

Quote:
Originally Posted by Aetherone View Post
Are they Jelly Baby resistant?
LOL I did just read someone advising you to do at least three digits on record in case you cut one etc.
__________________
PC3: Cardboard Box, peanut dispenser, highly conc caffine intravenous drip, little monkey w "electro El Shocko rectal probe", 3DMarkVantage=276818768
Bold Eagle is online now   Reply With Quote
Old 10th January 2017, 8:11 PM   #23
IACSecurity
Member
 
IACSecurity's Avatar
 
Join Date: Jul 2008
Location: ork.sg
Posts: 842
Default

Lets be clear, if you have access to the hash, and you can't crack it, you will still be able to compromise the account.. because if you can get the hash, you will get the creds, in a true attack scenario. Its almost a definitive.

Quote:
Originally Posted by James086 View Post
Don't be so sure that it's secure. Add some random characters to the end (don't replace "e" with "3", that's trivial) that you can remember somehow.

“thereisnofatebutwhat*wemake”—Turbo-charged cracking comes to long passwords
Not relevant to cracking google passwords.. again unless you have the hash.

"I am a fucking sentence! W00t!" is for all practical purposes, uncrackable via the web. It is not uncrackable via hash based attacks. But see first comment.

Quote:
Originally Posted by Aetherone View Post
The performance of these crackers is only getting better and better...

223,000 pwd/sec = 19,214,594,300 passwords per day... on old slow graphics cards what could you do with four titans and a 24 core / 48 thread E7-8890 v4?
And they will continue to improve, and it doesnt really matter in the case of google cracking, because you are referencing local machine cracking. Not remote web app.. Because you can't sent 230K requests a second at google to break it for a few days.. Again you need the hash.. then you can sit and bang away on that. But as said before if you have the hash, shit is screwed already.

But then using PBKDF2 or Argon2 makes those 230K/sec not realistic as well.


Quote:
Originally Posted by Bold Eagle View Post
Looks like it's time to start seriously considering biometrics from my domestic security - especially as fingerprint scanners can be bought for as little as $15.

For example:
A world without passwords: Windows Hello in Microsoft Edge
No its not a reason to move to biometrics, nothing they have posted is any different from long ago. Passwords were, and are shit. Biometrics does not remove the issue of cracking 'hashes' which is basically what biometrics generate anyway. If you have access to the biometric 'hashes' my first comment would again apply in almost all scenarios.

Always enroll multiple fingers... you might have nutella on one that you were keeping for later


Use Google Auth (or Authy or whatever) and recovery codes (2FA), and you will be as secure as you can reasonably need.


redit: Quick relevant (close enough to correct) example: if you use PBKDF2 instead of a 'hash' you have iterations that the 'PBKDF2' thing runs. Lets say you do it 3000 times, that increases the crackers work load 3000 times. If you think, computers have got faster this year and it is a concern, change the iterations to 10,000, an don next password reset, those creds are now 3 times harder/longer to crack. But of course because I am looking at your hash table/file, i will own you anyway.
__________________
Wartcom man loves sad donkey
Whatever I say is generally bullshit Trololing. So get over it.

Last edited by IACSecurity; 10th January 2017 at 8:16 PM.
IACSecurity is offline   Reply With Quote
Old 10th January 2017, 9:01 PM   #24
Matthew kane
Member
 
Join Date: Jan 2014
Location: Melbourne
Posts: 528
Default

Quote:
Originally Posted by IACSecurity View Post
Lets be clear, if you have access to the hash, and you can't crack it, you will still be able to compromise the account.. because if you can get the hash, you will get the creds, in a true attack scenario. Its almost a definitive.


Extremely difficult to find the original password and compromise the original account with it even if you do the have the hash. Unless you have an extremely big rainbow table that allows you to match the first few values to the start of the hash its a very time consuming and intensive process to cycle through all possible permutations/combinations. Even difficult and worst if the hash is salted.

A google account password can be cracked depending on the password length, characters (mixed or not) itself. This does not compromise the account if you have the 2 factor authentication set up on your google account of authenticated through a mobile devices Google Authenticator app.
__________________
Intel i7 3960X @ 4.7GHZ - Noctua NH-D14 | 16GB OCZ Platinum Series DDR3 1600MHZ | Asus Rampage IV Extreme (4901 bios) | 2 x Leadtek GTX680 4GB | PNY GTX465 unlocked to 470 (Physx) | Creative X-Fi Titanium Fatality Pro with LME47920's opamps | OCZ Vertex 3 240GB | OCZ Vertex Plus 120GB| 1TB WD Black, 2TB WD Green, 4 x 2TB Seagate LP | Enermax Revolution 85+ 1250watt | Antec P280 + Veris Elite | LG BD Rewriter

Last edited by Matthew kane; 10th January 2017 at 9:05 PM.
Matthew kane is offline   Reply With Quote
Old 11th January 2017, 2:04 PM   #25
IACSecurity
Member
 
IACSecurity's Avatar
 
Join Date: Jul 2008
Location: ork.sg
Posts: 842
Default

Quote:
Originally Posted by Matthew kane View Post
Extremely difficult to find the original password and compromise the original account with it even if you do the have the hash. Unless you have an extremely big rainbow table that allows you to match the first few values to the start of the hash its a very time consuming and intensive process to cycle through all possible permutations/combinations. Even difficult and worst if the hash is salted.
If you have access to the hashes, you are almost guaranteed to compromise your target. It doesn't need to be bruting/cracking/tmto the hashes. Because if you have the hashes, you already have significant privileges on your target system - use that for leverage.
__________________
Wartcom man loves sad donkey
Whatever I say is generally bullshit Trololing. So get over it.
IACSecurity is offline   Reply With Quote
Old 11th January 2017, 4:20 PM   #26
Rubberband
Member
 
Rubberband's Avatar
 
Join Date: Jun 2001
Location: Doreen
Posts: 6,133
Default

All you need to know about strong passwords



/thread
__________________
CLIKK.com.au - Digital Marketing Agency: Facebook and AdWords Marketing.
Feel free to drop me a PM if you want help or free advice
Rubberband is offline   Reply With Quote
Old 27th February 2017, 1:16 PM   #27
KANNIS
Member
 
KANNIS's Avatar
 
Join Date: Dec 2003
Location: Sydney
Posts: 9,173
Default

View page info / security / view saved passwords always works lol..
__________________
|-O-| (-O-) |-O-|
"STAY IN ATTACK FORMATION"


OCAU Fishing Club Member #1
KANNIS is offline   Reply With Quote
Old 27th February 2017, 1:49 PM   #28
Doc-of-FC
Member
 
Doc-of-FC's Avatar
 
Join Date: Aug 2001
Location: Canberra
Posts: 2,616
Default

Quote:
Originally Posted by IACSecurity View Post
If you have access to the hashes, you are almost guaranteed to compromise your target.
Perpetrator #1:
Doc-of-FC is offline   Reply With Quote
Old 27th February 2017, 2:37 PM   #29
metalslaw
Member
 
Join Date: Feb 2003
Posts: 150
Default

Here is an online password generator if someone needs a really good one,

https://www.grc.com/passwords.htm
metalslaw is offline   Reply With Quote
Old 28th February 2017, 6:48 PM   #30
IACSecurity
Member
 
IACSecurity's Avatar
 
Join Date: Jul 2008
Location: ork.sg
Posts: 842
Default

Quote:
Originally Posted by metalslaw View Post
Here is an online password generator if someone needs a really good one,

https://www.grc.com/passwords.htm
Hack the gibson.

FWIW that is an appalling REAL world generator, no one will remember them.

This thread reminds me why people pay me well for my security advice, thank you.


ahah nice Doc. I was thinking even simpler. Hashes are almost always in the backend database. If your sufficiently privileged to see them, you can probably just root the box the front end, or DB is on, or get SA on the DB. At which point you probably have access into the SSL tunnel.. at which point you see plain text passwords. Hence no need to even crack the salts hashes, pepper... which is what I was hinting at from the start. All your plain text below to us. /insert old meme here.
__________________
Wartcom man loves sad donkey
Whatever I say is generally bullshit Trololing. So get over it.

Last edited by IACSecurity; 28th February 2017 at 6:50 PM.
IACSecurity is offline   Reply With Quote
Reply

Bookmarks

Sign up for a free OCAU account and this ad will go away!

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +10. The time now is 12:56 AM.


Powered by vBulletin® Version 3.8.9
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
OCAU is not responsible for the content of individual messages posted by others.
Other content copyright Overclockers Australia.
OCAU is hosted by Micron21!