The most thorough of the three cracks was carried out by Jeremi Gosney, a password expert with Stricture Consulting Group.
The Ars password team included a developer of cracking software, a security consultant, and an anonymous cracker. Our top cracker snagged 90 percent of them. Even the least successful cracker of our trio-who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process-was able to decipher 62 percent of the passwords. To put it mildly, they didn't disappoint. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. While Anderson's 47-percent success rate is impressive, it's miniscule when compared to what real crackers can do, as Anderson himself made clear. (For more details on password hashing, see the earlier Ars feature " Why passwords have never been weaker-and crackers have never been stronger.") In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash-for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. Security-conscious websites never store passwords in plaintext. The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.
We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do. Within a few hours, he deciphered almost half of them. In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes.
0 kommentar(er)
