Posts

Showing posts from 2009

The RockYou 32 Million Password List Top 100

But first, a quick responses to one of the previous comments, (since it really did merit a front-page post). Tfcx posted: The initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082 Thanks, as that really helps narrow down the timeframe, (and reading that post and related posts was interesting if a bit depressing). The hack itself appears pretty straightforward once you see it, (like most things once the solution is presented to you it's easy, but finding it in the first place is hard). I'm still interested in the hacker Igigi, and have been tossing about all sorts of theories; but I'll refrain from posting them here since they are all pure WAGs right now. Now on to the main topic: Per Thorsheim wrote: I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twi...

RockYou Hacked: 32 Million, (yes that's Million), Passwords Stolen

As the title implies, the popular Facebook and MySpace game/widget maker RockYou was hacked, with the hack becoming public last week Tuesday, December 15th. What's worse is that RockYou stored all of their passwords in the clear, (no hashing), so 32 million plaintext passwords were stolen. I've been doing some digging into this so I can add something to the conversation, but for a great general overview I highly recommend reading TechCrunch's writeup . First of all, if you have ever used the following social networking applications, you probably should change your password ... like right now. Slideshow Uploadphoto Photofx Glittertext Funnotes Countdown Superhug Myspace layouts Stickers Superwall Pieces of flair Speedracing Likeness Hugme Birthday cards Yup, that's why we're talking about 32 million user accounts, (though in all fairness, many of those user accounts are almost certainly duplicates created by the same person). One day after the attack became public, t...

Google Wave Invite

I've been playing around with Google Wave , and received a couple of extra invites to the free beta. If you are interested, let me know and I'll send one your way. My short review: It looks like one of those tools where it takes a lot of work to gain any benefit from it. That being said, if you are collaborating with a lot of people on several different projects it has real potential.

Biometrics Are Not Going to Save Us - Or Get Used to Your Password

Image
Abstract: It generally is taken as common wisdom that one day, everyone is going to switch to biometrics so we can finally get rid of those pesky passwords. This post is an attempt to stave off that future. This isn't because I'm in the password cracking business, (I'm sure horse-buggy salesmen thought that cars were a poor substitute as well). Instead it's because biometrics are a really bad solution. In fact, over the long run, biometrics will make it even easier for an attacker to break your authentication schemes. The rest of this post is an attempt to explain why this is the case, along with some other reasons why you probably shouldn't go out and buy that thumbprint reader quite yet. If Biometrics Are So Bad, Why Do People Still Like Them: Let's face it, passwords suck. This is a blog pretty much devoted to password cracking. I'm aware of the fact that they suck. Passwords are a pain to use, a pain to remember, and pain to make secure. Who doesn't ...

Analysis of 10k Hotmail Passwords Part 5: Markov Model Showdown

Image
Don't worry; I'm still not done with this data-set. A little over a week ago I received an e-mail from Ilya Sokolov, saying: If I'm getting the numbers right from your graphs - you've got around 3k hashes bruteforced in about 1G guesses. Assuming you used --incremental mode of John, right? I guess you should try --markov too :) How right he is. Ilya went on to send some statistics my way, so I truly do appreciate e-mails like this. Before I talk about the results, first let me back up and spend a little time talking about the incremental and markov modes in John the Ripper. Aren't they both Markov based attacks? -- Ed Note: The following description of how the incremental attack works has been updated since I was incorrect about how JtR used trigraphs. A copy of the original incorrect description can be found in the comments. Well surprisingly yes they are, though they go about it in different ways. The --incremental option actually models the probability of trigra...

Installing John the Ripper Version 1.7.3.4 Tutorial

I just upgraded to the newest version of John the Ripper so I decided to make a tutorial out of my experience, (with screen-shots), since it was a fairly time consuming ordeal. It's mostly focused on installing John the Ripper on a Mac OSX Snow Leopard, but you should be able to use most of it when installing it to various flavors of Linux as well. Besides going over the base install, I also tried to cover: Which patches to install, where to find them, and how to apply them Picking the right build options Modifying the Makefile so it actually will install on Snow Leopard Modifying the code so you can use incremental attacks against passwords longer than eight characters long You can find it on my tools page , or by clicking on this link .

Defcon 17 Videos Posted Online

The title says it all. You can get all of the videos here . Just a warning, I may have used some inappropriate language in my talk on password cracking , so you might not want to watch it in front of small children. Also, my writeup of a couple of the talks can be found here , and here if you are having trouble deciding what to watch.

Analysis of 10k Hotmail Passwords - Even More Brute Force

Image
A reader asked me through e-mail how much better John the Ripper's Markov models were compared to pure brute force or letter frequency analysis. I knew there was a reason why I put my e-mail address on the side of this blog. That's a great question, since while I'd always had more success with Markov models vs letter frequency analysis, (and certainly brute force), I had never measured the difference before. What type of researcher am I? I better fix that, so let's check it out. Test 4: Markov Models vs. Letter Frequency Analysis vs. Pure Brute Force So in this test I reused the data collected previously in Test 1 using JtR's -incremental mode targeting lowercase letters and numbers, (a-z0-9). I then used the popular tool crunch to run both the brute force and letter frequency analysis, (which I'm going to call LFA), attacks since JtR doesn't support pure brute force, (well there is a bit of a hack, but crunch is easier). For the pure brute force attack I ...