Owen -
> A forum I belong to has been hacked, including personal info as well
> as passwords.
> How do they use this information?
> I presume they try the hash function on all combinations of possible
> passwords. (Naturally optimized for faster convergence). They see a
> match, i.e. a letter combination resulting in the given hash of the
> password.
I presume you mean encrypted passwords. If the forum has been
compromised (and they know it), then whether they can recover them or
not, the most they have is passwords to that site/forum? Unless of
course you have been practicing poor password hygiene, using the same
one (or very similar) on multiple sites?
> If they crack one password, does that make cracking the rest any easier?
Only if there is no salt used. Since most/many sites have idiosyncratic
ideas of password constraints (must have xxx, can't have yyy, minimum,
maximum, precise lengths, etc.), having one or more passwords decrypted
can narrow those constraints to some extent (if a # or a % shows up in a
password, it is likely that *all* special characters are allowed, if
special characters *always* show up in the sample of decrypted
passwords, then it is likely it is a requirement... same for numerals
and capitals). Conversely, if one example of a decrypted password
shows up without one or more of these typical requirements, then a
smaller space can be searched for low-hanging fruit.
> And does "salt" simply increase the difficulty, and indeed can it be
> deduced, as above, by cracking a single password?
"salt" <http://en.wikipedia.org/wiki/Salt_%28cryptography%29> when used
correctly is per-password, so cracking one doesn't help you crack the
others... it really only helps against "guessing" (e.g. dictionary)
attacks. It makes up for unimaginative passwords basically.
> .. or is it all quite different from this!
I don't know what the state of the art for random hackers is these days,
but if your own personal password hygiene is good (no-reuse, no dictionary
words/combos, special chars), then you are in fair shape (personally),
though now you are at risk for phishing from spoofed "friends" and
anything else that your "personal information" opens you to.
Of course, the NSA, the KGB, ha Mos'ad and other organized crime groups
can brute force a lot these days... what they can and can't brute force
is obviously classified.
Moral of the story: "don't be a low-hanging fruit!"
Perhaps if you communicate only in Zuni (Shiwi) or Basque, that will
help a little ;^\.
/Luk hom an beye:na:kwe deliba?da'kowa we'atchonan/,
- Steve
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
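The salt point in the reply above (a per-password salt stops one cracked password from helping with the others, and only matters against guessing) can be seen directly in code. This is an added example, not code from the thread or from any forum software; the accounts, passwords and guess list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data, not from any real breach: three forum accounts, two
# of which chose the same password, plus a short guess list.
ACCOUNTS = {"alice": "Summer2011!", "bob": "Summer2011!", "carol": "tr0ub4dor&3"}
GUESSES = ["password", "Summer2011!", "letmein"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware gets faster

def unsalted_digest(password: str) -> str:
    """Weak scheme: a bare SHA-256 of the password. Equal passwords give equal
    digests, so one table of hashed guesses serves every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_digest(password: str, salt: bytes) -> bytes:
    """Per-account random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store_salted(password: str) -> tuple[bytes, bytes]:
    """What a site should persist for each account: (salt, digest)."""
    salt = os.urandom(16)
    return salt, salted_digest(password, salt)

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check; constant-time compare avoids leaking digest prefixes."""
    return hmac.compare_digest(salted_digest(password, salt), digest)

def guess_unsalted(accounts: dict, guesses: list) -> tuple[dict, int]:
    """Returns ({user: recovered password}, hash operations). The guess table
    is hashed once and looked up for every account, and a hit on a shared
    password exposes all users who chose it."""
    table = {unsalted_digest(g): g for g in guesses}
    found = {u: table[unsalted_digest(pw)]
             for u, pw in accounts.items() if unsalted_digest(pw) in table}
    return found, len(guesses)

def guess_salted(stored: dict, guesses: list) -> tuple[dict, int]:
    """Same guesses against salted records {user: (salt, digest)}. Each guess
    must be re-derived under every account's own salt, so the work grows with
    the number of accounts and nothing learned about one carries to another."""
    found, ops = {}, 0
    for user, (salt, digest) in stored.items():
        for g in guesses:
            ops += 1
            if verify_salted(g, salt, digest):
                found[user] = g
                break
    return found, ops
```

With the sample data the unsalted table costs 3 hash operations and shows alice and bob sharing one digest; the salted records need 7 separate derivations and give every account a distinct digest even though two passwords are identical.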