WRT password cracking - Dan Goodin has a good series of articles on password 
cracking at Ars Technica.

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

TL;DR - Current GPU-based password cracking using 20-million word dictionaries 
makes truly random passwords below 14 characters and nearly all pass-phrases 
susceptible to cracking in a relatively short time.

On a related subject, roughly 75% of websites store passwords as nothing more 
complicated than simple, unsalted MD5 hashes.  This is almost as easy to break 
as NTLM.

Salt makes the initial crack more difficult, but if the same salt is used for 
all hashes, then subsequent cracks ignore it.

WRT the use of PII - it's sold on various markets, correlated in a "big data" 
manner with other exposures, and, if enough information is available and the 
person's credit score is high enough, is used for credit attacks.  In some 
cases, if banking information is correlated, the collection is used for banking 
attacks.  If there is poor correlation but an email or FQDN is in the 
information, then the data may be used as a target list.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
NIPR: rcpa...@sandia.gov
SIPR: rcpar...@sandia.doe.sgov.gov (send NIPR reminder)
JWICS: dopa...@doe.ic.gov (send NIPR reminder)



On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:

> A forum I belong to has been hacked, including personal info as well as 
> passwords.
> 
> How do they use this information?
> 
> I presume they try the hash function on all combinations of possible 
> passwords.  (Naturally optimized for faster convergence).  They see a match, 
> i.e. a letter combination resulting in the given hash of the password.
> 
> If they crack one password, does that make cracking the rest any easier?
> 
> And does "salt" simply increase the difficulty, and indeed can it be deduced, 
> as above, by cracking a single password?
> 
> .. or is it all quite different from this!
> 
>    -- Owen
> ============================================================
> FRIAM Applied Complexity Group listserv
> Meets Fridays 9a-11:30 at cafe at St. John's College
> to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
