I find passwords really hard to remember, especially on those sites that
require numbers, symbols, uppercase, and lowercase characters. I personally
would rather use a 20 character all-lowercase
password <http://preshing.com/20110811/xkcd-password-generator/> than an
8 character mixed-symbol password. As a result I keep a document, in
the cloud, with all of my passwords stored in plain text. Many of these
passwords I could care less if someone cracked.
Also, I was under the impression that salting prevents the use of rainbow
tables <https://www.freerainbowtables.com/>.

Cody Smith


On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <rcpa...@sandia.gov> wrote:

> WRT password cracking - Dan Goodin has a good series of articles on
> password cracking at Ars Technica.
>
> http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
>
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
>
> http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
>
> TL;DR - Current GPU-based password cracking using 20-million word
> dictionaries makes truly random passwords below 14 characters and nearly all
> pass-phrases susceptible to cracking in a relatively short time.
>
> On a related subject, roughly 75% of websites store passwords as nothing
> more complicated than simple, unsalted MD5 hashes.  This is almost as easy
> to break as NTLM.
>
> Salt makes the initial crack more difficult, but if the same salt is used
> for all hashes, then subsequent cracks ignore it.
>
> WRT the use of PII - it's sold on various markets, correlated in a "big
> data" manner with other exposures, and, if enough information is available
> and the person's credit score is high enough, is used for credit attacks.
>  In some cases, if banking information is correlated, the collection is
> used for banking attacks.  If there is poor correlation but an email or
> FQDN is in the information, then the data may be used as a target list.
>
> Ray Parks
> Consilient Heuristician/IDART Program Manager
> V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
> NIPR: rcpa...@sandia.gov
> SIPR: rcpar...@sandia.doe.sgov.gov (send NIPR reminder)
> JWICS: dopa...@doe.ic.gov (send NIPR reminder)
>
>
>
> On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:
>
> A forum I belong to has been hacked, including personal info as well as
> passwords.
>
> How do they use this information?
>
> I presume they try the hash function on all combinations of possible
> passwords.  (Naturally optimized for faster convergence).  They see a
> match, i.e. a letter combination resulting in the given hash of the
> password.
>
> If they crack one password, does that make cracking the rest any easier?
>
> And does "salt" simply increase the difficulty, and indeed can it be
> deduced, as above, by cracking a single password?
>
> .. or is it all quite different from this!
>
>    -- Owen
>  ============================================================
> FRIAM Applied Complexity Group listserv
> Meets Fridays 9a-11:30 at cafe at St. John's College
> to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
>
>
>
>

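The mechanics Owen asks about and the salt caveat in Ray's reply can be tried end to end. The Python script below is an added example, not code from anyone in this thread: it stores a constructed set of user passwords three ways (unsalted MD5, MD5 with one site-wide salt, MD5 with a random per-user salt) and then plays the attacker against each store with an eight-word dictionary, counting hash computations. The names DICTIONARY, USERS, SITE_SALT and the crack_* functions are my own, and two details are assumptions made for the illustration: the site-wide salt is not in the dump (otherwise there is nothing to deduce) and it is only two bytes long, so that brute-forcing it alongside the dictionary finishes in well under a second.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed demo data (not real users or a real dump): an attacker's
# dictionary and four accounts, two of which chose the same weak password.
DICTIONARY = ["123456", "password", "letmein", "monkey",
              "dragon", "sunshine", "qwerty", "correcthorsebatterystaple"]
USERS = {"alice": "password", "bob": "dragon", "carol": "password", "dave": "qwerty"}
# Assumed site-wide salt for the shared-salt case: kept out of the dump and
# only two bytes long so that brute-forcing it is feasible in this demo.
SITE_SALT = bytes.fromhex("4a1f")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# --- three ways the site could have stored the same passwords -------------

def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    return {u: md5_hex(p.encode()) for u, p in users.items()}

def store_shared_salt(users: Dict[str, str], salt: bytes) -> Dict[str, str]:
    return {u: md5_hex(salt + p.encode()) for u, p in users.items()}

def store_per_user_salt(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    # Salt is random per account and stored beside the hash, as it must be.
    out = {}
    for u, p in users.items():
        salt = secrets.token_bytes(16)
        out[u] = (salt, md5_hex(salt + p.encode()))
    return out

# --- attacker side: each cracker returns (recovered, hashes computed) ------

def duplicate_groups(stored: Dict[str, str]) -> List[List[str]]:
    # Unsalted: identical passwords give identical hashes, so cracking one
    # account cracks every account in its group, and the groups are visible
    # before a single hash is computed.
    groups: Dict[str, List[str]] = {}
    for u, h in stored.items():
        groups.setdefault(h, []).append(u)
    return [g for g in groups.values() if len(g) > 1]

def crack_unsalted(stored: Dict[str, str]) -> Tuple[Dict[str, Optional[str]], int]:
    # One precomputed hash->word table (a rainbow table is this, compressed)
    # is built once and serves this dump and every other unsalted MD5 dump.
    table = {md5_hex(w.encode()): w for w in DICTIONARY}
    return {u: table.get(h) for u, h in stored.items()}, len(DICTIONARY)

def deduce_shared_salt(one_hash: str, salt_len: int) -> Tuple[Optional[bytes], int]:
    # Owen's question: can the salt be deduced by cracking a single password?
    # With a short salt, yes: try every salt value against the dictionary for
    # one hash. Worst case cost is 256**salt_len * len(DICTIONARY) hashes.
    ops = 0
    for n in range(256 ** salt_len):
        salt = n.to_bytes(salt_len, "big")
        for w in DICTIONARY:
            ops += 1
            if md5_hex(salt + w.encode()) == one_hash:
                return salt, ops
    return None, ops

def crack_shared_salt(stored: Dict[str, str], salt_len: int) -> Tuple[Dict[str, Optional[str]], int]:
    # Pay the salt search once on the first hash; after that the salt is known
    # and "subsequent cracks ignore it": one salted table covers everyone.
    first_hash = next(iter(stored.values()))
    salt, ops = deduce_shared_salt(first_hash, salt_len)
    if salt is None:
        return {u: None for u in stored}, ops
    table = {md5_hex(salt + w.encode()): w for w in DICTIONARY}
    return {u: table.get(h) for u, h in stored.items()}, ops + len(DICTIONARY)

def crack_per_user_salt(stored: Dict[str, Tuple[bytes, str]]) -> Tuple[Dict[str, Optional[str]], int]:
    # No table survives from one account to the next: every hash costs a full
    # dictionary pass, so total work is len(DICTIONARY) * number of accounts.
    recovered: Dict[str, Optional[str]] = {}
    ops = 0
    for u, (salt, h) in stored.items():
        candidates = {}
        for w in DICTIONARY:
            ops += 1
            candidates[md5_hex(salt + w.encode())] = w
        recovered[u] = candidates.get(h)
    return recovered, ops

def unsalted_table_hits(stored: Dict[str, Tuple[bytes, str]]) -> int:
    # The rainbow-table point: a table built without the salt matches nothing
    # in a per-user-salted dump, even though every password is in DICTIONARY.
    table = {md5_hex(w.encode()) for w in DICTIONARY}
    return sum(1 for _, h in stored.values() if h in table)


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("unsalted duplicates:", duplicate_groups(unsalted))
    print("unsalted:", crack_unsalted(unsalted))
    shared = store_shared_salt(USERS, SITE_SALT)
    print("shared salt:", crack_shared_salt(shared, len(SITE_SALT)))
    per_user = store_per_user_salt(USERS)
    print("per-user salt:", crack_per_user_salt(per_user))
    print("unsalted table hits on per-user dump:", unsalted_table_hits(per_user))
```

Run as a script it prints the three outcomes side by side: the unsalted dump reveals alice and carol share a password before any hashing, and eight MD5 computations recover all four accounts; the shared-salt dump costs roughly 150,000 MD5 computations to recover the salt from the first hash, after which the remaining accounts cost the same eight as the unsalted case; the per-user-salted dump costs a full dictionary pass per account (32 here) and the precomputed unsalted table scores zero hits against it. Salt therefore multiplies the attacker's work by the number of accounts and defeats precomputed tables, which is the point Cody was recalling, but it does nothing for a password that is itself in the dictionary; making each guess slow is the job of a deliberately expensive hash such as bcrypt, scrypt or PBKDF2, not of the salt.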