Stories
Slash Boxes
Comments

SoylentNews is people

Researchers Reverse 320 Million Hashed Passwords

posted by Fnord666 on Tuesday September 05 2017, @09:39PM   Printer-friendly
from the have-you-checked-your-passwords-lately? dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

CynoSure Prime, a "password research collective", has reversed the hashes of nearly 320 million hashed passwords provided by security researcher Troy Hunt through the Pwned Passwords searchable online database.

Their effort, pulled off with the help of two other researchers, revealed many things:

  • Interesting statistics regarding these real world passwords exposed in data breaches,
  • The fact that this database also contains some 2.5 million email addresses and 230,000 email/password combinations (Hunt intends to purge that data from the database), and
  • Some bugs in the Hashcat password recovery tool.

"The longest password we found was 400 characters, while the shortest was only 3 characters long. About 0.06% of passwords were 50 characters or longer with 96.67% of passwords being 16 characters or less," the collective shared.

"Roughly 87.3% of passwords fall into the character set of LowerNum 47.5%, LowerCase 24.75%, Num 8.15%, and MixedNum 6.89% respectively. In addition we saw UTF-8 encoded passwords along with passes containing control characters."

Source: https://www.helpnetsecurity.com/2017/09/05/researchers-reverse-320-million-hashed-passwords/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Researchers Reverse 320 Million Hashed Passwords | Log In/Create an Account | Top | 31 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Runaway1956 on Wednesday September 06 2017, @12:44AM (9 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday September 06 2017, @12:44AM (#563991) Journal

    What you are, what you know, what you have.

    A biometric, a password, and a dongle of some sort, actually begins to be "secure". Two-factor authentication tries to address the issue. A password, in and of itself, is little more than meaningless. Many of us here have cracked passwords in the past, I'm sure, if only as a challenge. If passwords ever had any meaning, that meaning ended with the introduction of rainbow tables. A password that I may have brute-forced over a period of days or weeks came up in just a few minutes using a table.

    Rainbow tables are an indication of the future. Serious hackers/crackers aren't going to throw anything away. With the tables, you crack a password one time, then put it into a database. Similar tricks will be seen in the future. Nothing will be forgotten, neither successes nor failures. It all goes into a database, for future reference.

    Most of us don't really need to secure anything important. But, if and when you really DO want to keep some secrets, you better have something better than just a password.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by Runaway1956 on Wednesday September 06 2017, @12:55AM (2 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday September 06 2017, @12:55AM (#563996) Journal

    Oh yeah - if you have an important secret, NEVER_EVER_EVER_PUT_IT_ON_AN_INTERNET_CONNECTED_MACHINE !!!!!!!!!

    That secret may be safe from some amateur like myself, but the pros can and do get into state systems. Sometimes, the state doesn't even know anyone has been there. There are no secrets on the internet.

    What's that? You actually thought "the cloud" was a thing? ROFLMAO!

    • (Score: 3, Insightful) by arslan on Wednesday September 06 2017, @01:33AM

      by arslan (3462) on Wednesday September 06 2017, @01:33AM (#564005)

      Except the world is heading in the direction where everything is on the internet and these *things* have sensors that will pick up information on non-internet thingies and have that in the internet.

      It will get harder and harder to avoid...

    • (Score: 2) by Pino P on Wednesday September 06 2017, @04:14PM

      by Pino P (4721) on Wednesday September 06 2017, @04:14PM (#564187) Journal

      What's that? You actually thought "the cloud" was a thing?

      Yes. "The cloud" most commonly means someone else's farm of identical servers offered for lease on short notice and for short durations. Some people fear "the cloud" because application service providers have co-opted the term [gnu.org]. But in practice, the suitability of leasing such a server for a particular project depends on three things:

      1. whether a particular server farm's operator can guarantee sufficient confidentiality for your project,
      2. whether you have access to audit non-trivial applications running on these servers, and
      3. whether the service provided by the server is sufficiently general that a server can be replaced with a competitor's.

      A generic VPS (such as Amazon EC2) or a generic NAS (such as Amazon S3) differs greatly in points 2 and 3 from a more specialized application service provider.

  • (Score: 5, Interesting) by The Mighty Buzzard on Wednesday September 06 2017, @01:35AM (1 child)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday September 06 2017, @01:35AM (#564007) Homepage Journal

    Sorry, no. You cannot build a rainbow table large enough to go from all possible three-character passwords up to the ones I use. You can't even build one with the exact same amount of characters. One terabyte by fucked up measuring standards is 1 * 1012 bytes. My current passwords start at needing ~3 * 1049 bytes of storage for a rainbow table big enough to account for them to be built.

    There are not that many hard drives in existence on the planet. A stack of all the necessary 5TB hard drives to rainbow table my password would in fact be much, much larger than the planet. Specifically, it would be 1.56358066931 * 1024 KM3, given a standard 3.5" drive. To give you some scope, the earth is ~1 * 1012 KM3. Even Jupiter is only 1.43 * 1015 KM3 (Uranus is 6.833 * 1013 KM3. You shouldn't have any fiber worries.). Thankfully there's good ole Sol to the rescue sitting there at 1.4 * 1027 KM3 or roughly a thousand times larger.

    --
    My rights don't end where your fear begins.

    • (Score: 2) by jasassin on Wednesday September 06 2017, @05:29AM

      by jasassin (3566) <jasassin@gmail.com> on Wednesday September 06 2017, @05:29AM (#564044) Homepage Journal

      Uranus is 6.833 * 1013 KM3.

      Oh yaeah? Who you think you talking to BITCH? You anus at least twice that big!

      --
      jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A

  • (Score: 4, Insightful) by FatPhil on Wednesday September 06 2017, @02:33AM (2 children)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday September 06 2017, @02:33AM (#564016) Homepage
    salt destroys rainbow tables. it's very cheap to add more salt (linear growth in storage), but devastatingly expensive on the tables (geometric growth).
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

    • (Score: 2) by Pino P on Wednesday September 06 2017, @04:40PM (1 child)

      by Pino P (4721) on Wednesday September 06 2017, @04:40PM (#564196) Journal

      Is it a bad idea to derive the salt from the user ID, user name, and timestamp of account creation? Or must the salt always be derived from a cryptographically random source whenever the password changes?

      • (Score: 2) by FatPhil on Wednesday September 06 2017, @07:18PM

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday September 06 2017, @07:18PM (#564229) Homepage
        Salt effectively just extends the password by several characters that the user doesn't need to memorise. Absence of salt means that dictionaries (even clever storage-optimised dictionaries like rainbow tables (most of the implicit content of which is randomish strings that aren't actually so useful, the win is by limiting what that randomness might be in order to maximise the chance of covering an actually-used password)) can be shared for every account. Common salt means that the dictionaries can be shared for all those who share that common salt (at that particular point in time). So what you really want is just to have as many of your users having different salt. That is a *statistical* requirement, not a *cryptographic* one. So a shitty (i.e. typical libc srand(time(0));rand()) random number is perfectly good enough to achieve that. Just make it long enough that collisions are uncommon so dictionaries cannot be effectively leveraged.

        User ID, user name, and timestamp of account creation are presumably constant for the user, which means that if a group of people find themselves in a big cluster of collisions on the seed value, they're stuck with being easier as a target. Because that is clearly not better than just a shitty (as above) random number, it matters not whether it's actually worse (which I have a gut-feel it is), one may as well use a known-good-enough shitty random number source.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

  • (Score: 0) by Anonymous Coward on Wednesday September 06 2017, @11:37AM

    by Anonymous Coward on Wednesday September 06 2017, @11:37AM (#564111)

    What you are, what you know, what you have.

    You mean "what you were, what you've forgotten, and what you've lost".