Submitted via IRC for TheMightyBuzzard
CynoSure Prime, a "password research collective", has reversed the hashes of nearly 320 million hashed passwords provided by security researcher Troy Hunt through the Pwned Passwords searchable online database.
Their effort, pulled off with the help of two other researchers, revealed many things:
- Interesting statistics regarding these real world passwords exposed in data breaches,
- The fact that this database also contains some 2.5 million email addresses and 230,000 email/password combinations (Hunt intends to purge that data from the database), and
- Some bugs in the Hashcat password recovery tool.
"The longest password we found was 400 characters, while the shortest was only 3 characters long. About 0.06% of passwords were 50 characters or longer with 96.67% of passwords being 16 characters or less," the collective shared.
"Roughly 87.3% of passwords fall into the character set of LowerNum 47.5%, LowerCase 24.75%, Num 8.15%, and MixedNum 6.89% respectively. In addition we saw UTF-8 encoded passwords along with passes containing control characters."
Source: https://www.helpnetsecurity.com/2017/09/05/researchers-reverse-320-million-hashed-passwords/
(Score: 2) by FatPhil on Wednesday September 06 2017, @07:18PM
User ID, user name, and timestamp of account creation are presumably constant for the user, which means that if a group of people find themselves in a big cluster of collisions on the seed value, they're stuck with being easier as a target. Because that is clearly not better than just a shitty (as above) random number, it matters not whether it's actually worse (which I have a gut-feel it is), one may as well use a known-good-enough shitty random number source.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves