Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Thursday October 10 2019, @01:23PM   Printer-friendly
from the simple-but-complex dept.

Submitted via IRC for Bytram

Father of Unix Ken Thompson checkmated as his old password has finally been cracked

Back in 2014, developer Leah Neukirchen found an /etc/passwd file among a file dump from the BSD 3 source tree that included the passwords used by various computer science pioneers, including Dennis Ritchie, Ken Thompson, Brian Kernighan, Steve Bourne, and Bill Joy.

As she explained in a blog post on Wednesday, she decided at the time to try cracking the password hashes, created using DES-based crypt(3), using various cracking tools like John the Ripper and hashcat.

When the subject surfaced on the Unix Heritage Society mailing list last week, Neukirchen responded with 20 cracked passwords from the file that's she'd broken five years ago. Five hashed passwords, however, remained elusive, including Thompson's.

ZghOT0eRm4U9s

"Even an exhaustive search over all lower-case letters and digits took several days (back in 2014) and yielded no result," wrote Neukirchen, who wondered whether Thompson might somehow have used uppercase or special characters.

The mailing list participants, intrigued by the challenge, set to work on the holdouts. The breakthrough came on Wednesday, from Nigel Williams, a HPC systems administrator based in Hobart, Tasmania.

"Ken is done," he wrote in a post to the mailing list. The cracking effort took more than four days on an AMD Radeon RX Vega 64 running hashcat at a rate of about 930MH/s.

ZghOT0eRm4U9s is a hash of p/q2-q4!

It's a common chess opening in descriptive notation. As Neukirchen observed, Thompson contributed to the development of computer chess.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Funny) by RamiK on Thursday October 10 2019, @02:39PM (5 children)

    by RamiK (1813) on Thursday October 10 2019, @02:39PM (#905222)
    --
    compiling...
    Starting Score:    1  point
    Moderation   +3  
       Funny=3, Total=3
    Extra 'Funny' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 3, Funny) by All Your Lawn Are Belong To Us on Thursday October 10 2019, @04:25PM

    by All Your Lawn Are Belong To Us (6553) on Thursday October 10 2019, @04:25PM (#905264) Journal

    That's the problem... you're surrounded by Soylentholes....

    --
    This sig for rent.
  • (Score: 3, Interesting) by FatPhil on Thursday October 10 2019, @04:57PM (3 children)

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday October 10 2019, @04:57PM (#905285) Homepage
    The funny thing is that that sequence of characters has the ability to become a made-up word that a nerd might base his password around. The dictionary crackers could add it to their word-list, of course, if they thought it was low enough entropy.

    I still plan on building an entropy-based dictionary attack where (first you build an approximate model of entropy, and then) you generate every single possible password in increasing entropy order, and test that. The problem is that part of the requirement is to evaluate the entropy of the application of various filters that people might apply to the simplest building blocks. I'd need to analyse a lot of used passwords to evaluate those. For example "append a digit" is an add-2-or-4-bits-of-entropy filter ("add a 1" being 2 bits at most). Worst would be pruning of passwords that have multiple parent nodes. So "up" and "side" would be lowish entropy components, but the application of "join 2 words" would lead to "upside" which would already be known as a lowish-entropy word. Similarly, "leetify word" might lead to the same new word as "append a digit" if the leetified word now ended with a "1".

    Never get hooked on information theory, it'll drive you mad!
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 4, Interesting) by RamiK on Thursday October 10 2019, @07:49PM

      by RamiK (1813) on Thursday October 10 2019, @07:49PM (#905359)

      The problem is that part of the requirement is to evaluate the entropy of the application of various filters that people might apply to the simplest building blocks

      You can try and train a neural net on one of the leaked password databases to try and predict passwords based on account meta. Or just go through it manually and stat certain patterns you notice to see how common they (and their variants) are.

      --
      compiling...
    • (Score: 2) by NotSanguine on Thursday October 10 2019, @08:18PM (1 child)

      by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Thursday October 10 2019, @08:18PM (#905367) Homepage Journal

      The obvious solution is to add enough entropy to make brute force/dictionary attacks impractical.

      As an example, take a common phrase/quote/song lyric like "That's what she said" and modify it to be "Twat's said her hat?" or "In the town where I was born" and modify it to be "Into the townies I was borne" or similar.

      This increases entropy against brute force attacks, and confounds phrase dictionary attacks as well. What's more, once you've created your *modified* phrase, it's just as memorable as the original -- at least to you.

      And now I will ruin another perfectly good password/phrase by posting it here:
      Modify "Four score and seven years ago, our forefathers..." to "More points and every yore from now, my mother..."

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 3, Interesting) by FatPhil on Friday October 11 2019, @07:06AM

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Friday October 11 2019, @07:06AM (#905624) Homepage
        I'm happy that you support the scheme that I adopted 31 years ago. I still have the same base password for all of the sites I care about (and trust to do sensible password non-storage) that I did when I was a student. None of my own machines have that base, of course, and none of the sites I don't trust either.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves