Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Thursday October 10 2019, @01:23PM   Printer-friendly
from the simple-but-complex dept.

Submitted via IRC for Bytram

Father of Unix Ken Thompson checkmated as his old password has finally been cracked

Back in 2014, developer Leah Neukirchen found an /etc/passwd file among a file dump from the BSD 3 source tree that included the passwords used by various computer science pioneers, including Dennis Ritchie, Ken Thompson, Brian Kernighan, Steve Bourne, and Bill Joy.

As she explained in a blog post on Wednesday, she decided at the time to try cracking the password hashes, created using DES-based crypt(3), using various cracking tools like John the Ripper and hashcat.

When the subject surfaced on the Unix Heritage Society mailing list last week, Neukirchen responded with 20 cracked passwords from the file that's she'd broken five years ago. Five hashed passwords, however, remained elusive, including Thompson's.

ZghOT0eRm4U9s

"Even an exhaustive search over all lower-case letters and digits took several days (back in 2014) and yielded no result," wrote Neukirchen, who wondered whether Thompson might somehow have used uppercase or special characters.

The mailing list participants, intrigued by the challenge, set to work on the holdouts. The breakthrough came on Wednesday, from Nigel Williams, a HPC systems administrator based in Hobart, Tasmania.

"Ken is done," he wrote in a post to the mailing list. The cracking effort took more than four days on an AMD Radeon RX Vega 64 running hashcat at a rate of about 930MH/s.

ZghOT0eRm4U9s is a hash of p/q2-q4!

It's a common chess opening in descriptive notation. As Neukirchen observed, Thompson contributed to the development of computer chess.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Insightful) by nitehawk214 on Thursday October 10 2019, @02:55PM (1 child)

    by nitehawk214 (1304) on Thursday October 10 2019, @02:55PM (#905226)

    But it is completely stupid to have a site give you a password for use in a password manager. The manager itself should generate the password in a way that there is no possibility of it being logged somewhere.

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  

    Total Score:   2  
  • (Score: 3, Informative) by NotSanguine on Thursday October 10 2019, @03:22PM

    by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Thursday October 10 2019, @03:22PM (#905236) Homepage Journal

    The manager itself should generate the password in a way that there is no possibility of it being logged somewhere.

    Or use an offline password manager. I use a closed-source, proprietary password manager with significant vulnerability to "brute force" attacks. It's called my brain.

    Lack of password reuse (and lack of *userid* reuse) enhances security further.

    And while $5 wrenches are still effective, they are even more effective against a software based password manager. Since giving up the master password for a software password gives an attacker *all* your passwords at once.

    Swinging that wrench is hard work!

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr