posted by janrinok on Thursday October 10 2019, @01:23PM
from the simple-but-complex dept.

Submitted via IRC for Bytram

Father of Unix Ken Thompson checkmated as his old password has finally been cracked

Back in 2014, developer Leah Neukirchen found an /etc/passwd file among a file dump from the BSD 3 source tree that included the passwords used by various computer science pioneers, including Dennis Ritchie, Ken Thompson, Brian Kernighan, Steve Bourne, and Bill Joy.

As she explained in a blog post on Wednesday, she decided at the time to try cracking the password hashes, created using DES-based crypt(3), using various cracking tools like John the Ripper and hashcat.

When the subject surfaced on the Unix Heritage Society mailing list last week, Neukirchen responded with 20 cracked passwords from the file that she'd broken five years ago. Five hashed passwords, however, remained elusive, including Thompson's.

ZghOT0eRm4U9s

"Even an exhaustive search over all lower-case letters and digits took several days (back in 2014) and yielded no result," wrote Neukirchen, who wondered whether Thompson might somehow have used uppercase or special characters.

The mailing list participants, intrigued by the challenge, set to work on the holdouts. The breakthrough came on Wednesday, from Nigel Williams, an HPC systems administrator based in Hobart, Tasmania.

"Ken is done," he wrote in a post to the mailing list. The cracking effort took more than four days on an AMD Radeon RX Vega 64 running hashcat at a rate of about 930MH/s.

ZghOT0eRm4U9s is a hash of p/q2-q4!

It's a common chess opening in descriptive notation. As Neukirchen observed, Thompson contributed to the development of computer chess.
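The arithmetic behind the story, as an added example (not part of the article or the mailing-list thread): DES-based crypt(3) hashes at most the first 8 characters of a password, so a mask search is bounded by charset_size ** 8, and a mask that omits a character class the password uses (here '/', '-' and '!') can never succeed no matter how long it runs. The 930 MH/s rate and the recovered password are the values quoted above; the character-class names are this example's own.

```python
"""Keyspace and class-coverage reasoning for a DES crypt(3) hash."""
import string

# Character classes (names are this example's own, not hashcat's).
CLASS_CHARS = {
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "upper": string.ascii_uppercase,
    "special": string.punctuation,
}
DES_CRYPT_MAX_LEN = 8      # crypt(3) DES silently ignores characters past the 8th
QUOTED_RATE_HPS = 930e6    # hashcat rate quoted in the article for the RX Vega 64


def effective_password(password: str) -> str:
    """Return the prefix that DES crypt(3) actually hashes."""
    return password[:DES_CRYPT_MAX_LEN]


def classes_used(password: str) -> set:
    """Character classes present in the part of the password that gets hashed."""
    found = set()
    for ch in effective_password(password):
        for name, chars in CLASS_CHARS.items():
            if ch in chars:
                found.add(name)
    return found


def mask_can_succeed(mask_classes, password: str) -> bool:
    """A search over `mask_classes` can only find passwords built from them."""
    return classes_used(password) <= set(mask_classes)


def keyspace(mask_classes, max_len: int = DES_CRYPT_MAX_LEN) -> int:
    """Candidates for every length 1..max_len over the given classes."""
    size = sum(len(CLASS_CHARS[c]) for c in mask_classes)
    return sum(size ** n for n in range(1, max_len + 1))


def hours_at_rate(candidates: int, rate_hps: float = QUOTED_RATE_HPS) -> float:
    """Worst-case wall-clock hours to exhaust `candidates` at `rate_hps`."""
    return candidates / rate_hps / 3600


if __name__ == "__main__":
    pw = "p/q2-q4!"   # the recovered password from the article
    print("classes used:", sorted(classes_used(pw)))
    print("lower+digit mask can find it:", mask_can_succeed({"lower", "digit"}, pw))
    for mask in ({"lower", "digit"}, set(CLASS_CHARS)):
        print(sorted(mask), f"{hours_at_rate(keyspace(mask)):.1f} h upper bound")
```

The lower+digit space is exhausted in under an hour at the quoted GPU rate yet can never contain this password; adding all printable ASCII raises the worst-case bound to roughly 80 days, which is why the run was measured in days rather than minutes.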


  • (Score: 2) by janrinok (52) on Friday October 11 2019, @07:11AM (#905626)

    I'm pleased that you are happy with KeePass.

    However, from what I read here, most people use a second device to back up their password data. For many people that simply is not possible. It is easy to imagine that everyone now uses a mobile/cell phone - this is simply not the case. In some places of work, your mobile devices are not permitted inside the workplace and thus are useless as a second device for backing up your passwords at work. Additionally, having to back up to a second on-line device simply provides a second attack surface for anyone trying to collect your passwords. Yep, we believe that they are secure - until the news comes out sometime in the future that they're not.

    Finally, if I have understood correctly, whatever piece of software you use to remember your passwords, it is only protected by a single password which, in turn, gives access to the program providing access to all of the others. So, ultimately, it is only as secure as that single password.

    I have a system - which I will not detail here for obvious reasons - whereby I can recall in most cases, or at least deduce, the password which tends to be between 20-24 characters in length and uses both cases and symbols, and is linked to the site I am trying to access. I will confess that I have only started using this system in the last 3-4 years and I have, therefore, some passwords which do not follow the rules I have created and which are probably considerably weaker, but none of them give access to anything that would cause me a problem if they were compromised.

  • (Score: 2) by Common Joe (33) on Friday October 11 2019, @10:57AM (#905657)

    It's called pick your poison and risk management.

    Yes, it's a risk to use a password manager like KeePass (which I use in Windows; I use the variant KeePassXC in Linux). However, the passwords inside are encrypted and it forgets your copied password after a specified amount of time, defaulted to 10 or 12 seconds. (I set it to 30 seconds after installation.)

    Your method is also risky. You're basing your passwords on a formula that is difficult to change. Once one of your passwords is compromised, it weakens all of your others. Not to mention, it's nice to write encrypted notes and keep URLs associated with logins and passwords. And there are keyboard shortcuts for almost everything.

    Finally, as far as backing up passwords: copying the KeePass file is like copying any other file, so it's ultra easy to back up. If you can't back up data in your work environment, then that itself is a problem too, but that problem has nothing to do with passwords or password managers.