[Cryptography] Possible reason why password usage rules are such a mess

Sid Spry sid at aeam.us
Fri Nov 20 17:53:51 EST 2020


On Fri, Nov 20, 2020, at 1:57 PM, Arnold Reinhold wrote:
> and Sid Spry wrote:
> 
> > reversing a properly salted
> > password database is only feasible with such a dictionary.
> > 
> > Brute force in the strictest sense isn't usually tractable.
> 
> These two comments do not reflect the current state of the art. For 
> example, by 2012 it was possible to try all Windows NTLM eight-character 
> passwords containing upper- and lower-case letters, digits, and symbols 
> in 5.5 hours using 25 AMD Radeon graphics cards of that era (GPUs have 
> gotten a lot faster since). 
> https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
> 
> Modern cracking software, such as John the Ripper, uses a variety of 
> modes, including dictionaries, straight brute force and pattern-based 
> searches using word mangling rules. Almost all the passwords in 
> recovered corpuses were from stolen files of hashed passwords. It’s 
> rare to hear of a hacked firm storing plaintext passwords. Recovery 
> rates from stolen hash files are typically 70 to 80%.
> 

Point: NTLM is particularly weak compared to modern constructions and,
as you are aware, JtR is using dictionaries and pattern-based searches gleaned
from analyzing plaintext and reversed user databases.

That's not really brute force, you're guiding the search. But thankfully(?)
most people choose bad passwords.
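As an added illustration (not part of either poster's message), the two search modes the thread contrasts: exhausting a keyspace at a fixed guess rate, as in the 25-GPU NTLM figure, and the guided search that word-mangling rules make cheap. The checker inverts a few common mangling rules so a password policy can reject a dictionary word dressed up with case changes, leetspeak and appended digits; the word list, rule set and guess rate are constructed assumptions, not values from the thread beyond the 95^8-in-5.5-hours figure.

```python
import re

# Constructed sample of a breach-derived wordlist; a real policy check would
# load a large list (the same lists the cracking tools start from).
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty"}

# Inverse of the leetspeak substitutions that mangling rules typically apply.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Time to try every string of `length` symbols drawn from a
    `charset_size` alphabet at a fixed guess rate: unguided brute force."""
    return charset_size ** length / guesses_per_second


def unmangle(candidate):
    """Undo common mangling (case, appended digits/symbols, leetspeak,
    reversal) and return the base words the candidate could derive from."""
    base = candidate.lower()
    base = re.sub(r"[\d\W_]{1,4}$", "", base)   # "dragon2020" -> "dragon"
    base = re.sub(r"^[\d\W_]{1,2}", "", base)   # "!!monkey"   -> "monkey"
    forms = {base, base.translate(UNLEET)}      # "p@ssw0rd"   -> "password"
    forms |= {f[::-1] for f in list(forms)}     # "nogard"     -> "dragon"
    return forms


def is_mangled_dictionary_word(candidate, wordlist=COMMON_WORDS):
    """True when the candidate is a wordlist entry under some mangling rule,
    i.e. it lies inside the guided search rather than the full keyspace."""
    return any(form in wordlist for form in unmangle(candidate))


if __name__ == "__main__":
    # 95 printable ASCII symbols, 8 characters: the keyspace of the 2012 demo.
    rate = 3.35e11  # guesses/s implied by 95**8 tried in 5.5 hours (assumed)
    hours = seconds_to_exhaust(95, 8, rate) / 3600
    print(f"95^8 at {rate:.2e} guesses/s: {hours:.1f} h")
    for pw in ["P@ssw0rd1!", "Dragon2020", "n0gard", "Xq7#vLp2!mZ"]:
        verdict = "mangled dictionary word" if is_mangled_dictionary_word(pw) \
            else "outside the guided search"
        print(f"{pw!r}: {verdict}")
```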
