• ARRSE have partnered with Armadillo Merino to bring you an ARRSE exclusive, generous discount offer on their full price range.
    To keep you warm with the best of Merino gear, visit www.armadillomerino.co.uk and use the code: NEWARRSE40 at the checkout to get 40% off!
    This superb deal has been generously offered to us by Armadillo Merino and is valid until midnight on the the 28th of February.

How I became a password cracker.

#3
If you want to find out how to 'crack' others passwords or even find out how to not have yours cracked, visit http://searchlores.org/

Of course it is down and you will need to find a mirror. There are several. Some even including the tools available there.


It not only gives all the tools, but techniques such as social engineering which is far more effective.


There are other tools available. But there isn't a self-respecting cracker that hasn't read searchlores.

Of note is the Reality Cracking essays on how to crack reality, news etc..


When you have a target in your sites, there are very few that are that clued up or that well protected that they can not be stalked and cracked black and blue.


Best to stay under the radar. Or use other techniques.

I'm off to read the fa now.

Ah, John The Ripper. Good stuff. No mention of Rainbow Tables and linux distros such as Konboot which makes your windows box mine. Or anyone's who has the CD. Maybe I missed it, I did skim.

But it don't matter. Most sites won't let you use passwords of certain lengths including special characters and mix and match.

The article does cover how passwords are stored server side as hashes, but as mentioned doesn't go into how easy that is to crack with Rainbow Tables. Though to be fair they do mention salting the hashes which makes things considerably more difficult especially if you have a good hard long password to start with.


Let's face it. Brute forcing aside. You probably have a crap password and you use that for several sites. So, once I crack your arse password, I have your email, possibly even banking details too, if you are that lazy. Or vice versa. It's all good.


Personally I have absolutely zero interest in this. But there will be those that want details for financial gain. It is not just good passwords you need, but only using certain OSs for banking, and using anti-key loggers if you do choose to use windows. Firewalls etc..

It's actually quite easy to get locked down when you know what you are doing. And what you want. I think at the minimum you need to do your banking from a live cd of linux. That eliminates a majority of stuff right there.

Every beast can be hunted down. It will be the slowest and most wounded that get caught and the others that live to fight another day.

Nothing I have said here is disclosing any special information that is not available widely on the net to anyone that has the wherewithal to look.


;-)
 
#5
Genuine question, and as I have a meeting to get to (which interrupts my arrse browsing) I might get round to reading the response later this afty.
For the masses of the great unwashed, do we rerally need to have hyper clever passwords or is my last 4 plus my first dogs name sufficient? I get the feeling that it's not really worth the effort for anyone to hack my system and the only real threat will be the twat that does it just for spite. Or have I answered my own question as there are lots of said twats about?
 
#6
Genuine question, and as I have a meeting to get to (which interrupts my arrse browsing) I might get round to reading the response later this afty.
For the masses of the great unwashed, do we rerally need to have hyper clever passwords or is my last 4 plus my first dogs name sufficient? I get the feeling that it's not really worth the effort for anyone to hack my system and the only real threat will be the twat that does it just for spite. Or have I answered my own question as there are lots of said twats about?
Depends on the consequences. If someone just hacks your Arrse or Facebook account, that's no more than irritating/embarrassing. If they get at the e-mails detailing your affair with that nice little bit of stuff from across the road ... or your work account, with details of strategy for the coming year, or ...

One thing that will defeat a large percentage of hackers is to use a pass phrase, rather than a word, and drop the occasional special character into it, like "Senior member adbo i%s enjoying l/fe in [anada" Easy for you to remember, impossible to guess, and brute force is going to take a while.
Or so I understand ... until some crypto genius rocks up and tells me I'm way out of date.
 
#7
Genuine question, and as I have a meeting to get to (which interrupts my arrse browsing) I might get round to reading the response later this afty.
For the masses of the great unwashed, do we rerally need to have hyper clever passwords or is my last 4 plus my first dogs name sufficient? I get the feeling that it's not really worth the effort for anyone to hack my system and the only real threat will be the twat that does it just for spite. Or have I answered my own question as there are lots of said twats about?
Treat your password like a key.

Consider what it unlocks, and whether you care that someone else could unlock it - or if you don't care what are the implications of someone impersonating you.

e.g. Your Arrse forum password does not need to be the most secure password ever. But if someone logs on as you and posts in your name will that be a problem for you?

If you use multiple forums you could use the same password for ease, or keep them different to minimise a breach

Your internet banking details ought to be more secure. But there should also be a bit more then just a password, e.g. you have a user ID, password, probably a PIN / secondary code with randomly requested characters, or a key ring dongle generating a code

Your email could be used to validate password resets etc for many other areas, so possibly should be equaly secure

The issue with a 'good' secure password is it is likely to be harder to remember, and you may write it down. But it is not necessarily the worst thing ever to write down your password. Sticking your password on a post it note on you PC in the office would not be so clever.
Equally writing the code on the door for a combination lock is not very clever

Some discussion on hacking password hashes is academic. You need access to the password hash data. If your network server is secure then people cannot access the hashes and cannot crack the passwords using the hashes.
If someone can access the hashes and take them offline then they can crack the data. The security of the passwords is then measureable against the time taken to crack them compared to the time they can be used.
If possible password combinations can be cracked in a month, but they are changed weekly then they can be considered reasonably secure. However if a password is the first one tried then it is cracked in seconds and therefore is insecure.
This is not a reliable calculation of security, as with additional resources - or an improvement in technology the cracking time is speeded up.

The issue of twats hacking for spite can be compared to Facebook Fraping. If people around you will log into your facebook account and change your status then you are at risk of hacking. However they have a low impact. The one to worry about is the one who does not log in and change your status, its the one who logs in as you and noses around without making changes, or making subtle changes. You don't notice what has happened.
This is the same reason that old viruses in the 80s etc used to be jokes with letters falling off your screen and were found quickly, the ones that were subtle or waited would infect more computers before being discovered.


Take the old headlines about how many people give away their password outside Waterloo station (coincidentaly at the time of security conferences) ... in 2003 mostly men were willing to tell their passwords, in 2004 mostly women would
The reason being that in 2003 they gave pens to people giving the password, in 2004 they gave away chocolate.
The change in statistics only meant that women were more likley to give an answer for chocolate. It does not mean they told the truth


Office workers give away passwords for a cheap pen • The Register
Would you trade your password for chocolate? • The Register
 
#10
See - Ophcrack


There isn't a machine in the world running XP that I couldn't get into (or you or anyone else) with these tables. Well... maybe if they used a really clever password. What do you think? Is that possible?

But don't give it up. I'll be round in half an hour. I want twenty quids worth. Don't neck it by the time I come round eh?
 

Drivers_lag

On ROPS
On ROPs
#11
**** mate, it's you that's on the crack, it is.



Btw, my nuts aren't even numb, they are tingling, awaiting your reply.




All the best.
Mine actually DID that the other day!!! I was very fortunate to meet an available young lady that doesn't charge for her services in circumstances that allowed me to invite her out.

Thanks to my new herculean physique, she accepted.

Just thought I'd share.
 
#12
Genuine question, and as I have a meeting to get to (which interrupts my arrse browsing) I might get round to reading the response later this afty.
For the masses of the great unwashed, do we rerally need to have hyper clever passwords or is my last 4 plus my first dogs name sufficient? I get the feeling that it's not really worth the effort for anyone to hack my system and the only real threat will be the twat that does it just for spite. Or have I answered my own question as there are lots of said twats about?
http://imgs.xkcd.com/comics/password_strength.png

Is probably the easiest way I've ever learned to remember strong passwords
 
#14
If you want to find out how to 'crack' others passwords or even find out how to not have yours cracked, visit http://searchlores.org/
Purely as an academic interest of course, or for the amusement of friends who allow you to attempt to break their passwords as part of a fun packed saturday of geekiness.

Not to be used in any way without the data or system owners permission. Particularly be wary if you have an interest in UFO's, like wearing tinfoil hats and have the urls of some US DoD sites. You may need to have a background history of some mental illness that can be used in your defence when Uncle Sam wants to cart you off for an all expenses trip to Gitmo in a rather fetching orange boiler suit.

I am sure none of the upstanding characters on this site would be considering any potential nefarious activities they could be getting up to that could be deemed in contravention of particular SyOPS or even the Computer Misuse act :)
 

Guns

ADC
Moderator
Book Reviewer
#16
Use a password manager and not the one in your browser

Never use the same password for different accounts. Lets say rafregt.com email is I $p@nK my m0nkey. Good solid password, 17 characters (with the spaces) but still possible to crack. Now if you log in to everything with iblowgoats@rafregt.com password I $p@nK my m0nkey and one of the lesser sites - say a quick log in to a small scale badly run site - is hacked they now have every log in and password for you. No matter how good the sites security they just need to hack the weakest one in the herd. Off they go and try user username and password on all the big ones - Amazon, porn sites you get the idea.

So now you have iblowgoats@rafregt.com for your personal stuff. NEVER EVER use it as a log in email. Go to GMail/Outlook or your email provider of choice and get another account. Use this for logging in to sites (see later for proper tin foil hat stuff). Your password should be auto generated by the password manager to the max characters allowed and frankly you shouldn't care what it is because the app will take care of it all.

If you don't want to do that then take your password I $p@nK my m0nkey and add say arrse to the end of it for your arrse account.

Both of these measures mean that for any site hack only that password (for you) is compromised.

I am a bit more paranoid and have bought @<name>.me.uk as my very own email domain. Cost a pound a month from 1&1 and it gives me 5 email accounts. So I have main@<name>.me.uk as the working account. I have set up a rule that *@<name>.me.uk will get forwarded to main@<name>.me.uk. This means anything before the @ is sent to that account. Each online account has a log in like this ispankmonkeys@<name>.me.uk with a password via Last Past. Then my other account arrse@<name>.me.uk or navynet@<name>.me.uk also re-directs to the main account. My personal email account is <name>@<name>.me.uk and that is for friends etc only. What this does is limit the log in details to single online accounts. I also have spam@<name>.me.uk and use this when I really can't be arsed to follow up. That email account auto deletes daily.

Also if a site offers two factor authentication use it. Its a ball ache but so is loosing all your data

How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com
 
#17
Mine actually DID that the other day!!! I was very fortunate to meet an available young lady that doesn't charge for her services in circumstances that allowed me to invite her out.

Thanks to my new herculean physique, she accepted.

Just thought I'd share.
No, it's alright mate. One needs all the friends one can get around here. Maybe we could do a private roasting and split the proceeds. Not that I'm into that or anything, but it's nice to have the offer all the same.

;-)

You sound like a good chap to have on one's side, so I'm up for it ;-).
 
#19
Purely as an academic interest of course, or for the amusement of friends who allow you to attempt to break their passwords as part of a fun packed saturday of geekiness.

Not to be used in any way without the data or system owners permission. Particularly be wary if you have an interest in UFO's, like wearing tinfoil hats and have the urls of some US DoD sites. You may need to have a background history of some mental illness that can be used in your defence when Uncle Sam wants to cart you off for an all expenses trip to Gitmo in a rather fetching orange boiler suit.

I am sure none of the upstanding characters on this site would be considering any potential nefarious activities they could be getting up to that could be deemed in contravention of particular SyOPS or even the Computer Misuse act :)
Thankyou very much. Ergo eh er um eh?

Only some one that knew what they were talking about could have given such an answer. The equivalent of the third match.

You got my number, but I got your number too.

Btw, calling yourself SecurityGeek is not the brightest of names if you are into security and you really are a geek.

Just saying...


;-)

I, however, am the grey man.


Unless...
 
#20
Thankyou very much. Ergo eh er um eh?

Only some one that knew what they were talking about could have given such an answer. The equivalent of the third match.

You got my number, but I got your number too.

Btw, calling yourself SecurityGeek is not the brightest of names if you are into security and you really are a geek.

Just saying...


;-)

I, however, am the grey man.


Unless...
My IP address is 192.168.0.3.

Feel free to have a go.
 

Latest Threads

New Posts