How I became a password cracker.

Discussion in 'Gaming and Software' started by ObnoxiousJockGit, Apr 7, 2013.

Welcome to the Army Rumour Service, ARRSE

The UK's largest and busiest UNofficial military website.

The heart of the site is the forum area, including:

    • Like Like x 1
  1. Use lastpass and audit all your login details/passwords, its the future!
     
    • Like Like x 1
  2. If you want to find out how to 'crack' others passwords or even find out how to not have yours cracked, visit http://searchlores.org/

    Of course it is down and you will need to find a mirror. There are several. Some even including the tools available there.


    It not only gives all the tools, but techniques such as social engineering which is far more effective.


    There are other tools available. But there isn't a self-respecting cracker that hasn't read searchlores.

    Of note is the Reality Cracking essays on how to crack reality, news etc..


    When you have a target in your sites, there are very few that are that clued up or that well protected that they can not be stalked and cracked black and blue.


    Best to stay under the radar. Or use other techniques.

    I'm off to read the fa now.

    Ah, John The Ripper. Good stuff. No mention of Rainbow Tables and linux distros such as Konboot which makes your windows box mine. Or anyone's who has the CD. Maybe I missed it, I did skim.

    But it don't matter. Most sites won't let you use passwords of certain lengths including special characters and mix and match.

    The article does cover how passwords are stored server side as hashes, but as mentioned doesn't go into how easy that is to crack with Rainbow Tables. Though to be fair they do mention salting the hashes which makes things considerably more difficult especially if you have a good hard long password to start with.


    Let's face it. Brute forcing aside. You probably have a crap password and you use that for several sites. So, once I crack your arse password, I have your email, possibly even banking details too, if you are that lazy. Or vice versa. It's all good.


    Personally I have absolutely zero interest in this. But there will be those that want details for financial gain. It is not just good passwords you need, but only using certain OSs for banking, and using anti-key loggers if you do choose to use windows. Firewalls etc..

    It's actually quite easy to get locked down when you know what you are doing. And what you want. I think at the minimum you need to do your banking from a live cd of linux. That eliminates a majority of stuff right there.

    Every beast can be hunted down. It will be the slowest and most wounded that get caught and the others that live to fight another day.

    Nothing I have said here is disclosing any special information that is not available widely on the net to anyone that has the wherewithal to look.


    ;-)
     
  3. Genuine question, and as I have a meeting to get to (which interrupts my arrse browsing) I might get round to reading the response later this afty.
    For the masses of the great unwashed, do we rerally need to have hyper clever passwords or is my last 4 plus my first dogs name sufficient? I get the feeling that it's not really worth the effort for anyone to hack my system and the only real threat will be the twat that does it just for spite. Or have I answered my own question as there are lots of said twats about?
     
  4. Depends on the consequences. If someone just hacks your Arrse or Facebook account, that's no more than irritating/embarrassing. If they get at the e-mails detailing your affair with that nice little bit of stuff from across the road ... or your work account, with details of strategy for the coming year, or ...

    One thing that will defeat a large percentage of hackers is to use a pass phrase, rather than a word, and drop the occasional special character into it, like "Senior member adbo i%s enjoying l/fe in [anada" Easy for you to remember, impossible to guess, and brute force is going to take a while.
    Or so I understand ... until some crypto genius rocks up and tells me I'm way out of date.
     
  5. Treat your password like a key.

    Consider what it unlocks, and whether you care that someone else could unlock it - or if you don't care what are the implications of someone impersonating you.

    e.g. Your Arrse forum password does not need to be the most secure password ever. But if someone logs on as you and posts in your name will that be a problem for you?

    If you use multiple forums you could use the same password for ease, or keep them different to minimise a breach

    Your internet banking details ought to be more secure. But there should also be a bit more then just a password, e.g. you have a user ID, password, probably a PIN / secondary code with randomly requested characters, or a key ring dongle generating a code

    Your email could be used to validate password resets etc for many other areas, so possibly should be equaly secure

    The issue with a 'good' secure password is it is likely to be harder to remember, and you may write it down. But it is not necessarily the worst thing ever to write down your password. Sticking your password on a post it note on you PC in the office would not be so clever.
    Equally writing the code on the door for a combination lock is not very clever

    Some discussion on hacking password hashes is academic. You need access to the password hash data. If your network server is secure then people cannot access the hashes and cannot crack the passwords using the hashes.
    If someone can access the hashes and take them offline then they can crack the data. The security of the passwords is then measureable against the time taken to crack them compared to the time they can be used.
    If possible password combinations can be cracked in a month, but they are changed weekly then they can be considered reasonably secure. However if a password is the first one tried then it is cracked in seconds and therefore is insecure.
    This is not a reliable calculation of security, as with additional resources - or an improvement in technology the cracking time is speeded up.

    The issue of twats hacking for spite can be compared to Facebook Fraping. If people around you will log into your facebook account and change your status then you are at risk of hacking. However they have a low impact. The one to worry about is the one who does not log in and change your status, its the one who logs in as you and noses around without making changes, or making subtle changes. You don't notice what has happened.
    This is the same reason that old viruses in the 80s etc used to be jokes with letters falling off your screen and were found quickly, the ones that were subtle or waited would infect more computers before being discovered.


    Take the old headlines about how many people give away their password outside Waterloo station (coincidentaly at the time of security conferences) ... in 2003 mostly men were willing to tell their passwords, in 2004 mostly women would
    The reason being that in 2003 they gave pens to people giving the password, in 2004 they gave away chocolate.
    The change in statistics only meant that women were more likley to give an answer for chocolate. It does not mean they told the truth


    Office workers give away passwords for a cheap pen • The Register
    Would you trade your password for chocolate? • The Register
     
  6. It's Rainbow Crack, numb nuts. it just uses the tables.
     

  7. **** mate, it's you that's on the crack, it is.



    Btw, my nuts aren't even numb, they are tingling, awaiting your reply.




    All the best.
     
  8. See - Ophcrack


    There isn't a machine in the world running XP that I couldn't get into (or you or anyone else) with these tables. Well... maybe if they used a really clever password. What do you think? Is that possible?

    But don't give it up. I'll be round in half an hour. I want twenty quids worth. Don't neck it by the time I come round eh?
     
  9. Mine actually DID that the other day!!! I was very fortunate to meet an available young lady that doesn't charge for her services in circumstances that allowed me to invite her out.

    Thanks to my new herculean physique, she accepted.

    Just thought I'd share.
     
  10. http://imgs.xkcd.com/comics/password_strength.png

    Is probably the easiest way I've ever learned to remember strong passwords
     
  11. MMMMMMmmmmmmm Entropy calculations..........drool, gibber wibble :)
     
  12. Purely as an academic interest of course, or for the amusement of friends who allow you to attempt to break their passwords as part of a fun packed saturday of geekiness.

    Not to be used in any way without the data or system owners permission. Particularly be wary if you have an interest in UFO's, like wearing tinfoil hats and have the urls of some US DoD sites. You may need to have a background history of some mental illness that can be used in your defence when Uncle Sam wants to cart you off for an all expenses trip to Gitmo in a rather fetching orange boiler suit.

    I am sure none of the upstanding characters on this site would be considering any potential nefarious activities they could be getting up to that could be deemed in contravention of particular SyOPS or even the Computer Misuse act :)
     
  13. If you want to understand what makes good passwords and their composition (and easy ways to remember them)
    read this article https://www.grc.com/haystack.htm

    There is also a short video on the page from ABC news that explains the concept well.