Reply to post:

Father of Unix Ken Thompson checkmated: Old eight-char password is finally cracked

Anonymous Coward
Anonymous Coward

There are 555,278,657 unique passwords in https://haveibeenpwned.com/Passwords

It would take a matter of seconds to create the hashes for a single, known salt on most modern PC's will likely generate the list at >100M passwords a second. If you have openssl installed, "openssl speed sha512" will give you a good idea of the CPU's hash speed - if you wish to use hashcat, you will also need OpenCL support installed.

If you don't know the salt, then you need to do this for every possible salt to build a rainbow table - assuming Linux with a SHA512 password, the salt is either 2^48 (i.e. 8 characters of base64) or 2^96 (upto 16 characters are specified in the spec but I'm not aware of any mainstream OS's using this) so you still require a lot of time and storage to produce this.

Which leads onto "how do we easily find the salt value?"

If the passwords have been stored securely with SHA512 (i.e. modern Linux), the answer is likely luck in brute forcing the salt, but at 2^48 you have reduced the strength of the password dump to that as finding one salt allows you to quickly find a large percentage of the others and the remaining brute force is significantly easier. But even with a large resource dedicated to this and continuing technology advances, you are looking at more than 2^20 years (i.e. 3x10^10 seconds in a year, 2x10^10 hashes a second, 1x10^7 hosts for a distributed effort).

However... in many of the dumps in the wild, the salt is either not used (i.e. LinkedIn's password dump - ref:https://queue.acm.org/detail.cfm?id=2254400) or there are other weaknesses (i.e. NTLM stored as two 7-character hashes or some IDAM applications require reversible encryption to be enabled on AD for full AD integration) that may make this much easier and once you have usable usernames/passwords, password re-use may get you a long way.

Back to how this affects you, as you only have trust to protect you with third parties, long passwords and avoiding password re-use are the only real options for avoiding a password compromise on one service spreading to other services that you use.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2019