In March, readers followed along as, Ars Technica deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours,. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do. Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their colour and technical detail style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered. The list contained 16,449 passwords converted into hashes using the.
Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash -- for instance, they must guess that '5f4dcc3b5aa765d61d8327deb882cf99' and '7c6a180b36896a0a8c02787eeafb0e4c' are the MD5 hashes for 'password' and 'password1' respectively. (For more details on password hashing, see the earlier Ars feature '.' )

While Anderson's 47-percent success rate is impressive, it's minuscule when compared to what real crackers can do, as Anderson himself made clear.
To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. To put it mildly, they didn't disappoint.
Even the least successful cracker of our trio -- who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process -- was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them. The Ars password team included a developer of cracking software, a security consultant, and an anonymous cracker. The most thorough of the three cracks was carried out by, a password expert with. Using a commodity computer with a single, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate.
Jens Steube, the lead developer behind, achieved impressive results as well. (oclHashcat-plus is the freely available password-cracking software both Anderson and all crackers in this article used.) Steube unscrambled 13,486 hashes (82 percent) in a little more than one hour, using a slightly more powerful machine that contained two. A third cracker who goes by the moniker radix deciphered 62 percent of the hashes using a computer with a single 7970 card -- also in about one hour. And he probably would have cracked more had he not been peppered with questions throughout the exercise. The list of 'plains,' as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. '123456,' '1234567,' and 'password' are there, as are 'letmein,' 'Destiny21,' and 'pizzapizza.' Passwords of this ilk are hopelessly weak.
Despite the additional tweaking, 'p@$$word,' '123456789j,' 'letmein1!,' and 'LETMEin3' are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. ':LOL1313le' is in there, as are 'Coneyisland9/,' 'momof3g8kids,' '1368555av,' 'n3xtb1gth1ng,' 'qeadzcwrsfxv1331,' 'm27bufford,' 'J21.redskin,' 'Garrett1993*,' and 'Oscar+emmy2.' As big as the word lists that all three crackers in this article wielded -- close to 1 billion strong in the case of Gosney and Steube -- none of them contained 'Coneyisland9/,' 'momof3g8kids,' or the more than 10,000 other plains that were revealed with just a few hours of effort. So how did they do it? The short answer boils down to two variables: the website's unfortunate and irresponsible use of MD5 and the use of non-randomised passwords by the account holders.

Life in the fast lane
Like SHA1, SHA3, and most other algorithms, MD5 was designed to convert plaintext into hashes, also known as 'message digests,' quickly and with a minimal amount of computation. That works in the favour of crackers. Armed with a single graphics processor, they can cycle through more than eight billion password combinations each second when attacking 'fast' hashes. By contrast, algorithms specifically designed to protect passwords require significantly more time and computation. For instance, the SHA512crypt function included by default in Mac OS X and most Unix-based operating systems passes text through 5,000 hashing iterations.
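
The contrast between a fast, unsalted hash and a salted, iterated one can be measured directly. The following is an added example, not code from the article: it uses PBKDF2-HMAC-SHA512 from Python's standard library as a stand-in for SHA512crypt (an assumption, the two are different constructions), with the 5,000 iterations the article cites, and the function names are illustrative.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 5000  # iteration count the article cites for SHA512crypt


def md5_hex(password: str) -> str:
    """Unsalted fast hash: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash (PBKDF2 used here as a stand-in for SHA512crypt)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)


def store(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) as a site would persist them for one account."""
    salt = os.urandom(16)  # per-account random salt
    return salt, slow_hash(password, salt)


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_hash(password, salt), expected)


def seconds_per_hash(fn, rounds: int) -> float:
    """Average wall-clock cost of hashing one candidate with fn."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"candidate{i}")
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive one guess is under the slow scheme."""
    salt = os.urandom(16)
    fast = seconds_per_hash(md5_hex, 20000)
    slow = seconds_per_hash(lambda p: slow_hash(p, salt), 20)
    return slow / fast


if __name__ == "__main__":
    print("md5('password') =", md5_hex("password"))
    print("cost of one guess, slow vs MD5: %.0fx" % cost_ratio())
```

The ratio is measured on a CPU in an interpreter, so it understates how fast MD5 runs on the graphics hardware the article describes; what carries over is that every guess against the iterated scheme costs thousands of hash computations, and the per-account salt means one guess cannot be checked against every account at once.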