The Death Throes of crypt()

dex writes "Tom Perrine and Devin Kowatch of the San Diego Supercomputer Center have issued "Teracrack: Password cracking using TeraFLOP and PetaByte Resources" (PDF, HTML version via Google). Using SDSC's prodigious computing facilities, they precomputed 207 billion crypt() hashes in 80 minutes."

Solaris

[CrankyFool]

I wonder if this will spur Sunto finally make the default password encryption algorithm on Solaris something other than crypt...

Re:Solaris

[hackstraw]

Solaris uses PAM, so its trivial to add any kind of authentication method that you want.

Re:Solaris

[FireDoctor]

crypt() is just an interface to an underlying algorithm. In Solaris 9 12/02, there is an option to use Blowfish or MD5:

Enhanced crypt() Function Password encryption protects passwords from being read by intruders. Three strong password encryption modules are now available in the software:

* A version of Blowfish that is compatible with BSD systems

* A version of MD5 that is compatible with BSD and Linux systems

* A stronger version of MD5 that is compatible with other Solaris 9 12/02 systems

Solaris 9 12/02 Release Notes

and System Administration Guide: Security Services

Re:Solaris

>Solaris uses PAM

Solaris PAM. Doesn't that make the acronym "SPAM"? So they're the ones who sent me all that crap! I knew it!

Re:Solaris

[jonabbey]

I wonder if this functionality would make it feasible to use md5Crypt hashed passwords on a NIS network with Solaris 9 systems. md5Crypt and scalable blowfish (see the OpenBSD blowfish crypt paper) are designed so that you can identify the hash function used by looking for specific prefixes in the hashed text.

Obviously NIS should be dead and buried, but in far too many places it is not, yet. It would be nice if it were possible to use a more worthy hash function in conjunction with NIS.

Re:Solaris

[Darren.Moffat]

Yes it does. As long as the hosts in the nameservice domain are running Solaris 9 12/02 or higher. It works with files, NIS(YP), NIS+ and LDAP.

I had to change rpc.ypasswdd and rpc.nispasswdd to make this work (both made assumptions about the length of the string returned fron crypt(3c)) so the NIS/NIS+ master must also be upgraded to Solaris 9 12/02 or higher.

Note that Solaris 9 12/02 also has a 3rd module that was written by Alec Muffett (of crack fame) and myself: crypt_sunmd5.so. It is believed to be more secure than the crypt_bsdmd5 module that is compatible with BSD & Linux.

It is possible to add new algorithms by creating a shared object that implements just two functions:

crypt_gensalt_impl and crypt_genhash_impl

Re:Solaris

[jonabbey]

Well, we don't use nispasswdd or ypasswdd. We run a Ganymede server which is responsible for mastering all password changes into NIS.

Ganymede has had md5Crypt support forever, so it'd be easy to generate the passwd map with md5crypted hashes, if we could rely on systems being able to make use of the new hash format.

Re:Solaris

[Darren.Moffat]

That should work just fine.

A testament to crypt()

[grub]

Actually with most Unixish systems going to other password formats such as MD5 and Blowfish I'd think that this goes to show that (NSA notwithstanding) crypt() has had a long, healthy existance. Rather than saying 'crypt() is dead' they should be saying 'it took 30ish years but crypt() is at the end of its useful life'.

Not many pieces of code will be able to boast that lifespan.

Re:A testament to crypt()

[Leffe]

Not many pieces of code will be able to boast that lifespan.

10 PRINT "HELLO WORLD"

The most secure piece of code, even on Microsoft(r) Windows(tm) platforms.

I've also got a question; What is the default/general password encryption scheme used in most GNU/Linux distributions? DES? Is DES an algorithm or a collection or interface or something... I don't know anything :(

I did write a program that worked exactly as crypt did though, it included certain unspoken functions from -lcrypt, especially one named crypt.

Re:A testament to crypt()

No idea what Linux uses but OpenBSD has used Blowfish for ages, those dang visionaries.

Re:A testament to crypt()

[Directrix1]

I think this more shows that reliance on a password being hashed is a futile means of obscuring the source. If a password file is compromised, than it can easily be a short matter of time before it is cracked. The moral of the story, don't let your system be compromised, or at least not the security subsystem.

Re:A testament to crypt()

[Qzukk]

Depending on your distribution its either crypt or MD5 hashing. Most modern distributions give you a choice: MD5 hash for long password support and security, crypt for supporting legacy applications that don't use standard calls for checking the password in whatever format.

Re:A testament to crypt()

[mahdi13]

even though it took 30 years...how many haX0rs do you know that have machine capable of running TeraFLOPs per second?

Re:A testament to crypt()

[tuffy]

how many haX0rs do you know that have machine capable of running TeraFLOPs per second?

They don't need to own such a machine, only have access to one long enough.

Re:A testament to crypt()

[tinfoil_hat] I suppose you think Seti@Home is looking for ET? [/tinfoil_hat]

Re:A testament to crypt()

[Carnildo]

DES is the Digital Encryption Standard. IIRC, it's a 56-bit symmetric-key encryption method, and is considered insecure, as a high-end desktop machine can crack anything encrypted with it in under 24 hours.

Re:A testament to crypt()

[Mysticalfruit]

Here's the more important question...

In ten years, how many haX0rs will have access to TerFLOP machines?

Answer: Lots...

Re:A testament to crypt()

[frodo+from+middle+ea]

OK, I am making a calculate d guess here , but I may be wrong.

For any system that takes password inputs from users i.e. the password is entered from outside the system, It really doesn't need to store the password even in encrypted format.

The system merely stores a hash value of the password , when the user enters the password, the sytem generates the hash of the user entered password and compares it with stored hash value. If they match bingo, if not try again. Also the system progressively delays the next log-in prompt upon match failure to tackel, such a mass brute force attack.<P>
If I am not wrong these days, the password is stored in MD5 hash. And since hash value is theorotically irreversible, it can be stored in plain text. But I guess as an added safety measure, the linux boxes these days store passwords in /etc/shadow rather than /etc/passwd. The shadow file can only be read by root, while other world readable info is in passwd file.

Re:A testament to crypt()

[hackstraw]

Maybe I'm nop paranoid enough, but I've never been too concerned about the security of people's passwords after root has been compromised, so I don't care what format the hashes are in /etc/shadow.

Also, the method of "cracking" crypt() passwords can generate collisons, so the password that worked on one system may not work on another (because of different salts used).

Re:A testament to crypt()

[GammaTau]

I've also got a question; What is the default/general password encryption scheme used in most GNU/Linux distributions?

If I recall correctly, Debian defaults to MD5. The traditional way is offered as an alternative if you need it for compatibility.

Re:A testament to crypt()

[mattgreen]

Definitely not grub.

(The bootloader, not the author of the parent comment)

Re:A testament to crypt()

The point is you don't have to compute it anymore, just look up the hash in the database they just made, and find the matching password...

They are pointing out that just because the password is hashed, doesn't mean it is safe if you know the algorithm.

Re:A testament to crypt()

Yes, but he was probably thinking of Triple DES.

Re:A testament to crypt()

[Leffe]

That sounds very right :)

Re:A testament to crypt()

[jaredmauch]

lets see, if ms-sql(slammer) and w32.nachi were built to hide passwords and the crypt() result in their icmp messages, and provide a distributed database of this information, how hard would this be?

also, if you set aside the cpu costs, and need a few terabytes of disk space to store this data, how much does that cost today? according to pricewatch, you're talkinga bout $266 for (about) 300GB of disk. So for just over $1k, you've got 1TB.

Table 7 comes up with 2.263TB of disk space storage, so maybe i'll need a bit more than $2k just for disk. Calcualate your I/O and crypt()/sec, how long would it take for you to generate them all if you generated a distributed application (eg: setiathome-like) and have them be 'uploaded' to you? Obviously you can't do this on your DSL/cable, and you start to see the network performance issues they mentioned, but if you set up a small cluster of your older PCs in a room, use FE to link them up, you'll have that disk and ethernet card spinning (interrupting that is) at a steady clip trying to fill up your disk.

Make a worm/virus that spreads and distributes work units out to other hosts it's able to infect, and you could probally just keep the database in-memory across a wide set of hosts.

Re:A testament to crypt()

[Lour]

They dont need a TeraFLOP machine, they just need the 1:1 hash:password file that it generates. So all you need is one haX0r with TeraFLOP access and it seems that we already have one. Then its just a matter of doing a lookup.
The resulting file will be HUGE but with storage as cheap as it is today....

Re:A testament to crypt()

"What is the default/general password encryption scheme used in most GNU/Linux distributions? "

Who cares? Its not like anybody is running anything critical on it.

That's what Windows 98se is for...

Re:A testament to crypt()

[anno1a]

DES is a 56-bit symmetric encryption algorithm, which is depricated by now. Specially built hardware machines can easilly break it.

It's official successor is AES, which is a 128/192/256 bit algorithm, which is thought to be very secure.

It's direct successor is triple DES, where you encrypt with one key, decrypt with another, and encrypt again with a third. This is probably what will take over if AES fails.

Re:A testament to crypt()

[ThogScully]

Debian Woody asks you which you'd rather have. I actually think it defaults to using crypt, not MD5, but it's really just a matter of which one is pre-selected for you when the window pops up and the box makes it clear that MD5 is for security and crypt is only if you need backward compatibility with something.
-N

Re:A testament to crypt()

[Mysticalfruit]

Actually, after I quickly posted the response, I got thinking about how much disk I actually have.

I have two EMC Clariions each with about 4TB of usable disk.

Aside from that I've also about 1.5TB of good old directly attached fibre disk.

So, I've got the disk space at least.

As for the computers, I've got whole company full of machines (~3k) all connected to a 100MB full duplex networks.

It's not the amazingly interconnected IBM blue machine but it would do.

I suppose I could write a taskbar app and push it out with SMS that would have lots of machines all using their idle CPU time to crunch away on salts and passwords.

So, even though I'm not a haX0r, with some work, I've probably got a teraflop machine in the making...

Re:A testament to crypt()

[MooCows]

Actually, quite a lot of them have it now, in the form of thousands of compromised machines.
Can be used to DDOS, or to compute.

Re:A testament to crypt()

[Carnildo]

What about a partial compromise that gives access to files that are supposedly root-only, but doesn't give full root access? Or a physical security compromise that lets someone collect hashes?

Re:A testament to crypt()

[panaceaa]

20 GOTO 10

Haha! Now it's a denial of service algorithm! Bet you wish you had

11 END

now, eh?

Re:A testament to crypt()

20 GOTO 10

Haha! Now it's a denial of service algorithm! Bet you wish you had

11 END

now, eh?

Witness my l33t sk1llz as I inject a piece of code which will soon be processed as the program counter loops...

11 end

Re:A testament to crypt()

[JAgostoni]

I've always preferred:
while(1) fork();

Re:A testament to crypt()

This statement starts off true and ends up totally false. A high end desktop machine cannot "crack" DES in under 24 hours. It can't even "crack" DES in under 24 years.

1) DES has never been "cracked". It has been brute forced.

2) A single machine would take on the order of 600 to 1200 years to brute force a single 56-bit key. Obviously, this number changes with the method used to brute force and the machine used.

There has never been a machine demonstrated capable of cracking 56-bit DES in under 24 hours. The EFF built a DES Cracker which could search the entire key space in 9 days.

DES is not considered insecure. Many applications would likely benefit from another choice however.

Re:A testament to crypt()

[GoofyBoy]

>This is probably what will take over if AES fails.

AES = Advanced Encryption Standard.

How arrogant were the designers to label it "Advanced"?

When I'm going to create a new encryption scheme I'm calling it "The Extra Special, Super-Duper, I-dare-you-no-I-triple-dare-you-to-break-it" Encryption Standard. (TESSDIDYNITDYTBIES)

Re:A testament to crypt()

[Uerige]

I bet you have learned now what the 'Preview'-button is for?

Re:A testament to crypt()

[Piquan]

Is DES an algorithm or a collection or interface or something...

DES is a cipher. It's been used for years, by governments, banks, etc. It's a symmetric cipher, so the same key is used to decrypt as to encrypt.

crypt() was traditionally an interface to DES, used for passwords. It would encrypt a string of six zeros as the plaintext. The key would be the user's password, concatenated with two random bytes (the "salt"). The salt is stored along with the encrypted output. When the user logs in, the salt is retrieved, the password encrypted, and compared against the stored ciphertext.

Using the password as the key rather than the plaintext makes a hash out of DES. That way, even the sysadmin can't retrieve the password. Using the salt prevents a prebuilt dictionary from being useful: it would have to be too long to handle all the possible salts.

Modern unixes use MD5 or Blowfish instead of DES.

Re:A testament to crypt()

[minektur]

Change that to

while (!fork());

and you'll have a much more interesting program.

With your version, if the program is not run as root, root has a good chance of 'kill -STOP' ing them all and then 'kill -9' ing them. Since the pid list is fairly static it is somewhat easy to get a ps listing and then run kill on the pids.

With my version, not only do you get constantly changing pids but you also get the bennefit of having more forks going on continuosuly, more memory exercised, etc. Much more fun.

Re:A testament to crypt()

[apankrat]

Maybe I'm nop paranoid enough, but I've never been too concerned about the security of people's passwords after root has been compromised..

It's not about the paranoia, but rather about the fact that people tend to use the same password in more than one place.

Re:A testament to crypt()

How arrogant were the designers to label it "Advanced"?

The designers called it "Rijndael", NIST gave it the name "AES".

Re:A testament to crypt()

[crawling_chaos]

Considering the speed of most ATMs and other critical systems, I'm of the opinion that most "critical" systems are running on a PDP-1, which is periodically taken down so that the operators can have a rousing game of Spacewar.

Re:A testament to crypt()

[jrockway]

I selected the MD5 option but I can still type the first 8 characters of my password and then random garbage and I still get in. Good thing somebody could just steal my computer if they wanted my data...

Re:A testament to crypt()

[schon]

hash value is theorotically irreversible

OK, I'm not a mathematician, but I thought that a (proper) hash was provably irreversible, not just theoretically irreversible?

Re:A testament to crypt()

TLESYWEN

"The Last Encryption Standard You Will Ever Need."

FES

"Final Encryption Standard."

Re:A testament to crypt()

[mindriot]

1 PRINT "0WN3D"
2 GOTO 1

Better start out at 1, while you're at it :-)

Re:A testament to crypt()

[frodo+from+middle+ea]

Its been a while since i touched cryptography. But as far as I remember about Hash values , they are theorotically irreversible. But As of yet I haven't seen any example of two messages having same hash.

But it's been a while so I may have faded memory.

Re:A testament to crypt()

I know for sure that SuSE allows you to change the hash/encryption methods from yast. It allows for MD5 + DES + 3DES + Blowfish. It think it even has options fro combinations. I am working from a RedHat machine at work so I can't say for sure.

Re:A testament to crypt()

[sholden]

The only difference is that your parent process exits after forking, whereas in the original it keeps on forking children.

Turning it into a tiny little program that uses up hardly any resources is more interesting than a program that will bring most systems (unless they have process limits) to their knees in seconds?

You have a pretty boring definition of interesting.

Re:A testament to crypt()

I have long maintained that closed-source software is potentially doing something nasty behind your back ..... especially as each copy is "seeded" with a different "serial number" or "activation code" ..... think about it ..... why else would Microsoft and friends be so against you seeing it if it wasn't there to steal your data or do something equally evil? How can you trust anything where you haven't seen the source code?

Re:A testament to crypt()

[Vellmont]

There has never been a machine demonstrated capable of cracking 56-bit DES in under 24 hours. The EFF built a DES Cracker which could search the entire key space in 9 days.


Naw, the EFF machines was later upgraded, and combined with distributed.net was able to crack a DES encoded message in 22 hours

Re:A testament to crypt()

Not just the original parent, but each program forks as many children as possible and then exits, while the rest of the existing processes continue to do the same -- PIDs constantly changing makes doing anything but a reboot pretty difficult.

True, it might be nice to have something like:

while (!fork())
{ /* malloc and write to some ram here*/ /* memory-map some files here and read them*/ /* free up results of above */

}

but the more you do in the block, the more likley that a priveleged administrator (who can still spawn new processes since the user is inside a bunch of resource limits) can kill them.

Any box set up right will have resource limits for the typical user account, and while(1) fork(); is downright easy to recover from compared to while (!fork());

Re:A testament to crypt()

What do you mean by tera(Floating point operations per second) per second? Is this the computational eqivalent of acceleration?

Question 2: Have you ever keyed a PIN number into an ATM machine?

Re:A testament to crypt()

[jonbryce]

Not quite. I think 40 bit can be brute forced in a couple of weeks.

Re:A testament to crypt()

[X-ite]

For any system that takes password inputs from users i.e. the password is entered from outside the system, It really doesn't need to store the password even in encrypted format.

If I recall correctly, the password isn't stored in encoded form at all. A string of zeros is encoded using your supplied password as the key. The result is then stored in the passwd file. (See man crypt)

The system merely stores a hash value of the password , when the user enters the password, the sytem generates the hash of the user entered password and compares it with stored hash value.

You are overlooking the fact that identical passwords would produce identical hash values every time. This would make spotting identical passwords a breeze. Idem for creating dictionaries.

Re:A testament to crypt()

> You are overlooking the fact that identical passwords would produce identical hash values every time.
> This would make spotting identical passwords a breeze. Idem for creating dictionaries.

That's what the salt is for. A pseudo-random appendix that causes the same password to be able to generate several different hash-values.

Re:A testament to crypt()

That "provability" would at least need to ignore brute-force-attacks (generate all possible hashes and see which input(s) generated the correct one).
At least, if by "irreversible" you mean the relevant version, that is, to find ONE input that has this hash-value. Since there are a lot of them, the hash-function is indeed not reversible. (Which of the many possible inputs (with the same hash-value) would you reverse one value to?))

Re:A testament to crypt()

[X-ite]

Exactly my point. This is why just storing the hashes (without a salt) doesn't cut the cake.

Re:A testament to crypt()

[frodo+from+middle+ea]

Yep you are right.

Its definitely been a while , since i last touched cryptography

Re:A testament to crypt()

10 PRINT "HELLO WORLD"

The most secure piece of code, even on Microsoft(r) Windows(tm) platforms.

Are you kidding, that dangerous piece of haxor code causes a buffer overflow in shell.helloworld

Mind you [indowsW] buffer overflows itself!

Re:A testament to crypt()

[welsh+git]

If you mean irreversible as in "are not reversible to something that then can be hashed back into the original hash", then that obviously depends on the strength of the hash algorithm being used.

If you mean "reversible into the original text" then its clearly impossible if the original text has more bits than the hash has.

If you hash all combinations of a 129bit number into a 128bit hash, you are BOUND to get repetitions.. NO, I haven't seen any either, but they still exist :-)

Re:A testament to crypt()

[Graphyx]

What about the steps: 13. ??? And 18. Profit!!!

Re:A testament to crypt()

[PureFiction]

Who modded this up? 3-DES is significantly weaker than AES-256 or even 128 (arguably).

3DES is a kludge using the original DES in triplicate because alone it was too easy to brute force the keyspace.

Re:A testament to crypt()

Ah. IC. I thought your parent-posters point was only that not the password itself is stored, but it's hash, and that you were objecting to this.

Re:A testament to crypt()

[woods]

Actually, you'd think that collisions would happen more frequently, but the paper says that in the entire key space, there was only one "real" collision where two words hashed to the same value.

The words were "$C4U1N3R" and "SEEKETH" (I understand the second one, but the first one must be leet-speak :/ ). Both words hash to "ChERhgHoo1o".

Neat.

Re:A testament to crypt()

I've always said physical access = root. If you can't secure your machine, what's the point? Also, i've seen a lot of machines where 'root' is left logged in on the console in what they think is a secure facility. The key is to have good security practices to shield yourselves from all possible attacks knowing that you will have compromise at some point.

Re:A testament to crypt()

[alehmann]

DES is vulnerable to both linear and differential cryptanalysis. I believe the differential attack is singificantly easier than brute force if you can handle the volume of information it requires.

Re:A testament to crypt()

[swillden]

You have a pretty boring definition of interesting.

Combining them might be interesting...

while(!fork());
while(1) fork();

Of course, the original does a pretty good job at hammering most systems into the ground, unless they have process limits.

Re:A testament to crypt()

[oh]

OK, I am making a calculate d guess here , but I may be wrong.

Your not wrong, just not all right

If I am not wrong these days, the password is stored in MD5 hash. And since hash value is theoretically irreversible, it can be stored in plain text

It should be irreversible, but by definition it must be "forwardable". I can take every possible password, hash it, and compare the result. If they match, I have figured out the password without reversing the hash function.

This was always possible by exploiting week passwords, but it is feasible to guess all alpha-numeric passwords (a-z,A-Z,0-9 total of 62 characters). An eight character password has 62^8 combinations, (218,340,105,584,896 approx 2.1 x 10^14). Now this is a large number, but do-able on PC hardware. Now there are no more then 256^8 possible values for an eight character password (18,446,744,073,709,551,616 approx 1.8 x 10^20). I don't know if this is do-able on a desktop (yet) but no matter how theoretically impossible it is to reverse a hash, it doesn't stop someone from throwing a dictionary (or a random number generator) at it.

Of course, almost all passwords out there don't contain non-printable characters, so if you a really trying to guess a password you would try more likely passwords first.

Re:A testament to crypt()

[Kent+Recal]

Ah you guys are so boring.

Don't paste:
bash$ :(){ :|:&};:

Re:A testament to crypt()

Actually, ATMs run on OS/2 or the newer ones on NT. Scary, huh?

Re:A testament to crypt()

[SuperFrink]

IIRC 3DES is not exactly encrypting with DES 3 times. Instead it is Encrypt with key 1, Decrypt with key 2 then Encrypt with key 1 again.

This is opposed to Encrypting with key1, then key2, then key3. Or I suppose with key1 three times.

As an aside Cliff Stoll mentioned creating a dictionary of crypt()s in The Cuckoo's Egg back in 1989.

Re:A testament to crypt()

3-DES is not known to be weaker than AES (of any keysize), and is certainly not known to be "significantly weaker". Such a thing has not been proven, either way. 3-DES has proven itself in the field for many many years, and AES hasn't yet. Meanwhile, no one can yet hope to attack the keyspace of 3-DES, although birthday attacks may be possible (if not practical).

At some future date, when AES has been around for quite a while, and it's larger keyspace and block size comes to matter in brute force attacks, and no theoretical weaknesses are found, it may earn the label "more secure than 3-DES". But a truly conservative person wouldn't yet assume that.

Re:A testament to crypt()

10 PRINT "HELLO WORLD"

The most secure piece of code, even on Microsoft(r) Windows(tm) platforms.


Actually, after the infamous tab/backspace bug in NT, I would not be surprised running this in the right conditions will cause BSOD.

Re:A testament to crypt()

This is opposed to Encrypting with key1, then key2, then key3. Or I suppose with key1 three times.


Uhm, that's because if encrypting n times in a row is retarded. If you DES encrypt > 1 time, there is always some key that can decrypt the ciphertext directly.

Re:A testament to crypt()

[guru_Stew]

Further info on DES.

DES was built based on the lucipher cypher along time ago, it was based on a 64 - 8 bit keyspace and uses both permutation and substitution. it encrypts a padded out 64 bits of plain text with the key. it can be used in cypher block chaining mode to encrypt streams of data.
The DES algorithm runs the exact same permutations to decrypt and to encrypt in the same order.
Tripple DES is preffered over double DES as double des can leave to much information about the plain text (digraphs and trigraphs i think, cant remember).

There, I did remember something from my Internet Security subject

Re:A testament to crypt()

[radja]

the designers also proposed the name "koeieuier" (cow's udder), which is a very nice dutch word. mainly because to non-dutch speakers it looks like its already encrypted.

Re:A testament to crypt()

DES is considered insecure, especially when brute-forcing it becomes easier all the time.

The 56-bit key length was considered too small even at the time DES was introduced!

There is simply no reason to use key lengths that small now that far better algorithms have been around for a while.

However, passwords are an entirely different matter from generic encryption; they typically have far less than 56 bits of entropy, so brute forcing a password using all combinations of printable characters up to a certain length is the easiest method.

What you should be using for passwords is a hash and decent-sized salt, not a block cipher. To make brute-forcing even more difficult, use several rounds to make the algorithm slower. And even then, don't make the hashes public. You should always have multiple layers of security; even if one layer gets compromised, that shouldn't mean everything is lost.

Re:A testament to crypt()

[anno1a]

As I said, if AES were to be broken, ie. some method be found such that it could be decrypted significantly faster than brute force without knowing the key, then 3DES would take over. And yes, a single DES key would be too easy to find, but by doing it this way the keyspace doesn't remain 54bit, but is enlarged to 112bit AFAIR. This is enough!

While AES is the new hot algorithm, DES is "proven through practice" understood the way that it has been used for at least 30 years, and not been broken (only brute forced). This is why much people favor 3DES over AES, or other of the new algorithms.

Re:A testament to crypt()

[LuYu]

However, according to the article you posted:

1. it was not a single computer,

   ...a worldwide coalition of computer enthusiasts, worked with the Electronic Frontier Foundation's (EFF) "DES Cracker," a specially designed supercomputer, and a worldwide network of nearly 100,000 PCs on the Internet...

2. it was not a "high-end desktop" (in response to Carnildo's post),

   ...the Electronic Frontier Foundation's (EFF) "DES Cracker," a specially designed supercomputer...

3. the time where desktop computers pose a threat to DES is not yet upon us (also in response to Carnildo's post).

   "As today's demonstration shows, we are quickly reaching the time when anyone with a standard desktop PC can potentially pose a real threat to systems relying on such vulnerable security," said Jim Bidzos, president of RSA Data Security, Inc.

Therefore, while it is not military grade encryption, it is still good enough for some purposes. It will not protect you from a government or a corporation (if it so happens that they are interested enough in you commit the necessary resources), but it will probably protect you from your next door neighbor.

Re:A testament to crypt()

DES is too considered insecure, as is any 64-bit-or-smaller system in the days of TeraFLOPS computers.

Re:A testament to crypt()

How many script kiddies can write massively parallel programs for compromised Windows systems?

Re:A testament to crypt()

[Wolfrider]

--For that you may need to look to /etc/login.defs:

# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# If using MD5 in your PAM configuration, set this higher.
#
PASS_MAX_LEN 8

--Now I know *that* much, but which package do I have to dpkg-reconfigure to change my password hash method? Anybody know?

Re:A testament to crypt()

[wkcole]

"As today's demonstration shows, we are quickly reaching the time when anyone with a standard desktop PC can potentially pose a real threat to systems relying on such vulnerable security," said Jim Bidzos, president of RSA Data Security, Inc.

It is wise to note that Mr. Bidzos had very strong personal financial incentives in making everyone believe that the above statement was true when he said it, well before the expiration of the RSA patent. He likely believed it sincerely, but he was by no measure an unbiased source. The more free encryption seemed to be weak, the more his company could milk from their patents. It is no accident that the record for brute-forcing a DES key is still the one set 4 years ago before the RSA patent expiration or that there has been a slowing of the pace of new decryption feats since then.

A fact that is often ignored (in what seems like an endemic cryptography fetish) is that the 'weak' encryptions like DES are in fact strong enough for many uses simply because the information they protect is far less valuable than the resources needed to break the encryption. It is also commonly the case for situations where crypt() is the only protection that positive social engineering presents a far higher hurdle than the technical ones: if the people who can ypcat passwd know that running crack against what they get will run a strong risk of rendering them them jobless, unemployable, and fighting a lawsuit which will destitute them and their heirs, they tend to not do it.

Re:A testament to crypt()

[PureFiction]

3-DES is not known to be weaker than AES (of any keysize)

I should have clarified keysize and cryptanalytic attacks. In terms of keysize, AES-256 offers a significant advantage over 3-DES, but your other points are well taken.

There are no known weaknesses in either 3-DES (which has had TONS of scrutiny) or AES (which has had less) from a cryptanalytic viewpoint.

Also, some would argue that the infamous NSA involment in the DES S-BOX design is unsettling and another point above for AES. (I'd still like to know the details of the work they did on this...)

Re:A testament to crypt()

3DES has been 'broken' just not badly. The key is 64 * 3. The effective keysize is 112 bits. Where'd those extra bits go? Guess.

Re:A testament to crypt()

A good point, but remember, the "infamous" NSA suggestion regarding changing the S-Boxes made DES resistent to differential cryptanalysis. That differential wasn't know in the non-classified world at the time didn't make the NSA's contribution less useful.

A more worrying (and tinfoil hat inducing) perspective is that the NSA would probably only help strengthen DES (and risk revealing the only-known-to-them differential cryptography) if they could _still_ crack it in its new form.

Re:A testament to crypt()

Most Linux distributions have used MD5 for quite a while. Arguably OBSD's blowfish is superior, but MD5 has seen substantially more cryptanalysis, and is thus more 'proven'.

It depends on how conservative you want to be. MD5 is FAR more than sufficient (with good passwords, obviously) so using a more experimental algorithm could be considered dangerous.

But...

[jchawk]

Unless they release these hashes out into the wild, the average cracker/hacker does not have access to this type of resource...

Definately cool though for proof of concept!

Re:But...

[kfishy]

They did say however that with $10K of resources, an average cracker should be able to do the same in about a month. Sounds quite serious!

Re:But...

[UnderScan]

Read the PDF. The first page tell us that:
Using the Blue Horizon supercomputer at the San Diego Supercomputer Center, we found that pre-computing the 207 Billion hashes for over 50 million passwords can be done in about 80 minutes. Further, this result shows that for about $10K anyone should be able to do the same in a few months time, using one uni-processor machine.

Re:But...

[LilJC]

It's more than proof of concept. They did this in 80 minutes. Sure, you and I can't do it in 80 minutes, but even if it took us weeks we'd have a shot at cracking something that hadn't yet changed. Maybe not the first time, but eventually someone would get a start on it shortly after it been changed and considered "safe" long enough to be cracked.

Besides, never underestimate the power of distributed computing by MS worms.

Re:But...

[*weasel]

for about 10k anyone should be able to do the same in a few months time, using one uniprocessor machine

so how fast could they do it with 10 1k uniprocessor machines? or 20 $500 machines?

partciularly with an easily segmented problem like this, the most likely 'wild' resource would be @home-ish.

Re:But...

[Leffe]

We real security experts working for the SCO change our passwords at least once every week. The rabid Linux fanboys/SCO haters are actually a little scary, I have to admit.

-- Darl McBride, SCO SPOKESMANN
-- darltehking:edirBcMlarD

WARNING: Do not hack us or our lawyers will have a talk with You.

Re:But...

[Frymaster]

so how fast could they do it with ... 20 $500 machines?

well, after the week it would take you to get the 20 $500 machines, install all the os's and clustering software and then write yr custom mpi app to do the cracking... you'd have lost the race already.

Re:But...

[OrangeTide]

I think they should make a CGI portal to this database so that the entire community can benefit from it. Information should be free, right?

Re:But...

You don't need clustering, just a start and stop point for each program running. Alphabetically would work fine. Then cat the files together.

for (i=0;i<=azzzzzzzzz, i++){
print ("%s : %s", i, crypt(i))
}

Need more power

[pvt_medic]

80 Minutes? Obviously we just are not using enough power.

Re:Need more power

[grub]

Obviously we just are not using enough power.

Yup, if they ran this on the 220-230V systems in Europe this would have taken only 40 minutes. :)

Re:Need more power

> Obviously we just are not using enough power.

> Yup, if they ran this on the 220-230V systems in Europe this would have taken only 40 minutes. :)

Right, and two planes flying from New York to London get there in half the time!
Imagine a Beowulf clus... ;-)

Re:Need more power

[TobiasSodergren]

I thought it was because of the time zones.. You can start a little earlier in Europe ;)

Re:Need more power

He was being sarcastic about the misuse of the word "power" you numbnuts.

Re:Need more power

Dear sir,

I find your attempted bon mot about "two planes flying into New York" to be quite offensive. Please desist in you hateful attempts at humor.

Yrs,
Brigader A. Troll, (ms)

Re:Need more power

210, 220, whatever it takes

Re:Need more power

Actually if you're going to make cute jokes it would be 20 minutes.

Re:Need more power

Yup, if they ran this on the 220-230V systems in Europe this would have taken only 40 minutes. :)

You rotten AMD pimp, we at Intel say this depends on howmany Hz the clock is.. 50 or 60Hz

Need better crypto

[ObviousGuy]

There are lots of alternatives to crypt, but none that are as simple and straightforward to use as it. What is needed is an unbreakable crypto scheme that is simple to use.

Re:Need better crypto

[Directrix1]

Your name is ObviousGuy for a reason then, huh?

Re:Need better crypto

[dbavirt]

There are drop-in replacements for crypt such as MD5. How are these any less easy to use than crypt? Sure, MD5 strings are a little longer, but still (I'm pretty sure) less than 80 characters.

Re:Need better crypto

[Mikey+Hawk]

I think the answer to that question is obvious, guy.

Re:Need better crypto

[prockcore]

Sure, MD5 strings are a little longer, but still (I'm pretty sure) less than 80 characters.

md5 strings are 32 characters. And most linux distros use md5 for their shadow files already.

Re:Need better crypto

It's a pity that the human mind can't be emulated using a computer, otherwise one could store the passwords in the mind of a woman, which is both impossible to understand and decrypt. ;)

Re:Need better crypto

otherwise one could store the passwords in the mind of a woman, which is both impossible to understand and decrypt.

Will the system let you in is all you need to know ...

Re:Need better crypto

[mikecron]

It's better to refer to md5 hashes as 128-bit numbers. The 32 character "string" you are refering to is the hex representation.

Re:Need better crypto

[orb_fan]

You're missing the point entirely - it doesn't matter which scheme is used to encyrpt the passwords - they can just as easily create MD5 strings instead of crypt() hashs. It just (possibly) takes a little longer and more storage.

Better crypto isn't the answer, better passwords are. I would bet that most users have less than 8 characters in their passwords, and most of those would fall the a dictionary attack pretty quickly.

Re:Need better crypto

[Directrix1]

I think your statement is redundant, guy.

Re:Need better crypto

[Directrix1]

Wow, even when people mod me as a troll I still get at least 2 for my score. But honestly, that wasn't a troll. I was merely bringing to everyone's attention that the guy's name is ObviousGuy and is probably just trolling for somebody to go on a much more extensive rant than I have above.

Re:Need better crypto

[Old+Wolf]

Just set the dials to "O P E" and then slaughter your entire platoon

Re:Need better crypto

[buffer-overflowed]

Well it will, but only if you buy it dinner and take it to a movie first.

Change of Methods Needed?

[Erioll]

In the wake of stories like this, and yesterday's story about RSA-576 being cracked (here), is this a message that we need more secure forms of encryption than we already have? RSA is great so far, but how long until 1024 is broken? Or any other schemes, like the MD5 hashing that's used for digital signatures?

Topics that people with lots of credentials behind their names are going to have to solve. Keeping ahead of the crackers is a big concern not only for security of transactions, but for personal privacy as well.

Erioll

Re:Change of Methods Needed?

[haxorest]

Keeping ahead of the crackers is a big concern not only for security of transactions, but for personal privacy as well.

Who are you calling a cracker? You insensitive clod!

Re:Change of Methods Needed?

RSA is great so far, but how long until 1024 is broken?

About 2^224 times as long. Suffice it to say that it's still reasonably safe, exempting an attack on the algorithm itself, or an extreme advance in computing.

Re:Change of Methods Needed?

[the+morgawr]

I thought I read that MD5 had some problems as well (that's why OpenBSD uses Blowfish). I think it had something to do with the hashes not being evenly and randomly distributed over the possible space. Anyone who knows more about this care to comment?

Re:Change of Methods Needed?

[gorilla]

Remember that every bit approximatly doubles the type to break it. RSA-1024 is about 10^134 times harder to break than RSA-576.

Re:Change of Methods Needed?

[Anml4ixoye]

In a word, no.

As was also discussed yesterday, *nothing* is uncrackable, with the exception of correctly used one-time pads.

The key is to put the appropriate level of security with the data you want protected. For example, if you have data you have to keep secret for 2 months, and they can crack it in 6, you can use that. But if you need to keep data, worth millions of dollars, secret for an extended period, then you should review your security.

However, I think that if you didn't start off with the above concept in mind when you started encrypting your data, then you weren't doing your job. Have 576 cracked shouldn't worry you unless you have older encrypted data using that.

You are right that it is a game. To keep information secure, you have to protect it. Because you protected it, people will want to try to unprotect it. Eventually they will, and if one doesn't keep up, you will lose it.

So, we don't need more secure forms of encryption, we just need to review the current ones and use the appropriate encryption scheme for the data trying to be protected.

Re:Change of Methods Needed?

The real threat to cryptography as we know it is quantum computing. Barring attacks on the algorithms themselves, most algorithms in use today can easily be scaled to be unbreakable for the rest of the lifetime of this universe. By "normal" computers, that is. Quantum cryptography provides "perfectly" secure transmission of data, so quantum computing's detrimental effect on current cryptographic communication schemes isn't really problematic. The real problem lies in secure storage and digital signing. AFAIK there is no quantum cryptographic scheme for securely storing data, but current schemes are easily broken by quantum computing (once it becomes feasible to use a few thousand qbits).

Re:Change of Methods Needed?

[k98sven]

The increase is sqrt(2), since one of the factors must be within 1 and sqrt(2^keylength).

So 10^67 then.. but it's still a friggin' big number.

Re:Change of Methods Needed?

[mellon]

This does weaken MD5 slightly, but it's still stronger than crypt(). To put it in perspective, MD5 is still widely specified in new protocols - it's not being phased out.

Re:Change of Methods Needed?

[damballah]

Elliptic curve cryptography will probably be the new standard in PK encryption. The NSA has already invested time and money to it (there was a story here about the NSA buying a license to the technology from a private company). Moreover, it uses less bits than RSA does. It looks very promising.

Re:Change of Methods Needed?

[AnotherBlackHat]

is this a message that we need more secure forms of encryption than we already have?

No, it's a message that if you're still using stuff that was developed in the 1970s, you should consider upgrading to the stuff from two years ago.

-- this is not a .sig

Re:Change of Methods Needed?

You're confusing RSA numbers with RSA encryption algorithms. Stop that. ;)

Re:Change of Methods Needed?

[MrLint]

does anyone have a timeline of cracked hashes vs computing power? it might be interesting to see if the raw power that is doing the job or better math.

Re:Change of Methods Needed?

[An+Onerous+Coward]

Actually, it's worse than that. You don't have to test every number between 1 and sqrt, just the primes.

I recall reading somewhere that it takes about ten bits to double the security of a public key, rather than one. I don't know if that's actually true.

Re:Change of Methods Needed?

[Delirium+Tremens]

That's why MD5 is more of a checksum algorithm than a digital signature one.
If you want a more secure hashing algorithm, use SHA-1 or any other algorithm designed for cryptographique usage, not simply checksum!

Re:Change of Methods Needed?

[dgatwood]

Actually, I would argue that even one-time pads are also easily crackable. It's just that they are cracked through social engineering rather than mathematics or software engineering. Never underestimate the bandwidth of the five finger discount as it pertains to data security.

If you really need to keep data secret for an extended period of time, you need to review your business model, not your security. If someone cracking a document's encryption after five years could devastate you, then you either aren't taking sufficient advantage of copyrights/patents or the information you're trying to protect probably isn't as revolutionary as you think it is.... unless, of course, your business model involves the sale or trading of information itself, in which case you're probably screwed anyway.

Re:Change of Methods Needed?

[Glonoinha]

How long before Bill Gates proclaims "1024 bit security ought to be enough for anybody."

Re:Change of Methods Needed?

[hackstraw]

How about a change of paradigms? Passwords suck. Always have, always will. All they say is that some bozo knows some pseudorandom string of characters. How many of you have typed your password accidentally in plaintext because of a typo like typing 'us' instead of 'su' and then throwing your password in there. Hell, I used to look in people's .bash_history file for passwords before they thought it was a good idea to not let that file be world readable.

Lets talk about real tokens like those RSA keychains, smartcards, biometrics. Passwords will NEVER be secure. As an exercise to the reader, go randomly call up any business and see how many passwords you can get from people over the phone just by asking them.

Re:Change of Methods Needed?

[bigbadbob0]

Doesn't breaking RSA-576 mean that they have successfully found the prime factorization of -one- 576 bit number. It proves not that a 576 bit key is insecure, but simply that it is possible to factor it in less than a lifetime. Add to that the fact that it probably cost a whole lot more than the $10,000 prize money they'll get for factoring it and suddenly it just doesn't seem like a real threat anymore. Is your Yahoo! mail worth >$10k? To show that these SDSC guys have computed 2 billion hashes and stored it in a table isn't anything particularly special. As people are finally pointing out on this post, it's a hash. There is no one-to-one relationship between a password and its hash.

Re:Change of Methods Needed?

[k98sven]

>You don't have to test every number between 1 and sqrt, just the primes.

Oh yeah.. know any formula which will tell me if a number is prime or not? (joke..)

Seriously though, the most popular method is the Elliptic Curve method.. which is significantly better than simply testing all possible primes.

The thing is, it's not sufficiently better to make decryption practical for large keys.

Re:Change of Methods Needed?

[prizog]

Oh yeah.. know any formula which will tell me if a number is prime or not?

Yes: probablistically (Rabin-Miller), and definitely (AKS). Search for "Primality Testing"

Re:Change of Methods Needed?

[zCyl]

Actually, I would argue that even one-time pads are also easily crackable. It's just that they are cracked through social engineering rather than mathematics or software engineering. Never underestimate the bandwidth of the five finger discount as it pertains to data security.

Or in summary, the extreme weakness of the one-time pad is that you can't effectively store it in your head.

Re:Change of Methods Needed?

[adrianbaugh]

It's easy to tell whether a number is prime or not (worst case: try dividing it by every number up to sqrt(n) or by every prime up to sqrt(n) if you're keeping records, and I'm sure there are better ways), but that's laborious. What (as I understand it) is hard is to find a quick way of determining the next prime number greater than n without bothering to test all the numbers in between.

Re:Change of Methods Needed?

[Eigenray]

What (as I understand it) is hard is to find a quick way of determining the next prime number greater than n without bothering to test all the numbers in between.

Each one takes O(log(n)^12)* to check, but you'd only need to check log(n) numbers on average anyway, which isn't a big deal.
*With AKS. Assuming the Extended Riemann Hypothesis, you can primality test deterministicly in O(log(n)^4).

Re:Change of Methods Needed?

[Daniel]

I thought there was a patent on elliptic curve cryptography. Did I misremember?

Daniel

Mirror.

[themassiah]

Mirrored here:

http://home.twcny.rr.com/scooper2/teracrack.pdf

Re:Mirror.

Yup, I'm sure the folks who just computed 10 Billion possible passwords in 80 minutes really need your roadrunner mirror.

interesting system integration issues

[jrexilius]

This should cause some interesting systems integration issues as crypt has become the defacto standard for cross system authentication and password management. (hash it at your web server, compare it with app server, store it in DB, where it is used by samba to auth winblow users, blah blah, I know these arent exact implementation examples but you get the idea). Just a lot of code or libraries to change to make a system secure.

Re:interesting system integration issues

[Trejkaz]

Actually to compare a value to a crypt()ed value you can't just pass the hash because you don't know in advance what salt was used to create the hash. In all these cases the plain password is probably sent instead... this is certainly the case with Samba unless you enable the Windows-style hashed passwords.

Re:interesting system integration issues

[Permission+Denied]

Actually to compare a value to a crypt()ed value you can't just pass the hash because you don't know in advance what salt was used to create the hash. In all these cases the plain password is probably sent instead...

In standard crypt() format, the salt is the first two characters of the hash.

The canonical way hash a password using crypt():

% perl
$pass = "hello";
$hash = crypt($pass, 'xo');
print "hash: $hash\n";
hash: xoqGBOjl8JQ8I

The characters "xo" are chosen at random when the password is first hashed. Note how they are the first two characters of the hash. The canonical way to check if a given password matches a hash is:

% perl
$hash = "xoqGBOjl8JQ8I";
$pass = "hello";
print "they match\n" if $hash eq crypt($pass, $hash);
they match

Note how I use the entire hash as the salt. Only the first two characters of the salt are actually used by crypt(). Actually, only twelve bits from the first two characters are used for the salt:

% perl
print crypt("hello", ";!") . "\n";
print crypt("hello", "#*") . "\n";
;!dR0/E99ehpU
#*dR0/E99ehpU

Two different salts resulted in the same hashes: this shows that crypt() does not use the entire 16 bits of the two characters (indeed, not even the entire 14 bits of the characters as US-ASCII). Only twelve bits are in fact used.

Also, the entire password is not used: in fact, only the first eight characters of the password are used:

print crypt("12345678", "xo") . "\n";
print crypt("123456789", "xo") . "\n";
xoUgvoME1De5c
xoUgvoME1De5c

Since slashcode strips un-american characters, I cannot demonstrate the the top bit of each character in the passphrase is discarded.

Now, we can do some math: if 12 bits of salt is used, we have 4096 possible salts (2 ^ 12). If 7 bits of 8 characters are used, we have 7 * 8 = 56 bits of possible password. Thus, we have 2 ^ 56 * 4096 = 295147905179352825856 possible passwords (295 quintillion).

Now, these numbers don't match up with what's reported in the article description (207 billion hashes). It's possible that some combinations of passwords and salts produce identical hashes, but I would never expect nearly this many...time to read the article.

OK, I skimmed the article. They did not cover the entire keyspace of passwords. They only created a list of candidate passwords from a system dictionary using Crack's password generation routines. There are 1425835290 (1.4 billion) times more possible passwords than they tested. If they tried hashing all possible passwords, it would have taken them 217022 years at the rate they're going (80 minutes per 207 billion passwords). The storage of these hashes is out of the question (I don't know my metrics that high :).

Actually, on second thought, I can imagine a compression scheme that could drastically cut down on the storage involved: but this is irrelevant, the CPU time is still overwhelming.

Lesson learned: worry more about the quality of your passwords than the quality of your password hashing algorithm.

[Perhaps I missed something? Anyone care to check my arithmetic?]

Re:interesting system integration issues

[jrexilius]

Damn fine post. A thread had discussed this a long time ago.. or was that somewhere else.. ?.. damn addled brain.

At any rate, it is not feasible to store all possible combo's but moderately feasible to store 207 billion most likely passwords. Which leaves you with a large number of passwords that are not likely to be easily remembered by users. Which is why this is an issue. However, I would note that 207 billion hashes at 10 bytes a pop gives you 2,070 billion bytes of storage. Most script kiddies are not going to have access to ~2 terabytes of storage just for cracking of hashes. They wont be able to make it part of a rootkit as very few hosts could store the root kit. So the likely scenario would be a small subset of those hashes being employed (or a really good cracker would distribute the 207 billion over many nodes with a trojan acting as a compare server but that poses its own difficulties).

So the parent poster is correct in that what you REALLY have to worry about is using passwords that are not in dictionarys.

crypt() not necessarily the crypt algorithm

[peyote]

Remember that many glibc2 "overloads" crypt() to be able to deal with MD5 hashes. I wonder how many MD5 hashes they can generate...

Re:crypt() not necessarily the crypt algorithm

[Cynicx]

340282366920938463463374607431768211456 is a rough guestimate [16^32] :-)

Re:crypt() not necessarily the crypt algorithm

[Dan-DAFC]

I for one welcome our new glibc2 overloads.

Re:crypt() not necessarily the crypt algorithm

I for one welcome our new glibc2 overloads.

HAhahaha, holy crap that's hilarious.

Re:crypt() not necessarily the crypt algorithm

[Eraser_]

bash-2.05b$ md5 -t
MD5 time trial. Digesting 100000 10000-byte blocks ... done
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 18.865835 seconds
Speed = 53005869.601767 bytes/second

So for that sake of this argument, you have a 10,000 character password, and I have a 500 mhz P3 running FreeBSD 5. :) This computer is also running X, mozilla, a few rxvt+ssh terms, and gaim.

If my math checks out below, in 80 minutes you can do 25 million 10,000 character passwords. I assume you have 8bit bytes, and one byte is one char. If you use the raw speed measurment, then you get 31,803,521,400 8 character passwords. I know that the "raw speed" isn't accurate as there is setup and teardown time involved in any measurement.

My G4-400 running OS 10.3 went at 23 seconds for the same time trial.

bc 1.06

80*60/19
252
252*100000
25200000

80*60
4800
4800*53005869
254428171200
254428 171200/8
31803521400

Re:crypt() not necessarily the crypt algorithm

[thunderbird46]

My g3/700 iBook comes up with a speed of 66666666 bytes/sec. Should I call an exorcist? :)

Re:crypt() not necessarily the crypt algorithm

[jonabbey]

Except that the md5Crypt() function isn't just a single MD5 operation. It actually carries out a sequence of 1000 md5 operations in sequence to try and slow down the overall operation.

Of course, 10 years of Moore's law eats 3 factors of magnitude fairly nicely.

Re:crypt() not necessarily the crypt algorithm

[Eraser_]

Odds are I dont use 10,000 character passwords, either. :)

Re:crypt() not necessarily the crypt algorithm

[scrod]

I wonder how many MD5 hashes they can generate

Not to take away Eraser's fire, but if you were to generate enough hashes to fill the "key" space (2^128) of the MD5 algorithm and store them on disk in the manner described by this paper, you would need 4,503,599,627,370,496 (2^52) yottabytes. A yottabyte is 1,099,511,627,776 (2^40) terabytes.

The reality is

[phorm]

That over time, any encryption alghorythm may be broken by superior computer. 50 years from now, normal computers will put anything we have to shame, and supercomputers will make current ones look like calculators.

Crypt is already supplantable by many improved techniques, but even if it is used, are they going to make these keys available to the world?

If not, now that it's known a really faster computer can solve then, perhaps the next step in spammy-crackers' arsenal will be to take their virussed drones away from attacking anti-spam sites and focus them at generating crypt or other password solutions? How many drones working P2P-style (you create these hashes, I'll create these ones) would it take to equal this supercomputer?

Re:The reality is

[MikeCapone]

How many drones working P2P-style (you create these hashes, I'll create these ones) would it take to equal this supercomputer?

I believe that what you are refering to is called "distributed computing".

A good example of crypto-key cracking by distributed computing can be found here.

Re:The reality is

Quantum computing. BZZT unless you run a quantum computer you are wasting youre time encrypting in future.

Re:The reality is

[Awptimus+Prime]

probably a bunch.

Re:The reality is

Weeeeelllllllll,

One time pads (generated with truly random values, that's another issue) will never be broken, by any computer, no matter how superior.

Re:The reality is

Naah.. In the good old days supercomputers used to be million times faster than home computers. Today, the ratio is only about 1000-to-1. I'll predict that 50 years from now on, they are actually going to be slower than your brand new googolplentium.

Re:The reality is

[NegativeK]

That over time, any encryption alghorythm may be broken by superior computer. 50 years from now, normal computers will put anything we have to shame, and supercomputers will make current ones look like calculators.

Heh. It's much more extreme right now. Current calculators make computers from twenty years ago look like.. Well, calculators. My TI-89 runs on a Motorola MC68k processor (10 MHz, I believe.)

Proof that this was MEANT to happen! :-P

[Wyzard]

Clearly, crypt() was meant to die: just look at its name!

As Schneier says on the first page of Chapter 1 of "Applied Cryptography",

(If you want to follow the ISO 7498-2 standard, use the terms "encipher" and "decipher". It seems that some cultures find the terms "encrypt" and "decrypt" offensive, as they refer to dead bodies.)

ftp site seems slow

[morcheeba]

They've got the tables on their ftp server, but it seems slashdotted because it's going really slow... my computer says "downloaded 4194304 bytes of 1209462790550 bytes (0.00034%)"

Anyone have a bit torrent for this thing?

Re:ftp site seems slow

[lakeland]

*LOL*

Incidentially, your calculation is slightly wrong. .0000346 rounds to 0.00035, not 0.00036.

Cheers

Re:ftp site seems slow

maybe he does use a pentium cpu?

Re:ftp site seems slow

[imsabbel]

do you really think his internet explorer knows how to round correctly...? :)

Re:ftp site seems slow

[Just+Some+Guy]

All joking aside, it may not be so slow via DNS. Imagine that you could:

localmachine# host -t any sacrewq!cre$#@sdsc.edu
sacrewq!cre$#@sdsc.edu descriptive text "godloveR00t"

Suddenly this seems a little less funny, doesn't it, when Joe Kiddie has read access to your /etc/passwd and an easy query to the full database?

Re:ftp site seems slow

[mindriot]

I'd give you a .torrent, but after downloading 4294967295 bytes, it simply went back to 0...

Re:ftp site seems slow

[Trejkaz]

Most download managers round down, rather than to nearest. The reason is when you get near the end you don't want to see 100% before you are finished.

Re:ftp site seems slow

[morcheeba]

that's fine... just break it up into 282 smaller files. In the mean time, I'll just go out and get a set of seven huge drives to store them on. Thanks!

Re:ftp site seems slow

[Rich0]

Assuming the file is ordered you could just FTP various ranges of it until you find the desired hash. Start in the middle and start dividing in half like a B-tree...

Re:ftp site seems slow

[Just+Some+Guy]

Sure, but 207 billion (assuming US notation) is approximately 2^38. I don't know that I'd want to make 38 calculated FTP transfers for each query.

OTOH, a virtual FTP server could represent each byte, say, of the hash as a folder. To get the results of "crq7839!", do a directory listing of "ftp://ftp.sdsu.edu/hashes/c/r/q/7/8/3/9/!/"; each filename could represent a string that hashes to that particular value.

Basically, you're going to have to run a hack on any pre-existing protocol for it to be reasonably useful for these things. There are two reasons I recommended DNS:

1) UDP vs. TCP. You get to avoid the interactive connection buildup and teardown which adds substantial overhead.

2) Results of queries are cached downstream of the actual "hash server". It's not unreasonable to imagine that two systems being cracked would have the same salt, and that a user on each system picked the same password. Of course, the odds of collision are pretty small, so you'd have to have a lot of people doing some serious cracking to make it pay off.

MD5.

[DAldredge]

MD5 is what most modern Linux distros use.

Re:MD5.

[Carnildo]

From personal experience with cracking passwords, I wouldn't consider unmodified MD5 to be very secure. My computer can test 5 million MD5 hashes a second, or the entire 8-character password space in ten months.

Re:MD5.

[scheme]

From personal experience with cracking passwords, I wouldn't consider unmodified MD5 to be very secure. My computer can test 5 million MD5 hashes a second, or the entire 8-character password space in ten months.

You're mistaken. If you assume that a 8 character password only has upper and lower letters and numbers there are 218340105584896 possible combinations. That would take your computer about 7 years to test the space completely. If you allow passwords to have punctuation then this increases a lot more.

Re:MD5.

[NoMoreNicksLeft]

For the sake of the argument, assume he can do it in even half the time he claims, 5 months.

Shouldn't passwords be changed more often than this? I mean, it's not about being able to brute-force the thing period... but about being able to do it in a practical amount of time.

If everyone can start doing this in 1 month's time, I just have to start doing password changes every 2 weeks. Or am I wrong?

Just imagine a...

[GeekDork]

... no, I'm not gonna say it!

Perhaps not

[AKAImBatman]

If I understand the article correctly, they're using serious computer power to develop a database of all passwords and their resulting hashes. In doing so, they can reverse engineer any hash back into a password via a 1 to 1 lookup. The only problem is that the attacker still needs physical access to your password hashes. In other words, this is much more serious for "insider" hacks where a system user wants root control.

Correct me if I'm wrong, but wasn't the point of moving the hashes from passwd to another root protected file (like "master.passwd") to prevent this sort of problem?

Re:Perhaps not

Shadow passwords work sometimes. Sometimes you can just do "ypcat -k passwd" and get the hashes anyway.

Re:Perhaps not

[iamnotaclown]

• If I understand the article correctly, they're using serious computer power to develop a database of all passwords and their resulting hashes.

Look for it on eBay. Coming soon, to a 733t h4x0r near you!

Re:Perhaps not

[AKAImBatman]

Sometimes you can just do "ypcat -k passwd" and get the hashes anyway.

Just tried it on my Solaris box. I received the error "the domainname hasn't been set on this machine." A security flaw in NIS domains perhaps? That would certainly make the "insider" problem far worse.

Re:Perhaps not

[hackstraw]

Sometimes you can just do "ypcat -k passwd" and get the hash...

You must be confused into thinking NIS is secure.

Re:Perhaps not

[Tony+Hoyle]

Sometimes you can just do "ypcat -k passwd" and get the hashes anyway.

Not unless your actually not using shadow passwords at all...

'ypcat shadow' might do it but nobody with any ounce of sanity would put the shadow file on NIS. I use kerberos auth for the passwords and NIS for the rest of the stuff, which works fine... then again I'm behind a nice tight firewall.

Re:Perhaps not

[Ancil]

Sorry, but you are wrong.

By moving to a hash like MD5, you can use a much larger "salt". This makes pre-encrypted dictionaries infeasible. Current crypt()-based scemes use a mere 12 bits of salt. A more advanced hash lets you use any length salt you'd like (though anything longer than the hash size is worthless).

Quick primer for those wondering what "salt" is. UNIX stores not only your encryped password, but also a 12-bit salt. The salt is essentially part of your password, which the OS stores in plaintext. Its sole function is to make pre-encrypted password databases difficult. The crypt function is not a true "hash", so UNIX cheats by permuting the encryption boxes using the salt. The effect is the same as adding the salt to a password before hashing it with MD5.

The scheme was developed for the express purpose of defeating attacks like this one. However, 12 bits ain't what it used to be. With only 4096 salts available, pre-encrypted dictionaries are now becoming feasible.

The Solution (TM) is to use a modern hash like MD5, and store a salt which is as long as the hash itself. In essence, this renders encrypted dictionaries worthless -- it's just as easy to brute-force a password from scratch.

Re:Perhaps not

[cgb8176]

In doing so, they can reverse engineer any hash back into a password via a 1 to 1 lookup

It will still not be 1 to 1.

Re:Perhaps not

[AKAImBatman]

It will still not be 1 to 1.

Excuse me? Why not? Take one hash, search for all rows with that hash. Take the first row and apply the password from it. Am I missing something here?

Side note: It is true that the password you use may not actually match the real password. That's beside the point. As long as the hashes match, the system will allow you in.

Re:Perhaps not

[AKAImBatman]

However, 12 bits ain't what it used to be. With only 4096 salts available, pre-encrypted dictionaries are now becoming feasible.

You said it, not me. I'm not wrong, just not very detailed. :-)

Re:Perhaps not

[ComputerSlicer23]

You said it yourself, when you used the expression "take the first row". Using the adjective first, implies that there are many of them. However, you are correct in saying, there is no need to store more then one. If "asdf" and "3146t" have the same crypt (for a given salt), then technically, both of them are your password. By the pigeon hole princeple (you can have more bits in the password, then there bits in the salt + crypt( passwd ) ), at least one hash will have more then one password that hashes to that, hence technically, the parent is correct, it isn't a 1 to 1 lookup.

I've always wondered by nobody did this before, but then realized just how much space it would take to store. In order to store that many keys to be able to brute force them all, is insane.

Kirby

Re:Perhaps not

The Solution (TM) is to use a modern hash like MD5, and store a salt which is as long as the hash itself. In essence, this renders encrypted dictionaries worthless -- it's just as easy to brute-force a password from scratch.

no it's not, having a sorted list does wonders on the time, start in the middle, take the half with the hash, repeat.

Re:Perhaps not

[mlyle]

But you can't have more bits in the password than there are bits in the salt + crypt(passwd).

The total crypted hash is 13 characters. 2 characters are the salt, leaving 11 bytes out. 11 * 6 bits/character=66 bits, which are used to store the 56 bits of DES output + 8 bits of parity (with 2 bits left over).

For a given salt, each of the 2^56 possible passwords will have different crypts. The only place you'll see duplicates for the same salt is because of truncation effects (only the first 8 characters of the password are used in crypt, and the high bits are thrown out, to get things down to a 56 bit key size).

Re:Perhaps not

[warkda+rrior]

What's your IP?

Re:Perhaps not

[sawak]

For a given salt, each of the 2^56 possible passwords will have different crypts. The only place you'll see duplicates for the same salt is because of truncation effects

Unless the salt is "1/" and your password is "$C4U1N3R" or "SEEKETH." :-P

Re:Perhaps not

[mlyle]

In my haste to reply I phrased my reply incorrectly.

The only time you will see -more duplicates than you'd expect on a typical hash algorithm- (e.g. not all man values would be duplicated, for 2^56 inputs and 2^56 outputs) is because of truncation effects.

My point was to say it's not like if you had 2^56 inputs and 2^48 outputs, where there would be a little more than 256 duplicates per input value.

Most of the time DES crypt will indeed be 1-to-1.

Re:Perhaps not

The original poster is not wrong, just addressing a slightly different kind of attack. Better salt can prevent someone from building a MONSTROUS dictionary of all likely passwords + all possible salts (by making the salts huge and random, the precomputation becomes infeasible), like the article discusses.

But, the need to keep the password hash and salts secret (ie /etc/shadow) is also necessary to prevent bruteforce attacks on "weak" passwords. And doing this ALSO protects against dictionary attacks, even with low salt entropy.

Re:Perhaps not

[Chuu]

Actuially, modern salt schemes go a step further. Instead of storing a plaintext salt and then "Adding" it to your password before hashing it, now what happens is in addition to a "public" salt which is as the parent describes, a completly small amount of "private" salt is generated -- and never stored. Every time you log on, the computer has to try to figure out this random salt by trying every possible combination of private salt + public salt + your password. Essentially, on modern unix systems every time you are loggin on, you are trying to crack your own password!

-Chu

Re:Perhaps not

[Wakko+Warner]

Well, shadow passwords are all well and good, until you run NIS.

Most big places do, unfortunately.

- A.P.

Re:Perhaps not

[Wolfrider]

--Anyone here got info on how to convert existing Debian crypt() passwords to MD5 or Kerberos w/o hours of work? (Serious question.)

Re:Perhaps not

[simoncrute]

You have obviously not worked where I have worked ......

Re:Perhaps not

[ahg]

I haven't had to do this myself - so this is just a random suggestion I'm pulling out of....

How about enabling MD5 hashing and then expiring your all your user's passwords, forcing them to choose a new pasword when they login? When they pick a new password it will be MD5 hashed. (only need a simple perl script to do this for all UID>1000)

Of course this only works if they have shell access. If they have only have POP access... then you have to use some other mechanism to allow your users to change passwords. (google for poppassd)

Re:Perhaps not

A commmon wordlist with 12bits of has resulted in 1.1 Terabytes. About $1000 of storage.

MD5 crypt() implementations usually use up to 64 bits of salt (and most commonly, exactly 64 bits). Each additional bit doubles your storage. Fast algorithms are no match for unreasonable storage requirements. How much is 5 x 10^15th Terabytes these days?

Fast table-based dictionary attacks against current MD5 crypt() schemes will not be feasbile for a ridiculously long time.

Re:Perhaps not

[cgb8176]

Very good point, my mistake. Any password with the same hash is just as good. Although there would be some value in knowing their true password, for use on another system with a different hash.

Only if you have the crypt string

[dbavirt]

The ability to generate lots of crypt strings only helps you if you have the original crypt string to compare against. Most modern UNIX systems store crypt strings in /etc/shadow which is only readable by root. The crypt string is never passed across the net during most auth sequences. (Certain types of LDAP auth being the exception here.)

The problem occurs if someone manages to break into a machine, achieve root, and pick up the /etc/shadow file. They can now brute-force all the passwords given enough time, and it appears that the amount of time needed is shrinking.

This is a good argument for using different passwords on untrusted boxese and changing your password often.

Re:Only if you have the crypt string

[Tony+Hoyle]

If they've broken into your box and achieved root, there are about 10 zillion methods of them getting the password. And about another 10 zillion of putting so many backdoors onto your system they'll never need a password again... /etc/shadow is the least of your worries...

Re:Only if you have the crypt string

[dbavirt]

Sure, but the /etc/shadow file is their key to getting the cleartext of your password for use on other machines. At this point, it may be easier to brute force /etc/shadow than it is to set up backdoors, trojans, network sniffing, etc.

It can be much harder to determine that someone has hijacked your account than it is to note that a root kit has been installed

Re:Only if you have the crypt string

[coyote-san]

How hard do you think it is to write a PAM module that sends off an email with the user name and password?

This won't "crack" inactive accounts, but it will capture any account where somebody uses a password to log in. On most systems the attacker wouldn't even need to hide this function in an existing pam module, they could just provide a new one with an official sounding name (e.g., "pam_audit") and edit the PAM configuration files.

(N.B., not all access requires passwords. E.g., I prefer using SSH DSA authentication instead of password authentication.)

triple crypt lie DES

[goombah99]

Why not do the same thing for crypt as was done for DES. DES became triple DES. just iterate it 3 times with different salts at each step. Unless there is something insecure about crypt itself, and the sandiego study does not say this, then this should foil any brute force attack like this for another hundered years.

Re:triple crypt lie DES

[Zork+the+Almighty]

They have a database of all possible hashes. Your scheme would mean that an attacker would have to do three lookups, instead of one.

Re:triple crypt lie DES

Crypt doesn't encrypt passwords, it hashes them. The cracking method did not attack the algorithm directly, but just created a catalog of all possible inputs and outputs, then allowed you to use a reverse lookup to "decrypt" any hashed password.

This is a method that could be used to break any hashed passwords, but most modern hashes allow for more variation in their input values than crypt() does, making this (currently) unfeasible.

Aside from the fact that 3DES doesn't just run the same process three times (it uses two keys), this is not really comparable. The hashing algorithm was not directly attacked, so doing it multiple times wouldn't change anything. The passwords were still limited to 8 characters and the salts limited to 2. THAT's the weakness of crypt(), not the iterations.

(Okay, TECHNICALLY, you could hash it three times using two salts, and that WOULD increase difficulty--but not by enough to be safe foreven another week!)

Re:triple crypt lie DES

[AT]

The problem here isn't the strength of the encryption. The problem is that with crypt() there is only a two byte salt limited to certain characters, so each password maps to at most 4096 different passwords. Many unix systems use a newer system that allows up to eight arbitrary characters in the salt, which means any given password can map to 2 ^ 64 different hashes. It is this expanded salt that fixes crypt()'s most glaring problem.

Re:triple crypt lie DES

They have a database of all possible hashes.

No they dont. They have the hash of some 50.6 million unique "passwords".

Still

[mugnyte]

Even so, using a 10 character input of about 72 possible input chars, isn't 207 billion still only like .0000055% of the total search space?

So that 20000 * 80minutes gives ~1% of the space cracked?
2000000 * 80 minutes = 304 years to fully close the space.

With a perfect distribution, the mean of about 150 years seems like a long time.

Someone please check my assumptions here.

Re:Still

There isn't a unique hash value for every possible password... that's the way hashes work.

Re:Still

[Detritus]

You're assuming that the passwords are random. They aren't. Even with rules like a password must include upper-case characters, numerals and punctuation, they are not even close to being random.

Re:Still

[djtack]

perl -e 'print 72**10/207000000000*80/60/24/365'

I get 2,753 years out of this calculation (I think you lost a zero somewhere)... But expecting users to chose passwords like that is probably unrealistic. Even one weak password could compromise a system, even if all the others had really strong passwords.

Re:Still

[ottffssent]

That's assuming a random password which is an indefensible assumption. I have one or two computer-generated random passwords that I've memorized, but the majority of my passwords are pseudorandom at best. Most people don't use long passwords, and in any event their information content is rather less than 6 bits per character.

I think 8 charaters long, at closer to 4 bits per character is a more reasonable assumption. Sure, it won't get *all* passwords, but it will get the vast majority.

Re:Still

[Zork+the+Almighty]

As I understand it, they searched the output space. Hash functions typically hash multiple inputs to the same value. In a cryptographic hash these multiple values can not be determined in any inexpensive way.

Re:Still

[iamdrscience]

What!?!?!? How did the parent get modded up so high? Are people that unaware of how hashes work?

A hash is a digest of a piece of data, as such there is more than one possible password for every password hash.

207 Billion hashes is a substantial portion of the possible hash values.

No offense meant to the parent poster, you can't know everything and I suppose this is more obscure than a lot of things, but I'm really really surprised this got modded up like it did.

Re:Still

Even more pessimistic: 62 possibilities and 8 characters

62^8 / 207 billion => 1054 or ~0.1% of the space.
That doesn't even account for the ~1000 salts which reduces that to ~0.0001%. (Is this veiled M$ fud against competitors' security?)

Re:Still

Hmm. I want to say thanks for the enlightenment, but I'm finding the words hard to come out. Can you give us some of the actual math on the % that 207B really is?

Re:Still

[mugnyte]

So assuming hashes are 0.001% of the text, I come up with 100 days. Reading that the tables are kept, we're talking about 100 days to form a full hash table and crypt() is dead ?

PS no offense taken. My crypto skills are in the basement, but I enjoy learning. I think people wanted the comment to mod up to get answered, that's all.

Re:Still

~25%

Re:Still

[vondo]

Not really. From the crypt manpage there are 7.2e16 possible vales. 2e11 is about 1/300,000 of the possible space. I wouldn't call that substantial, really.

7e16 is of the same order of magnitude as an 8 character password using a combination of letters, numbers, and a few symbols.

Re:Still

[vondo]

And it's not clear to me that 5e7 (the number of passwords they tried), not 2e11 isn't the right number to compare with 2e11.

Re:Still

[coyote-san]

crypt() truncates input at 8 characters. Hashes can use arbitrarily long input, but crypt() uses a variant of the DES algorithm and has an 8 byte block length.

Meanwhile the number of possible characters is actually 95 characters - the control characters and DEL (0x7F) are not available. So the total search space is 4096 * 95^8 or 27.2e18, including salt.

But as others have pointed out most people don't pick good random passwords[*]. A good multilingual dictionary may have 100k words, and you can try 500 variations on each word if you have 207 billion possibilities (including salt). That 500 variations can cover dropped vowels, o->0 mappings, etc.

[*] What's a good password? Hint: mine recursively computes the MD5 digest of random data and prints out a few dozen candidates with the right mix of upper & lower case, numbers and symbols. I can usually find at least one that's fairly mnemonic but still totally immune from dictionary attacks.

Re:Still

[^MB^]

hummmm, i would beg to differ with the 'iamdrscience' post.
You are thinking about normal computer science hashes not cryptographic hashes.

207 billion is a very small portion of the possible hash relations.

I worked on a project similar to this, a distributed password cracker.

They calculated 50million passwords and 4096 salts this gives ~207Billion hashes.

There are ~7.32*10^14 possible passwords (quick approximation) with the 4096 possible salts.
That gives ~2.99*10^18 possible hashes.

I think the author of the other post was thinking there would be a lot of collisions.
There are 2^64 possible permutations of the DES 'cipher text' which gives ~1.8*10^19 possible 'cipher text' final state.

This means there are six times as many theoretical hashes as there are actual password hashes.
That and the nature of the DES algorithm would make colusion not very likely.

Anyway back to the point... 207 billion hashes would be 2.07*10^11.

2.07*10^11/2.99*10^18 = .000007%

This is NOT a substantial portion of the search space.

-Nick

*cipher text is refering to the initial 64 zeros cipher text used in the DES password encryption.

Re:Still

[bucky0]

Wait, I'm confused. Are you saying that if I hash the same data twice, I won't necessarily get the same hash. Or do you mean that there isnt a unique password for every hash, which would make more sense.

Re:Still

That there isn't a unique password for every hash. If the same password came out with multiple hashes then that would eliminate the usefulness of uses hashes to disguise passwords.

Re:Still

[NegativeK]

You're assuming that the passwords are random.

Not that this really has any relevance as a later poster pointed out, but you assume that passwords _aren't_ random. I make a few 6x6 tables, and roll dice (then burn the tables and grind up the ashes.) _GOD_ I'm a nerd.

P.S.: It also has the benefit of me knowing how to type the password in, but not what it is without some serious thought. Can't go around telling it to people, can I?

Re:Still

[Trejkaz]

In fact, restricting passwords so they have to satisfy certain conditions almost makes them less random. It certainly reduces the number of hashes you have to compute.

Re:Still

[Rich0]

But how many bits are in the hash output?

I don't care if you picked the impossibly-difficult 5&4!/3%A as your password. If the password hello gives you the same hash that will work just as well.

Remember - while the number of passwords is large, many passwords are indistinguishable as far as the algorithm goes. Of course, to figure out which ones those are requires brute-forcing the entire passwordspace. However, finding one workable password for each hash is sufficient to make crypt worthless...

Ironic advice

[baadfood]

For a book called Applied Cryptography. Perhaps he should have called it Applied Cipherology. Applied Ciphering? Applied Cipherography? I think ill just stick with "crypt", thanks.

Getting there...

[Jhan]

I may be mistaken, but I thought crypt() used 56 bit DES encryption. They can brute-force 207e9 hashes per 80 minutes, but the total key space is about 72e15 (2^56).

This means that the key space will be exhausted in ((2^56/207e9)*80)/60/24/365.24 years, which is about 52 years.

I do agree that this is still a little too close for comfort. Fortunately no-one I know is still using classic crypt() for password protection.

Re:Getting there...

I assume they are only checking for hashes of alphanumeric keys which is a smaller search space.

Re:Getting there...

[tep-sdsc]

Funny, we did this work almost a year ago, and someone finally notices :-(

Yes, this is a very small part of the total theorectical key space.

But its exactly the part of the space that is most "interesting"; this is the part that will most likely be searched by an attacker AND the part that is most likely to have a real, user-selected password.

The original goal (years ago) was to allow us to verify that our users weren't using passwords that would be likely to be found by an attacker.

Yes, passwords are *supposed* to be stored in shadow files that are not accessible, except by root, but in practice, it is often discovered out in the Real World, especially at larger multi-vendor sites, that user password hashes are copied between machines, stored in databases, and in general available to an attacker who does not yet have root.

These are the same sites that often can't or haven't converted to md5() hashes, as they have older legacy OSes that don't do md5(). Note that even though Sun "supports" md5() hashes, they don't support them everywhere and it certainly isn't seamless. Don't get me started about AIX. Linux and the *BSD folks are way ahead of most of the commercial UNIX variants.

As for the scalability, read the whole paper. We used the largest single machine at SDSC, but its rather dated in terms of crypt() performance. A distributed.net-style project using typical home machines would win, IF you could get a thousand or so people to cooperate.

The Terabytes of storage in a single filesystem didn't hurt in the sort/merge phases either.

Personally, I'm a Kerberos fan :-)

Re:Getting there...

[randombit]

A distributed.net-style project using typical home machines would win, IF you could get a thousand or so people to cooperate.

OR build a crypt() cracker into the next Blaster. :) Much easier and faster, I would think.

Deep Throat

thats how I read the subject too.

So much for longer passwords being more secure?

[doormat]

I remember back in high school I had created a bunch of accounts on my linux box and used some program to try and decipher the passwords. 1-4 charecter passwords were found in 30 minutes (on my blazing-fast-at-the-time 200MHz Pentium 1), 5 charecter passwords took 2 days, 6 charecter passwords took... well, forever more or less. I figured at the time, a 7 charecter password would be sufficient forever (at least for my life time), but I guess not. Now I use 10 charecter passwords for most of my stuff... Do I need to move to 15 charecters? A passphrase instead of a password?

Re:So much for longer passwords being more secure?

[MikeCapone]

Now I use 10 charecter passwords for most of my stuff... Do I need to move to 15 charecters? A passphrase instead of a password?

I'm not expert, but it seems that the problem is that the actual password can be substituted by the hash of said password.

Usually it is easier to find the password than the hash, but with such brute-force available... Well, the lenght of your password may be irrelevant.

I may be misunderstanding the situation, though. Somebody correct me if I'm wrong.

Re:So much for longer passwords being more secure?

Get a Iris scanner eh?

Re:So much for longer passwords being more secure?

[Aneurysm]

With a password hash, all hashes generated are of the same length. Therefore someone bruteforcing the hash will take the same amount of time no matter what the password is. A longer password though may save you from a dictionary attack, especially passphrases, as it greatly reduces the chance of a brute force dictionary crack finding your password.

Re:So much for longer passwords being more secure?

With standard crypt(), only the first 8 characters of the password are used.

Re:So much for longer passwords being more secure?

[thedillybar]

Well, for starters, you should avoiding telling people the length of your password...

Re:So much for longer passwords being more secure?

[SunBug]

It isn't that the hash can be substituded for your password, but that with this database, they're able to map the hash to every single possible password. So, in order to brute-force a password, you use the list of passwords *known* to generate the hash, and try all of them until you get a match.

Of course, to make this of any use, you'd have to have access to the hash, which is difficult.

Re:So much for longer passwords being more secure?

Actually, any of the passwords which map to the same hash as the original password would be valid. This is because the database they are creating is basically a giant password file. A password program simply checks that the hash of the password is equal to the stored hash of the password. A password program never stores what the user considers to be the real password, but in reality, all passwords which map to the same hash are equally valid because of the fact that they map to the same hash.

Re:So much for longer passwords being more secure?

Here's how it usually works:

When the password is first set a hash is generated from the plain text password. The hash is then stored. Hopefully the hash itself is longer than the password and this is usually the case. If not, you can have the case where two different passwords generate the same hash.

When a user wants to authenticate against the auth mechanism, the user will key in a password. The password is hashed and then compared against the hash stored on the system. If they match then access is granted.

So you couldn't put an actual password into a hash field and expect it to work.

Most password systems also add a two character salt value stored at the beginning of the hash. This is only there to provide a little more randomness.

How the dictionary system works is interesting. It precomputes all possible hashes for all possible passwords. Most will use the systems password restrictions to restrict the number of possible passwords. For example, characters must be 6-12 characters in length, consisting of upper and lower case characters and symbols. High ASCII characters are generally not allowed. They will also add in the salt value. After a few days of processing (generally going through dictionary phrases and then incrementing character by character) you will have a large database of hashes.

Next, try to find the password hash table. On some systems the hash is available publicly. On any recent ones it requires special permissions. Then it's just a matter of looking trough the hashes and finding one that you've precomputed. Look up the hash and its corresponding plaintext and you have the password.

There are other ways of getting the hash. Some authentication systems sent the hash over the network without encrypting the hash itself. Sniff the network and you could get the hash. Sometimes the hash was encrypted but with a weak algorithm such as a secret key that never changes. You could sniff the encrypted password then decrypt to reveal the hash. Then lookup the hash in your table.

Re:So much for longer passwords being more secure?

[SunBug]

yeah, you're absolutely correct! I completely forgot about that little caveat with hashes.

Re:So much for longer passwords being more secure?

[chochos]

well if you're using crypt() to encrypt your password, then only the first 8 characters are used, the reset is ignored. But from what I've read here, some Linux distros use MD5 now.

Re:So much for longer passwords being more secure?

[mkh]

You'll get a bunch of solid information about this stuff and more by studying the Diceware FAQ. Highly recommended.

Re:So much for longer passwords being more secure?

[martinde]

Right, but you don't bruteforce the hash itself, right? You generate every possible hash you can and hope one matches. This guy is saying he can generate all 6 char hashes in a reasonable amount of time, but not for more chars than that...

Re:So much for longer passwords being more secure?

[Daniel]

So, in order to brute-force a password, you use the list of passwords *known* to generate the hash, and try all of them until you get a match.

I don't see why you'd need more than one -- the only thing the password file stores is the hash, so two passwords with the same hash should be considered "identical". I think.

Daniel

Re:So much for longer passwords being more secure?

[Old+Wolf]

What the poster meant (as I read it anyway) was:

There's only N possible one-character passwords, (N = the number of usable-for-password characters in the character set, = 256) so one-character passwords could be brute-forced in an instant, by using the method of calculating the hash for all 1-character passwords, and looking up the candidate hash in that list.

Incidentally, does this mean it will help your password to include uncommon characters (eg. control codes, high ascii) in the hope that brute-force programs will limit themselves to alphanumerics to save time?

Re:So much for longer passwords being more secure?

[doorbot.com]

I see recommendations here on /. to take a phrase, such as "News For Nerds. Stuff That Matters." and convert this into a password using the first (or last) letter. So you might end up with: "N4n.stM." and this is a "good" password.

Why not just use the whole phrase? It's easy to remember a sentence, such as "I wish I could remember these long passwords." Sure, that's a lot to type, but it's easily long enough to avoid brute force attacks, and while there are whole words in it, there are far more combinations of words than just characters (how many words are in the English language). Even if you just count words that one might use in a day (let's say 1000), there are far more combinations of those words than could be achieved by letters and numbers alone.

Granted, you need an operating system that supports longer passwords, but Linux and Windows (and MacOS X?) support this, so I would guess that most Slashdot readers are covered.

Re:So much for longer passwords being more secure?

[hopews]

The paper said that the crypt algorithm strips off the high bit, so no, this wouldn't help at all. In fact, most of the collisions they found were due to high bits being set.

Re:So much for longer passwords being more secure?

[SunBug]

You're absolutely right (and an AC corrected me earlier). I left my thinking cap off when I posted. Mea culpa.

Re:So much for longer passwords being more secure?

[shfted!]

If you're curious, an average consumer machine today is capable of cracking 3DES passwords less than 7 characters in less than a day with Jack the Ripper.

how about...

[frodo+from+middle+ea]

Open Sesame..

Give it some time

[appleLaserWriter]

Wait a year or three and this kind of computing power will be available in game consoles in bedrooms across america.

Too Late

[sirReal.83.]

I've already rooted all your boxen and converted them to a worldwide Beowulf cluster.

Time to crack some pr0n passwords...

they fear the /. effect

[PxT]

Heheh... the paper actually talks about them putting a searchable front-end to the results online but then says they decided not to, in part due to the "dreaded 'slash-dot' effect". Nice.

Re:they fear the /. effect

[jc42]

the paper actually talks about them putting a searchable front-end to the results online but then says they decided not to,

Well, that's a disappointment. In the past, when the monthly announcements that crypt has been broken appear, I've generally responded by sending them my /etc/passwd entry and asking them to tell me my password. So far, nobody has ever done so.

If these guys could tell me my password given the encrypted string from the 2nd field, then I'd be impressed. Until then, I'll just take it as another entry in the very long list of claims that crypt has been broken.

But who DIDN'T see this coming?

Passwords limited to 8 characters. Salts limited to 2 characters. Not exactly a lot of combinations to complicate the brute-force attack now, are there?

The moral to this story is: SHA-1.

Re:But who DIDN'T see this coming?

[lcde]

The use of brute-force attack offends me and reminds me of my prison days.

:D

Why bother with the force...

[bunhed]

when you have access to the brute. Sheesh!

You missed the point

The DEFAULT is still DES/crypt. Why not change it?

Re:You missed the point

[AKAImBatman]

The DEFAULT is still DES/crypt. Why not change it

Because Sun guarantees that every piece of software ever written for Solaris will continue to work in new versions. Some would say that they're penalizing the rest of us for those few users still using 10 year old programs. And yet, there's something to be said for "working out of the box".

You're paying your Unix admins anyway. You might as well have them do something more useful than playing NeTrek all day while the system happily chugs along.

Re:You missed the point

[dlippolt]

as far as i'm concerned, sun's pam configuration and flexible login setup only applies to solaris 9 and above. after trying to come up with a sitewide md5 solution i found solaris 8 to be terribly difficult to work with. dont get me started on their broken ldap libraries.

several datacenters i work with independently only offer solaris 8 so "why aren't you using the latest sun distro's" falls on my deaf ears. the huge body of vendor supplied software which calls for solaris 8 just makes it worse.

nis implementations that pass these crypt values around the network just makes keeping them inaccessible to users a nightmare.

crypt-for-passwords is one of those "standard unix" methodologies that needs to have already died a horrible death. the original title of this topic was hopefully appropriate.

Re:You missed the point

[Eraser_]

So Sun is doing what Intel/Microsoft does?

At least apple knows when to cut users off. Even classic apps are being furiously killed off, let alone 68k. Oh yeah Duke3d and commander keen runs on my friends Athlon 2ghz with windows XP. In FreeBSD/Linux you can kill off support for older processors than you want to support easily, but the cludge is there in hardware still. Go 80386!

Re:You missed the point

[AKAImBatman]

But my point still holds. Sun wants to maintain backward compatibility. Period. That's separate from suck-add implementations of the PAM authentication method. And you're lucky. Last time I administrated Solaris boxes (other than my home workstation), I was stuck with Solaris 7. Trust me, that hurt.

nis implementations that pass these crypt values around the network just makes keeping them inaccessible to users a nightmare.


I feel your pain. That's going to be a difficult one to solve though. How does a user authenticate on a network if they can't pass their hash? One could add public key encryption on top of the authentication protocol, but one slip up in key management and the whole deck of cards collapses. After all, how long will it be until we see a worm that uses distributed power to begin generating all possible MD5 hashes? A daunting task to be sure, but certainly not beyond the current state of computing power.

Re:You missed the point

[AKAImBatman]

That's separate from suck-add

LOL! Seems I've developed a new swearing lingo. :-)

Re:You missed the point

bah, your just all batman wacky...

Re:You missed the point

[kylemonger]

After all, how long will it be until we see a worm that uses distributed power to begin generating all possible MD5 hashes? A daunting task to be sure, but certainly not beyond the current state of computing power.

The MD5 hash space is 2^128. To store the texts that generate all possible hashes you would need 2^128 multipled by the space required for each corresponding text. That is well beyond the storage capacity of all the disks spinning on the planet today. 2^128 is a really big number. If the whole surface of the Earth were covered with 250 GB disks (including the oceans) you'd still be short of necessary storage space by a factor of at least 10^20.

Forget about brute-forcing MD5.

Re:You missed the point

[utlemming]

I've been brute forcing my MD5 on my machine now for the past 6 hours, and frankly, I will be suprised if and when it gets broken.

Re:You missed the point

[dknj]

chmod 700 /var/yp

-dk

Re:You missed the point

[SnowZero]

You mean "go 8086", since real mode is still there ;)

Re:You missed the point

[SnowZero]

there's something to be said for "working out of the box".

There's even more to be said for "reasonably secure out of the box". However you're right about most Unix admins being cluefull enough to know to always fix it. It'd be nice if Debian changed their default though, they have far less of an excuse.

Re:You missed the point

[larien]

Funny, I managed to set up pam_smb to authenticate via Samba some years back under Solaris 2.6, 7 and 8 quite happily. It needed a few tweaks in a couple of places, but once it was set up, it worked perfectly well for me.

How are they storing the results?

And now the important question,
are they storing it in MySQL or Postgres???

Re:How are they storing the results?

are they storing it in MySQL or Postgres???

Excel ofcourse. if you run out of space just create an extra file.

Only 50 million passwords

[vondo]

Those 207 billion hashes come from only 50 million possible passwords. Using only 10 letters (no upper case) and 8 characters gives 100 million passwords. Bumping the letter pool up to 75 (52 letters, numbers, a few symbols) give you 1E15 possible passwords.

Moral of the story: Pick a good password.

Re:Only 50 million passwords

[ftzdomino]

Computing the entire 7.2e16 values (man crypt) should take about 52 years. Assuming Moore's law, this drops to about 7.2 years.

How many years will it take?

[pbug]

Will it take for such a thing to be done with (put in your favorite encryption scheme). Dictionary attacks will become easier everyday because computing power and hard drive space are becoming more abundent. Is the answer just to move to a bigger set of prime number each time computing power get bigger or to move to a another type of encrytption scheme all together well only time will tell.

What did I miss?

[skintigh2]

Are crypt() secret keys limited to certain characters?

If so, change it.

If not, 8 bytes = 64 bits = 2^64 keys = 18.4 quintillion

270 billion in 80 minutes means 18.4 quintillion keys would take 14,296 years.

Pardon me if I don't quake in my boots yet.

Re:What did I miss?

[Cramer]

crypt() uses a 56bit key (it's "DES") and a 12bit salt. So there are 2^56 x 4096, or 2^68, possible hash inputs and outputs (minus a handfull of collisions.)

That's a total of, roughly, 295,147,905,179,352,825,856 (295 billion billion) possibilities. Personally, I don't have a few petabytes sitting idle for the purposes of lookups. (however, I've dreamt of doing this for nearly 15 years... to be able to choose what one's password will be in the visible password file.)

Re:What did I miss?

[Daverd]

Come on now. A lot of the 256 ASCII characters can't possibly be used for passwords. Many of the others, nobody would want to use anyway. Do you want a DEL (127) or a Backspace (8) in your password? How about a null character (0)? How would you even type that? Realistically, I'd say that crypt() can already support as many characters as anyone would use.

Re:What did I miss?

[randombit]

Are crypt() secret keys limited to certain characters?

Yup (this is described in the paper). You get (at most) 8 characters of 7-bit ASCII, cause DES has a 56-bit key (plus 8 parity bits which are completely ignored). Of course it's hard to type \001 into a keyboard, so it's actually a bit less than 2^56. Anyway, changing the upper limit doesn't help that much, even if you modified it (somehow) to use 8-bit characters, the basic algorithm (25 iterations of DES) is just too quick to compute on a modern machine. The MD5 crypt() [common on Linux and *BSD] uses 1000 iterations, which is not bad, but is less than ideal. The OpenBSD Blowfish-based crypt() is very good, because it's very slow. Especially good as it uses up lots (~4K) of memory, which makes a custom hardware cracker quite expensive, which was actually one of the goals of the old crypt() as well (it's just that hardware has caught up with it, and then some).

Re:What did I miss?

[skintigh2]

"Do you want a DEL (127) or a Backspace (8) in your password? How about a null character (0)? How would you even type that?"

Same way you type 127.0.8.1

Re:What did I miss?

[raytracer]

You missed the fact that secret keys aren't uniformly distributed. In fact, it is certain that they are very sparsely distributed.

My luggage combination

1 2 3 4 5 6. Dammit, they already hacked my password!

Re:My luggage combination

1 2 3 4 5... That sounds like the combination an idiot would have on his luggage!

salt and recursive crypt

[goombah99]

They have a database of all possible hashes. Your scheme would mean that an attacker would have to do three lookups, instead of one.

No its not that simple. If it were just a database lookup then simply increasing the size of the salt a million fold would be all that was neccessary to foil any pre-computed attack. The important point in this article is that they it only takes 80 minutes to compute the crypts given the salt.

thus one way to defeat this is to hide the salt as follows. The attack requires stealing the hashed password file. Each entry will be of the form

SALT, HASH_code

since the salt is given they could run their computer for 80 minutes and test 209 billion inversions of the hashcode. However if the stored item were instead: SALT2, crypt( SALT1, crypt(passwd)) then you would have to crack the first one to get the salt for the second. now iterate this.

Re:salt and recursive crypt

Just out of curiosity, how would you authenticate the users? (That is, given a password, how do you determine whether that password matches?)

Since you only get SALT2 in the encrypted hash, you can't do the crypt(passwd) step (because that actually is "crypt(passwd, SALT1)").

Re:Be very careful

[thedillybar]

Have 576 cracked shouldn't worry you unless you have older encrypted data using that.

Confidential data being sent across the Internet should be looked at even more closely. Using an encryption method that is considered secure today may not be enough.

You may get lucky and not find anyone patient enough, but someone could very easily snoop the encrypted data, wait 5 (or 10) years, and crack the encryption scheme on his/her personal computer.

The tougher the encryption, the more time before they will be able to crack it. Eventually, however, it will be easily cracked. Just like anything else, there are pros and cons. You need to decide which encryption level will benefit you the most (processing power/time required to encrypt/decrypt VS amount of time before it's crackable).

crypt(3) cracking.

[thisissilly]

so how fast could they do it with 10 1k uniprocessor machines? or 20 $500 machines?

If you are interested, you can take a look at a paper I wrote (back in 1997) on the power of cracking with ten 200MHz Pentium Pro machines.

That's what I like to see...

[dmccartney]

From the article:

In cases where two sets of options produced insignificantly different speeds, a physical binary decision device (U.S. quarter coin) was flipped to determine which would be used.

That had to be fun for them to write up.
I am going to go convert two of my physical binary decision devices into a cup of coffee.

Re:That's what I like to see...

[Michael+Woodhams]

I once found something in a computer room that I applied a label to: "Emergency manual hard reset device."

It was a metre long monkey-wrench.

Re:That's what I like to see...

I am going to go convert two of my physical binary decision devices into a cup of coffee.

I can't wait for the spam blaring ``Get your binary decision devices - only 19.99 Don't be fooled! zicxvy cpvob''

Storage.

[Greger47]

Using SDSC's prodigious computing facilities, they precomputed 207 billion crypt() hashes in 80 minutes.

Yes, yes, but where did he store them?

/greger

Re:Storage.

Right here

Re:Storage.

They used some proprietary storage devices.
But at 2.3TB maximum storage space needed, you can figure that for couple of thousand $ you can get more than enough IDE disks to do that (at $266 for ~300GB)

And this is without compression. The computational resources to do all this are really not that massive.

"Physical Binary Decision Device"

[Isao]

A quarter.

Re:"Physical Binary Decision Device"

[jake_eck]

a.k.a. "two bit computer"

Re:"Physical Binary Decision Device"

[Laplace]

Oh yeah, a quarter. High roller; fat cat throwing your money about. A penny works just as well for me.

Cheating the Crypto?

[suwain_2]

I'm really not all that familiar with the inner workings of cryptography, but it seems like it'd make sense to do more system-specific hashing. (Not in all cases, of course.)

For example, I was looking at the MySQL tables on a site I run, and realized that my password hash there is the same as on other boxes I have accounts on. For example, 5f4dcc3b5aa765d61d8327deb882cf99 is the MD5 sum of "password," anyone with access to a set of passwords could simply skim through looking for this and other well-known hashes.

In many cases, wouldn't it make a fair amount of sense to use machine-specific algorithms for generating password hashes? It could even be something simple, like taking the hash of "$hostname-$username-$password". You could generate all the hashes you wanted, but if you didn't know my username and the hostname, the hash would end up being different. The end result is that, even though I (insecurely, I know) use the same password (and often, the same username), I would have a different password hash on each machine; you'd have to know all three fields before you could brute-force my password.

Is there something I'm overlooking? This idea seems like it'd work out really well; I can't possibly have just described some revolutionary new idea, though.

Re:Cheating the Crypto?

[DukeyToo]

You're overlooking the random salt value, which is different on each machine, or even the same machine for different accounts. So, generally you would have a hash of "$salt-$password".

The problem mentioned with crypt() is that the $salt value is very small (1.5 bytes), thus making dictionary attacks feasible. If MySQL is not using salt values, then they risk similar attacks.

Re:Cheating the Crypto?

No, you've just discovered recommended practices, that's all ;)

Assuming the hash itself can't be attacked (i.e. there's a weakness in the hash that lets you know when one password is "close" to another password), there's still a lot of ways to attack a hash.

The first is to run a dictionary attack on it. Solution: disallow dictionary words. The second is to look through all the hashes for multiple users with the same hash (thus the same password). Solution: incorporate the username into the salt so that two users with the same password have different hashes. Lastly, incorporate some "site identifier" in the hash so that the same username/password combo results in different hashes on different systems.

And the last thing is: don't let people get at your hashes. Treat them as if they were passwords.

Oh yeah--and none of this applies to crypt()--because your salt space is so limited, you can't put a username and site id in there. It's better (albeit still crappy) to just choose a random set of two characters and prepend it to the resulting hash. Which is what crypt() does.

on OS X

[VValdo]

In Jaguar (OS X 10.2) and earlier, type:

nidump passwd .

In Panther (10.3+) it will not show the hashes, and I believe a different algorythm is used anyway.

W

Re:on OS X

[AKAImBatman]

Ouch, that does indeed work. Glad my Mac has no remote services installed...

Re:on OS X

[Permission+Denied]

nidump passwd .

In Panther (10.3+) it will not show the hashes, and I believe a different algorythm is used anyway.

In 10.3, the netinfo entries contain a reference to a file and this file contains the hashed password. Of course, the file is readable only by root. I was pretty vocal about this problem so I'm glad to see it fixed. Each user has their hash stored in a separate file, which I guess could be useful. At least it cuts down on pointless parsing.

The hash algorithm used is apparently MD5, but they don't store the hashes in the usual textual MD5 representation. I guess they really hate parsing.

Even more fun was if you used netinfo for network authentication, all hashes for all users on the network were available to the world, not just authenticated users. This meant you had to restrict access to your netinfo server to an IP range to avoid advertising your hashes to the Internet. Thankfully they started deprecating netinfo network authentication in 10.2, but this was recommended practice with 10.1 Server.

Re:on OS X

That sounds a little like what Openwall Linux (OWL) does. Your shadow file turns into a tree of files, and each user owns their own piece of it. Access to the tree happens with sgid shadow if I remember correctly. The point is that things like passwd and chfn are no longer suid root.

I think they managed to get the whole system working without suid root binaries, and that's without things like capabilities. It sounds pretty good to me.

Re:on OS X

[Permission+Denied]

The hash algorithm used is apparently MD5

Correction: the hash algorithm is not MD5. I heard someone mention MD5 and assumed they were correct without checking, but the hashes are actually much longer than MD5. The hashes are encoded in some subset of ASCII but are much longer than ascii-encoded MD5 hashes. I cannot find the code in Darwin where this is done, assuming this was publically released (which it definitely should be). I'm very curious and google turns up nothing, so if anyone knows, I would appreciate it.

Just what is being crtiqued?

[i_r_sensitive]

Sounds more like a stinging indictment of weak passwords than crypt().

Reading the article there is no way that teracrack is going to deal with a strong password, the hash won't be present in it's table.

Regardless of algorithm, the weak passwords will allways be the first to fall. We can all stop using crypt() and start using md5 hashes, but the same techniques can be applied again, and again the first passwords to fall will be the weak ones.

I hate to sound like a Luddite, but technical problems aren't allways best fixed with more technology. The best use of teracrack that I can see, is the same use that it's predecessor had, to identify weak passwords and identify them to the user and admin to ensure that this core problem is addressed.

Re:Just what is being crtiqued?

no no no no !

you are not the only one to make the same mistake. in fact all post i have read so far make the same mistake as you do.

common sense would dictate that using a longer password would make it harder to being cracked/bruteforced. But in the case of mapping all hash values, IT IS IRRELEVANT.

Passwords are NOT stored on the machine, only their hash. Now, as many people wrongly pointed out, hash values have many many collisions (2 different password resulting in the same hash). As I have said before, since the original password is not saved, the password-check routine will only compare both hashes together (entered hash with valid hash). this means that there is no need to save all the different passwords mapping unto the same hash (all the collisions), you only need to save one of them, because when the password-check routine will be invoked, they all return the same hash. this implies that using a longer password (read: 100 character password) is TOTALLY IRRELEVANT to this type of attack. While it is true that they most likely did not map all the hashes to at least one password, they pretty much covered almost all of the hashes, meaning no longer how long is your password, it will not protect you from bruteforcing-type of attacks.

-marton stromgald

Re:Just what is being crtiqued?

[i_r_sensitive]

RTFA, they did not compute all possible hashes, they computed all common hashes from common dictionary attacks.

ok, quick...

So that's something on the order of 5 TB of data just to store the hashes? Ok, so we need about 5,000 volunteers to host a gig of the hash data each and a standard that addresses how to look up the host that holds each piece of the data just so we can search the system. Unless of course you know of someone willing to volunteer a system that can search through 5 TB of data in a reasonable timeframe. How many systems can even hold that much in memory?

Re:Proof that this was MEANT to happen! :-P

[Tony+Hoyle]

Zombies, demons, cyrpt, etc.

Were all the original unix inventors Goths?

Re:Proof that this was MEANT to happen! :-P

[OldCrasher]

Not Goths, but if you had lived in Murray Hill, NJ at the time (the AT&T Getto) you might have wanted for this type of excitement!

Remark upon hearing about the SDSC was ....

[OldHawk777]

This is just hearsay from a very recent OPEN-DOOR Washington meeting.

"THANK Goad, PRAISE Ollie, GORY-B2 Yoho-Way, .... We have the keys to paradise. The ultimate knowledge that comes from having access to all knowledge is ours. Yippidy-dippidy-doodaa we control all the world now including the slums, sluts, and slackers of the Internet Kingdom. Now we get the needed Linus brain transplant half for John and half for Don (zombies need brains, dead men don't) should make US twice as smart". //GW//

That's not how it's done...

[Duncan3]

And yet key loggers and social engineering are still exactly as fast and effective as they were when they were invented...

Think of the children, Moore's children!!!

not a new concept, but a new practical limit

[sir_cello]

Not a new concept, but novel given the use of modern computing resources.

I (and probably others, I claim no novelty, only an inventive step :-) wrote software in 1991/1992 to do this: unfortunately sun4 MP's and about a gigabyte of disk were the best we had.

Rather than precompute the entire crypt() space, we precomputed the space for well known words (and combinations of those words with different prefix and suffix), because for any individual word, there are only 32 [I think from memory - 5 bits?] combinations that it can crypt to given the random salt that was possible.

Because of available disk space, we couldn't store the entire precomputed output: so we chose to only store the first N bits of it. This was configurable. I cannot remember the exact figure - sure I could dig the code up out of an old CDROM archive :-). The output was also stored in bitwise numerical order - matching divide/2 matching very fast.

So the password cracker would then mmap() the couple of gigabyte file, then easily find (or not find) a candidate prefix. If it found the prefix, it ran a few trial crypt()'s to ensure an exact match. In practice, because of the lack of diversity in passwords, there were few false candidate matches: so the password cracker had some extremely large hundreds/millions of equivalent cracks per second as a result of mostly just not finding comparisons, and a few trial runs for succesful targets (I think the running rate of the other two popular crackers at that time was about 100K cracks/second).

Anyway - that was a long time ago - fun and games as a student. I still have the source code :-).

Re:not a new concept, but a new practical limit

[sir_cello]

My memory is better now, plus I read the document. There are 4096 possible combinations of password. I still forget the other details. I know that /. is not forgiving either ...

Crypt was in "games"

[twenex]

In the Bell Labs UTS Ninth Edition (V9 Unix) released in 1986, the crypt command was moved to manual section 6, games, along with trek, bridge, boggle, etc. Crypt (the lib in section 3) still existed, however.

Re:Crypt was in "games"

[Slashamatic]

Crypt the utility used something similar to the enigma machine. crypt() the library was based on a modified des.

Re:Crypt was in "games"

[twenex]

You know, now you mention it, I think you're right. 1986 was a long time ago.....

Re:Crypt was in "games"

[raytracer]

In the Bell Labs UTS Ninth Edition (V9 Unix) released in 1986, the crypt command was moved to manual section 6, games, along with trek, bridge, boggle, etc. Crypt (the lib in section 3) still existed, however.

That's because the two items (crypt(1) and crypt(3)) utilize entirely different algorithms. The crypt(3) library is of course your everyday average DES, which as this thread notes, has gotten a bit long in the tooth. The crypt(1) command however was an entirely different algorithm based upon the idea of a rotor machine. It only has a single rotor however, which makes cracking it pretty darned easy, probably _way_ simpler than the original German 3 rotor enigma machine. The implementation that is still distributed in FreeBSD (/usr/src/usr.bin/enigma) is from the Crypt Breaker's Workbench, a near automated cracking utility for this code.

Cracking ordinary DES isn't a game quite yet, but it's certainly not the best choice for a password scheme.

Another breakthrough.

[grazzy]

I have calculated the time it will take any of these guys behind this paper to pick up the hotest lady in any given bar at any given time. The results are astounding: infintite.

Encryption and Big Brother

[lisany]

Its stories like this that remind us that Big Brother would chew through any encryption a user might have.

"Oh, 2048 bits? *yawn* We'll have the results for you in a month."

Score -1, wrong

[wirelessbuzzers]

A symmetric key is twice as hard to brute-force for every bit you add. Nobody "brute-forces" asymmetric (public) keys by trying all possible keys; rather, they try to reverse the mathematical process used to construct the public key from the private one. In the case of RSA, this is multiplication, so you have to factor a number. Currently, the fastest public method to do this is the Multiple Polynomial Number Field Sieve; to make something twice as hard with this, you have to add something like 0.3 to the cube root of the number of bits.

RSA keys (and elliptic curves, and DH keys) are much more likely to be severely weakened by improvements in mathematics than say Blowfish or Rijndael keys. If someone improves the method to reduce the constant in the exponent of the NFS (which would probably be extremely difficult), the 1024-bit RSA key could fall easily; otherwise, even Moore's law gives it only a decade or so to live.

Re:Proof that this was MEANT to happen! :-P

Where were they when we started calling things "master" and "slave" ?

I'd take them seriously

[Wee]

I've been to SDSC a bunch of times (it's across campus from where I work). One time when I was there about two years ago, Tom Perrine gave me and a friend a tour of their datacenter. Towards the back, there are two big (and I mean BIG -- like "room-sized") tape libraries. In fact, it's the world's largest tape library. The servers that act as the cache for the libraries are in racks which run about 25 feet long. It's pretty impressive.

One of the libraries' uses was a project by a research guy there who aimed to store every possible combination of 8-character ASCII strings. I forget exactly how much storage space it took up, but it was quite a bit more than what you'd expect just from doing the numbers (they might have been storing metadata or something as well, I don't remember). Anyway, I do remember asking what they intended to do with the data: They wanted to use these to compute password hashes so they could crack passwords in near real-time. It looks like they finally got around to do it.

I haven't yet read their paper so I don't know if they used this data or not, but I'd believe them if they say they've computed all the crypt()-able hashes. Hopefully they'll put up a search interface so you can break your own password. They've got the computing horsepower to spare...

-B

Nice to see...

[CatOne]

A 1.7 GHz celeron blows doors off an E10K.

And it's like 1% the cost, too!

mirror of pdf

mirror of pdf

Bah.

[Trejkaz]

0 GOTO 10

password reuse ...

It becomes relevant if the attacker has (limited) physical access to your machine.

Lab-Computer :
1. Insert bootdisk ...
2. Reboot ...
3. cp /etc/shadow on bootdisk
4. crack hash on a convenient machine

Even then, this wouldnt matter much if the password were unique to the machine.
However people are lazy and reuse passwords. (The recent Debian breach was very likely due to a reused password that was intercepted on another machine.)
So after getting the root password from this lab machine, I can go on and check if it does also work on the server I have no physical access to.

The solution is, of course, to never use the same password twice, or at the very least, to not use the same password on your servers and publicly accesscible lab machines.

However, I might not only retrieve root's password, but also user's passwords that might be reused on another machine. So, unless you can enforce non-reuse of all your user's passwords, you better protect them the best possible, even after root was compromised.

(BTW : I could install a password logger, so if you dont detect the compromise fast, protecting the hashes is useless.)

Re:password reuse ...

[Krach42]

1. Insert bootdisk
2. install rootkit

Boom, skip the whole process of cracking /etc/shadow.

On the local machine the root password is actually pretty useless, since it will generally be easier to find a bypass than the root password.

I follow this policy, by disabling the root account on any machine that I can, and using "sudo" to do my root work. My friend demonstrates this by having a very stupid and simple password for root.

True, it's possible someone might be able to "accidentally" grab the /etc/shadow file, but it's probably easier to find a hole elsewhere that will get you root without a password than to grab /etc/shadow and crack the password. Even if it's easy.

Again, same friend's computer, another friend got on it, booted up to grub, entered the right commands to get the system to start up in single-user mode, and grabbed his /etc/shadow, and cracked his root password. He then laughed at my friend who had made the pasword saying, "I thought you were so smart about security, but you used a password that falls to a very simple dictionary attack?" And he just responded, "You already had root to get the password, so who cares what the password was?"

Now, the real truth is password reuse... you're right on the button there, and need to protect the passwords of users, who may be contacting your computer from elsewhere. This is how many script kiddies "walk" their way into high-security areas. Coincidence, and password reuse.

I've taken to using a set of passwords, where each is a seperate level of access to my life. One password is used for websites, where I cannot guarentee that they're even using something other than plain text passwords, so generally all my slashdot/macslash/signine passwords are all the same. Then on my home computers, my passwords are the same, but different from webpages, and my school passwords are all the same/related but only used there.

At least I feel safe, but I had someone hack me before, without the root password.

Just on a poke guess....

[Kjella]

Based on the fact that we're somewhere around breaking RSA-576 and RC5-72. If we assume proportionality:

576 (asymmetric) / 72 (symmetric) = 8
1024 (asymmetric) / x (symmetric) = 8 => x=128

So I'm guessing it's about 2^(128-72) = ~10^16 times safer. Which should be enough for a while too, but not quite that long.

Kjella

P2P?

[Trejkaz]

Why don't we just build the gigantic reverse lookup table into a P2P network? I mean, we already have a mechanism for searching for hashes, the content of each of the 'files' could just be the original password used to generate the hash.

Dying

[RedHat_Linux_Man]

Looks like its the crypt for crypt() I couldn't resist, someone had to say it.

307 billion crypt hashes!?!

[El]

Damn! That must take more memory to store than the average slashdotter's mp3 and porn collections combined!

Well...

Maybe if they were running Gentoo it would have taken 60 minutes instead. :-)

Re:Proof that this was MEANT to happen! :-P

[Wyzard]

Must've been. Look at the terminology for processes: parents have to wait for their children to die and then reap them, so they don't become zombies.

It's actually "daemon", not "demon", but that reminds me of a funny story. You know how when an email bounces, the returned message often comes from "mailer-daemon" at whatever domain your message was addressed to? Back when I was in high school, I once heard a teacher who was checking his mail exclaim, "mailer demon???", clearly thinking (at least until he read the text of the bounce message) that some sort of devilish creature was interfering with the delivery of his email.

Or even easier...

[Trejkaz]

Simply walk out the building with the entire mainframe!

woo hoo! slashdotted again! =)

[kendoka]

We are bad@$$! I want a t-shirt that says, "I've been slashdotted." How much geek-cachet would that have? =)

I wrote the MD5 based crypt() for a reason...

[phkamp]

Back in 1994 I wrote the MD5 based crypt() which it seems almost everybody has adopted from FreeBSD by now: *BSD, Linux/GLIBC, Cisco and appearantly even Solaris.

The important properties of a good crypt() algorithm are still:

1. Input password is not length or charset restricted.

2. The algorithm is complex enough to not lend itself easily to hardware implementations (FPGAs etc).

3. The Salt is big enough that precomputing dictionaries is not feasible.

You will notice that apart from #1, these are not quantified, DES-based crypt() fulfilled #2 and #3 back in its days, but no longer does so. In a similar way, some day we will declare my MD5 based password scrambler as failing one or both of those criteria because password scrambling is not a case of finding "the" algorithm and putting a checkmark in the box, it needs to on periodically evaluated and improved every decade or so.

That is why I put the $1$ prefix on my MD5-based crypt(), so that you can update to a better algorithm when you need to. OpenBSD has already added a couple of stronger SHA based algorithms ($2...) and more can be added in the future.

In the absense of any other "IANA" for this, I would appreciate if you would register your "magic strings" with me so we don't have collisions.

If you're still using DES-based crypt(), switch to MD5 based crypt() now. Don't wait any longer, you are already 9 years late (IMO).

It's even "free as in free beer" :-)

Re:I wrote the MD5 based crypt() for a reason...

[Darren.Moffat]

Yes Solaris does have it. When I integrated it into Solaris (along with help from Alec Muffett & Casper Dik) we made it a pluggable framework by building on the data format you created - thank-you for having the foresight to use the $ char as a "magic" switch.

Details of the pluggable framework with a policy that allows for automigration on password change are available here: crypt.conf and policy.conf

Solaris source code is NOT needed to add new algorithms all code that uses crypt(3c) should continue to work. Code that changes passwords should use crypt_gensalt(3c) to create the salt.

Re:I wrote the MD5 based crypt() for a reason...

god bless phk
md5 crypt > des crypt
phkmalloc > dmalloc
pkh > *

Re:I wrote the MD5 based crypt() for a reason...

[jonabbey]

Solaris source code is NOT needed to add new algorithms all code that uses crypt(3c) should continue to work.

That's presuming that the code is using the new generalized crypt functions, yes? I would assume that older code would be prone to having custom code to extract the salt from the hash, hash the plaintext, and do the comparison. That salt extraction would obviously not be portable to md5Crypt if it had been done in a naive fashion.

I would expect modern Solaris code that uses PAM modules for authentication would work, though.

Re:I wrote the MD5 based crypt() for a reason...

[Dr.Ruud]

Phil Zimmermann says this about MD5:

"The message digest algorithm used by older versions of PGP is the MD5 Message Digest Algorithm, placed in the public domain by RSA Data Security, Inc.

MD5 is a 128-bit hash algorithm. In 1996, MD5 was all but broken by a German cryptographer, Hans Dobbertin. Although MD5 was not completely broken at that time, it was discovered to have such serious weaknesses that no one should keep using it to generate signatures. Further work in this area might completely break it, allowing signatures to be forged.

If you don't want to someday find your PGP digital signature on a forged confession, you might be well advised to migrate to the new PGP DSS keys as your preferred method for making digital signatures, because DSS uses SHA as its secure hash algorithm." [page 234 of the pdf which comes with PGP 6.5.1. int]

Re:I wrote the MD5 based crypt() for a reason...

[phkamp]

While there has been raised some doubt about how hard it is to produce collisions in MD5-like algorithms, I still don't think anybody has publized a single collision in the actual MD5 algorithm and certainly not a same-length collision.

MD5-crypt() is iterative in various fancy ways (see the source), so your chances of exploiting a single known MD5-collision to trespass that way are still zero.

You would need a very significant weakness in MD5 before it would help you against MD5-crypt().

There is a difference between being prudent and paranoid, if Phil really said that, it sounds like he's on the wrong side of the line.

Poul-Henning

Re:I wrote the MD5 based crypt() for a reason...

[Dr.Ruud]

PZ's text is also on page 45 of IntroToCrypto.pdf

Re:I wrote the MD5 based crypt() for a reason...

[lemonjelo]

For those interested in the gory details, A Future-Adaptable Password Scheme by Neils Provos and David Mazieres goes into great detail about the approach taken with OpenBSD. I don't know about the others out there today but one of the nice things with this approach is that the number of rounds can be increased as processors become faster. On each machine one can choose how much processing time should be taken at a login prompt essentially.

Re:I wrote the MD5 based crypt() for a reason...

[Darren.Moffat]

The function signature, and return values for crypt(3c) did not change.

For salt generation, ie on password change, a new API crypt_gensalt(3c) was added. All places in Solaris (there was actually only 2 of them, one in pam_authtok_store.so the other in rpc.nispasswdd) were changed to use crypt_gensalt(3c) instead of manually generating the old to char salt.

Yes anything using PAM for authentication and password change works without change. We highly recommend the use of PAM rather than calling crypt(3c) directly.

heh

[Trejkaz]

You're lucky, to me the whole article was a bit cryptic.

man fork

The loop of the parent process will execute exactly once. It will execute one more time in the child, thereby making it a parent and terminating it too. How can you call that "as many children as possible"?
And what do you mean by "each program forks as many children as possible and then exits" ? When, "then"?

Re:man fork

I assume the poster meant something more like:

while (fork() != -1);

Whether it really is a better forkbomb, I don't know. I prefer a payload myself.

Now available for holiday shoppers:

[stienman]

"Using SDSC's prodigious computing facilities, they precomputed 207 billion crypt() hashes in 80 minutes

and are now offering the results on DVD for only $19.99! Call now, operators are standing by!

-Adam

felony?

All slashdot members: 3. The reckless disruption or denial of services to any authorized user (Class 4 felony = 2.5 years/$150,000).

storm in a teacup

[jethroT]

Practically this doesn't change anything. Crack was available for a long time, and any cracker who gets access to a password file has the time to run crack on it. If it takes a day or two usually doesn't matter at all. In the end a password is dead if crack can find it, otherwise not.

crypt collision (was Re:A testament to crypt()

Actually, the words were "$C4U1N3$" and "SEEKETH." (note the "." in the second). Also note these are with a hash of "1/"; I spent some time confused with they didn't match with a hash of "Ch", which is what I thought you were implying. So you'd see "1/ChERhgHoo1o" in a password file.

$ perl -le 'print crypt "SEEKETH.","1/"'
1/ChERhgHoo1o
$ perl -le 'print crypt '"'"'$'C4U1N3R"'"',"1/"'
1/ChERhgHoo1o

Where is the Torrent!!

[Kent+Recal]

Can't they set up a torrent?
Someone bring me that file, I pay for the 300 DVD-Rs
+ shipping!

Fine

while (fork() || !fork())

Death to crypt()! Long live stupid passwords!!!!

[Proudrooster]

As long as people continue to use easy to guess passwords and protocols like POP3 which send clear text passwords, it just doesn't matter what algorithm you use to encode or encrypt passwords. It's just another example of the screen door on the submarine with the really expensive titanium lock.

Mark my words boy, and mark them well "SECURITY IS AN ILLUSION!" When is the last time you changed your password?

Impenetrable crypt()gram

[God+Hates+Liberals]

Ahhh wh111o n333eeded cr5421ypt an%%yway?

Re:Yes.

[Lord+Bitman]

Don't you understand how computers WORK?

We don't need no stinkin' teraflop boxes !

How to crack a (user) account with a 386SX machine in 5 minutes... :-)

Mail to: cluelessstudent@uni.edu
From (spoofed): sysadmin@uni.edu
Reply-to: (some obscure e-mail address - preferably not hotmail or yahoo, because of possible limitations on the degree of cluelessness of the target student)

Text: "Your account has been compromised. Ugly gruesome child porn trading, nuclear weapon smuggling, MP3 downloading, Al Qaeda financed Elbonian hackers have exploited the nfs system to remotely mount the storage device containing the shadow password file(BOFH DRONE MODE ON for a few lines). Please change your password to "12345678" AS SOON AS POSSIBLE. Failure to do so may result in widespread damage to the computers, exclusion from university, seven-digits fines, lifelong emprisonment and various kind of gory sexual diseases."

Plus details about how to change their password.

Obviously the problem with this attack is that it can not be used as a root exploit (well except maybe in some specific organizations...)

Technologies come and go. Social engineering remains. Never underestimate the power of Mighty Cluelessness.

Well....

[Snaller]

(PDF, HTML version via Google).
..., then we know that there is at least one thing Google can't do.

what if my hard password has an easy equivalent?

[ectoraige]

I just had a thought.
Given the nature of hashes, where it is possible for more than one input to result in the same hash, wouldn't it be really annoying if my password of
'Th!$,1sA]T0&gh(Pa^S$WoRd~9' came to the same hash as 'secret'.

Are there any statistical or other methods which can be employed to determine the likelyhood of your strong
password matching a simple one>

Re:Proof that this was MEANT to happen! :-P

[Tony+Hoyle]

Deliberate misspelling :)

Years ago someone told me that they spelled it daemon because the fundamentalists went nuts when they tried to spell it demon. No idea of the truth of that though.

USENIX -login: has a summary

[Frisky070802]

I just received the 12/03 issue of the USENIX ;login: member newsletter, and it has a writeup on this paper, plus many other articles in a special issue on security.

Unfortunately, it doesn't go online for about a month, and even then, you'll need a member password to view it online, but I imagine enough /. readers have access to ;login: to make it worthwhile to point this out.