Cracking passwords

I'm writing a novel. It doesn't really focus on Jow Forums stuff, but the plot needs one or two details to be correct.

Can 10+ digit passwords actually be cracked?
Or would you essentially need to spy on the user until they enter the password (with keylogging, packet analysis)?
Even then, there are some passwords that ask for specific numbers or letters from the sequence of the password, third, seventh, tenth, for example, and ask for a different set the next time. That would necessitate something like a month of spying, and that assumes the order of the sequence can actually be reconstructed.

What I'm asking boils down to this: how advanced is consumer cryptography?

And as a follow-up, how do I hack into the mainframes, and are fingerless gloves essential to the process? Will I need sunglasses to stop the green text from blinding my eyes when it projects onto my face?


>Can 10+ digit passwords actually be cracked?
Depends on hashing algorithm. Some garbage like md5 can be bruteforced pretty fast. If that password is a normal word/phrase, even with modification like p4as$w0rd it also can be bruteforced with dictionary pretty fast for any algo.

Forgot to add - this is about restoring hash, not about bruteforcing login. You can't bruteforce into os since it has delay on incorrect attempts.

im currently running hashcat at home, 10 chars is a bit long, but it shouldnt take too much time, especially if the algorithm is old

restoring a hash is completely possible, used hashcat on my 1080 using the password list from the linkedin hack and unlocked secured pdfs i needed for work in ~15mins.

idk what kind of timeframe your characters are working with, and i'd say unless you get familiar with the tools yourself you should stray away from in depth details to reduce looking like a fool, but if you're gonna have the password written out in the book make sure its dictionary attackable, so a word with leetspeak and altcaps maybe with numbers and or symbols on the end, very easy to crack. "Ba53b41L17!" would probably be crackable within an hour with the right dictionaries and filters, idr if they're called filters but its regular expressions that can replace L's with 1s and alternate caps and shit like that.

also try to pick an older well known algo, skein256 is not a good choice if you want the characters to crack the password, too new. md5 is too easy and no one uses it, sha-1 is probably a good choice but most services also salt their hashes, what are your characters actually trying to get into? also no one uses mainframes anymore, i can sense thats a joke but please dont put that in your story, theyre number crunchers exclusively

Only if op could use google...

howsecureismypassword.net/


you'd have to assume the victim is really stupid and technologically illiterate, no way around it

Does that website also guess your personality type?

No but these two do:

4degreez.com/misc/personality_disorder_test.mv

123test.com/career-test/


This is how password cracking usually goes:
You find a hole in the service you're trying to hack and find a database table of users and passwords.
- If the password is saved in plaintext, there you go
- If the password is encoded, for example in base64, decode it
- If the password is hashed but not salted, run a dictionary attack against it. Or if you have password hints available, find out if other users have the same hash and compare hints. You also limit your guesses to what the site requires for passwords: "must contain numbers and special characters etc etc"
- You know a weakness in the crypto that'll let you reverse the hashing (you're basically NSA)
Dunno about salted hashes.

And how password stealing usually goes:
- You snoop the user's network and the user sends their password without SSL.
- You operate a network and force users to accept your SSL certificates so that you can do the above even if the user is using SSL.
- You infect the user's machine with a keylogger.
- You find a security hole in the service that lets you inject a keylogger to the login page.
- You've done any of the above to obtain a password, now you can try it on other services the user has accounts on. An email account should let you reset passwords on most other services.
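
Added example, not part of any post in this thread: what a per-user salt and a slow hash change about the "hashed but not salted" case in the list above, where users with the same password end up with the same stored hash. It uses Python's standard `hashlib`; the function names, the sample accounts and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware

# Constructed sample accounts: two users happen to choose the same password.
USERS = {"alice": "Ba53b41L17!", "bob": "Ba53b41L17!", "carol": "correct horse"}


def unsalted_md5(password):
    """The weak scheme from the list above: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, deliberately slow hash. Returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


def users_sharing_a_hash(stored):
    """Return groups of users whose stored hash value is identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables():
    """Store the same sample accounts under both schemes."""
    unsalted = {u: unsalted_md5(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, users sharing a hash:", users_sharing_a_hash(unsalted))
    print("salted, users sharing a hash:  ", users_sharing_a_hash(salted))
```

With a unique salt per account, a precomputed table of hashes no longer matches anything in the database, and the iteration count makes every single guess cost the full key derivation.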

Passwords only start to get safe around 16 characters or more. If you have access to the machine.

Over the internet you can easily limit the password attempts. And it all goes way too slow to brute force non-standard passwords.

>Even then, there are some passwords that ask for specific numbers or letters from the sequence of the password
As in:
>Enter your password (with an "x" in the third position)?
I can't think of a good way to implement this that wouldn't drastically weaken the security of the password.
Is accurate, with the exception that if the database isn't salted I'd attack it with rainbow tables

Google was recently hacked because you could get into the system through an open proxy they used for employers.

*employees
The guy submitted the bug report though. So nothing was stolen.

Lol. This is fucking genius. They are literally getting retards to build a password database for them.

You can read the js code. It is all only in your browser.

And there are so many leaked databases on torrents that nobody has need to "steal" additional passes like this.

>Can 10+ digit passwords actually be cracked?
Depending on the salting and hashing used, the computing power used for cracking, and the time spent on the crack, yes.

It would be interesting to do a meta-analysis of hashing algorithms. You usually see "it would take 10,000 years of CPU time to crack this hash", but it's likely that after a decade someone will have come up with a better attack, and at some point quantum computing screws up everything.
What I'm saying is, a brute force attack might take forever, but before a brute force attack completes, someone will invent a way to go faster than brute force.
So I'm curious how do you go from something like into "This password stored with a modern hash will probably be broken in N years"

MD5 can be cracked with rainbow tables.
For AES you need a keylogger, or physical access to the target's RAM.
You can try sniffing the packets directly from the target's internet connection, for example hijacking the target's ISP emitter, or using a wifi sniffer like the ones that Google vans use to collect data from your neighborhood's wifis, but it can be still useless if the connection is encrypted, like with a VPN. You would need to find what encryption method the VPN uses and then try to find a solution for that.
There is also SSL but it isn't as secure as people think, once you find the key that the certificate used, you can decrypt it easily, if the certificate owner left the keys somewhere on the server which the target is connecting to, you only need to find them. Also this is how small sites comply with police's investigations, they hand over the famous SSL keys.
Help yourself with wikipedia and stackoverflow to find the technical details about the things mentioned above.

There are also wireless CPU sniffers, the Israeli police made one in 2014 or 2015, it analyzes the changes in temperature around the air of the CPU or something like that, it was tested through a brick wall with around 2 meters distance in between, if I remember well.

If you have the password hashes from a database or harddrive you can use a rainbow table (a database of hashes of common passwords) or if you guess the password is [a-zA-Z0-9_-$#@] hashcat will crack it using CPU or graphics card.

If it's a network password nmap scripting can attempt to brute force.

If it's a website with get queries like google you can use tools that test for sql injection vulnerability (rare these days) if it's a cgi website you can try shell script injection.

How to crack any password 101

>Find password holder
>Apply chloroform rag
>Toss in van
>Apply pliers until password is cracked

The old fashioned method

This sounds like 100% bullshit

I'm sure they can detect computers by thermal imaging. I don't see what that has to do with cryptography, though. It doesn't get you much further than "yep, he's got a laptop."

>light up the stove
>"sheit boys he got a computer hacking into our mainframe, breaching unit activate!"

eprint.iacr.org/2014/190.pdf
Something like that works by looking at the timing of when a CPU is working full power and when it isn't. Proper implementations actually run dummy ops to prevent this kind of side-channel and other timing attacks