From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id 5ac28a05 for ; Sat, 5 Oct 2019 17:50:01 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id DE77F9BCC1; Sun, 6 Oct 2019 03:49:59 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id E221D9B8F0; Sun, 6 Oct 2019 03:49:41 +1000 (AEST) Authentication-Results: minnie.tuhs.org; dkim=pass (1024-bit key; unprotected) header.d=kilonet.net header.i=@kilonet.net header.b="A4rPcGI5"; dkim-atps=neutral Received: by minnie.tuhs.org (Postfix, from userid 112) id C16F99B8F0; Sun, 6 Oct 2019 03:49:40 +1000 (AEST) Received: from p3plsmtpa07-04.prod.phx3.secureserver.net (p3plsmtpa07-04.prod.phx3.secureserver.net [173.201.192.233]) by minnie.tuhs.org (Postfix) with ESMTPS id 3CD79948D7 for ; Sun, 6 Oct 2019 03:49:40 +1000 (AEST) Received: from medusa.kilonet.net ([72.69.223.115]) by :SMTPAUTH: with ESMTPA id GoBXixPiwNgL6GoBXicRku; Sat, 05 Oct 2019 10:49:39 -0700 Received: from [199.89.231.101] (ender.kilonet.net [199.89.231.101]) by medusa.kilonet.net (8.14.8/8.15.1) with ESMTP id x95HncVD007184 for ; Sat, 5 Oct 2019 13:49:38 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kilonet.net; s=default; t=1570297778; bh=4hTBdhfWLhGn379zT1COZGBdEqiR0Aynb+7NXOlcB3M=; h=Subject:To:References:From:Date:In-Reply-To; b=A4rPcGI5lGyQ86GquWoSeVwN2PemgBVx3neENiA8JuDyWQmxklFHvhpvEFdY3gWNU oOeH4mIQH+tHIR57nA4hRfPARWDygLV4lESXNWe73GeD23RZ1kjPVMfOVq0RUXJQ6I 0GmiU2bXB00EbmBWhJOWlA3IH9drYRl3mWBGxjh0= To: tuhs@minnie.tuhs.org References: <6dceffe228804a76de1e12f18d1fc0dc@inventati.org> <20191005172944.GI20298@localhost> From: Arthur Krewat Message-ID: Date: Sat, 5 Oct 2019 13:49:27 -0400 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0 MIME-Version: 1.0 In-Reply-To: <20191005172944.GI20298@localhost> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-CMAE-Envelope: MS4wfG724mNpnHUOqf7O7N/M8dZRjb4j7bIveMCpRkoUtihwAAUSFrQcdBn73jFDlEEWapuuyIDxUX99ydWIkkUk47vV5kpAg+0vMSvWrRSgbzVcyXExQ2qh KloqMQYt+uGM+3rWgVM5NVwMAk2ON6ZVEv0kRhuoI4qKjquATwsPbl22V3T4g0MjcU3dYk44hfQBpw== Subject: Re: [TUHS] Recovered /etc/passwd files X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" I cracked a root password for a certain system, back in the ARPANET days. If memory serves, it was 5 characters. I was able to get my hands on the crypt() source, and figure out that the first part of it was intentionally "lengthy" and it just pre-computed a bunch of stuff on purpose. At least, that's my memory of it at the time. I was able to separate that precompute part, and then loop through all combinations further down the crypt() function. Made it a lot faster. Was able to crack a 5-character password in less than a week (or maybe it was a few days) on a VAX-11/750. Of course, it was a simple password consisting of lower-case alpha and no numerics. I think the first letter of the password was "b" which helped a lot ;) Nowadays, run hashcat on an HPC cluster and you can break a lot of stuff... art k. On 10/5/2019 1:29 PM, Michael Kjörling wrote: > On 3 Oct 2019 18:51 +0000, from finnoleary@inventati.org (Finn O'Leary): >> password was something interesting like './,..,/' (it was entirely >> punctuation characters, was around three different characters in total, and >> was pretty damn short). > I'm a bit late to the party here (it's been a crazy week for me and > I'm only just now starting to catch up), but don't forget that hashed > Unix passwords back then were limited to eight bytes (actually I > believe the hard limit was 64 bits' worth of password, so if your > system used less than 8 bits per character, you could theoretically > cram more _characters_ into the password, but not more _entropy_, > which topped out at 2^64 no matter what you did, and in practice a > fair bit less because you wanted to be able to type it in). > > Of course, this wasn't a problem in practice when even just hashing a > single candidate password took noticable fractions of a second. At 100 > ms per hash, while you could exhaustively search the lower > alphanumerics four characters space within about two days (my > calculator says 1.944 * 86400 seconds for that) if you could hog the > computer for everyone, by the time you got to six characters the same > search would take almost 7 years, and eight characters the better part > of 9000 years (assuming you kept running it on the same hardware for > the duration). > > Adding uppercase A-Z alongside lowercase a-z and 0-9 increases the > exhaustive search time even for the four characters password space to > about 17 days at 100 ms per hash. So with no additional information > for an attacker, even a [a-zA-Z0-9]{4} password was tolerably secure, > and a [a-zA-Z0-9]{5} one was more than good enough if you changed it > once a year (would take about three years to crack at 100 ms/hash). > > William Cheswick mentioned 8e9 hashes per second. While that sounds > low for good ol' Unix crypt() to me, at that rate, an exhaustive > search of [a-z0-9]{8} would take about 353 days, again according to my > calculator. [a-z0-9]{4} would finish in about 18 seconds. My _guess_, > without having looked up current numbers, is that these figures are at > least some two orders of magnitude too high given modern hardware. > Just look at EFF's good ol' Deep Crack. > > I wasn't really around much at the time, but if _The Cuckoo's Egg_ is > to be believed, the bigger problem was that people in general weren't > any better at choosing good passwords (or keeping them secret) back > then than they are today. That honestly wouldn't particularly surprise > me. Technology advances, but people remain largely the same? >