Nmap Development mailing list archives
Re: Gawker hacked: Another trove of password data
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 14 Dec 2010 01:15:04 +0000
On Mon, 13 Dec 2010 05:26:11 +0000 Brandon Enright <bmenrigh () ucsd edu> wrote:
On Sun, 12 Dec 2010 17:07:15 -0800 or thereabouts Fyodor <fyodor () insecure org> wrote:
It looks like they are probably using crypt(), but I'm not certain. The readme.txt says it is DES based and only allows up to 8 characters, and the hashes are 13 chars long, so it seems like crypt().
[...]
Brandon wrote
[...]
Unfortunately for us, both of these hashes are salted and pretty slow. bcrypt() is so slow it makes cracking an exercise in futility. I don't think we will be able to crack a big enough percentage of them to use them as a source of statistics.
Just as a follow-up note, even though they are using bcrypt() as well as crypt(), every account that has a bcrypt() hash also has a crypt() hash. Of course this is as dumb as Microsoft's choice to store LM and NTLM hashes at the same time. There are 748081 users with crypt() hashes and 195178 of those also have bcrypt() hashes. With crypt(), there's a chance we'll crack enough of these to use them for password statistics.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
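
An added example, not part of the original message: a check a defender could run over their own credential store to find accounts in the state described above, where a bcrypt hash is stored beside a leftover 13-character DES crypt() hash. The row layout, function names and sample values are assumptions constructed for illustration.

```python
import re

# Traditional DES crypt(): 2 salt characters + 11 hash characters = 13.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# bcrypt: "$2a$"-style prefix, 2-digit cost, then 22-char salt + 31-char hash.
BCRYPT = re.compile(r"\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}")

def classify(value):
    """Name the hash scheme from the stored string's shape, or None if empty."""
    if not value:
        return None
    if BCRYPT.fullmatch(value):
        return "bcrypt"
    if DES_CRYPT.fullmatch(value):
        return "des_crypt"
    return "unknown"

def audit(rows):
    """Group users by which schemes are stored for them.

    rows: iterable of (user, stored_value, ...) tuples; any number of
    hash columns per user is accepted (hypothetical layout).
    """
    report = {"des_only": [], "both": [], "bcrypt_only": [], "other": []}
    for user, *values in rows:
        kinds = {classify(v) for v in values} - {None}
        if {"des_crypt", "bcrypt"} <= kinds:
            report["both"].append(user)  # weak hash still stored beside bcrypt
        elif kinds == {"des_crypt"}:
            report["des_only"].append(user)
        elif kinds == {"bcrypt"}:
            report["bcrypt_only"].append(user)
        else:
            report["other"].append(user)
    return report

# Constructed sample rows: (user, legacy column, current column).
SAMPLE_ROWS = [
    ("alice", "ab" + "X" * 11, None),
    ("bob", "cd" + "Y" * 11, "$2a$10$" + "A" * 53),
    ("carol", None, "$2b$12$" + "B" * 53),
    ("dave", "", "plaintext?"),
]

if __name__ == "__main__":
    for bucket, users in audit(SAMPLE_ROWS).items():
        print(f"{bucket}: {len(users)} {users}")
```

Accounts in the "both" bucket are the ones to fix first: the legacy column should be cleared once the bcrypt hash is in place.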
Current thread:
- Gawker hacked: Another trove of password data Fyodor (Dec 12)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 12)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 13)
- Re: Gawker hacked: Another trove of password data Matthew Finkel (Dec 13)
- Re: Gawker hacked: Another trove of password data Henri Doreau (Dec 16)
- Re: Gawker hacked: Another trove of password data Teófilo Couto (Dec 16)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 13)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 12)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 16)
- Re: Gawker hacked: Another trove of password data Florian Roth (Dec 17)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 17)