nanog mailing list archives

Re: gmail security is a joke


From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 27 May 2015 16:20:33 -0400

On Wed, May 27, 2015 at 01:51:35PM -0400, Barry Shein wrote:
> Getting a copy of the database of hashes and login names is basically
> useless to an attacker.

Not any more, if the hash algorithm isn't sufficiently strong:
        
        25-GPU cluster cracks every standard Windows password in <6 hours
        http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

Quoting:

        "Gosney used the machine to crack 90 percent of the 6.5 million
        password hashes belonging to users of LinkedIn."

Consider as well that not all attackers are interested in all accounts:
imagine what this system (or a newer one, this is 2.5 years old) could
do if focused on only one account.

And of course epidemic password reuse means that cracked passwords
are reasonably likely to work at multiple sites.

And even if passwords aren't reused, there have now been so many
breaches at so many places resulting in so many disclosed passwords
that a discerning attacker could likely glean useful intelligence
by studying multiple password choices made by a target.  (We're all
creatures of habit.)

---rsk
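An added example, not part of the thread, illustrating the point above about hash strength: the same user table stored with an unsalted single-round hash versus a salted, iterated KDF, plus a simple cost model for how salt and iteration count change what a leaked hash database is worth. The iteration count, guess rate and user records are assumed values constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor; tune so one verification costs ~100-250 ms on your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

def fast_unsalted_hash(password: str) -> str:
    # One SHA-1 per guess, no salt: identical passwords give identical digests,
    # so a single successful guess unmasks every user who chose that password.
    return hashlib.sha1(password.encode()).hexdigest()

def slow_salted_hash(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    # Per-user random salt plus a high iteration count: each guess costs
    # `iterations` HMAC rounds and must be repeated separately for every user.
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_slow_salted(password: str, stored: str) -> bool:
    # Recompute from the stored parameters; constant-time compare avoids a timing leak.
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def duplicate_password_groups(records):
    # Audit helper: with an unsalted hash, shared passwords are visible in the
    # leaked table before any cracking happens. Returns digest -> [users].
    groups = {}
    for user, digest in records:
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}

def keyspace_exhaust_seconds(keyspace: int, users: int, guesses_per_sec: float,
                             iterations: int = 1, salted: bool = True) -> float:
    # Cost model: an unsalted hash lets one guess be checked against every
    # user's digest at once; a salt forces the work to be repeated per user,
    # and each iteration multiplies the cost of a single guess.
    per_user = users if salted else 1
    return keyspace * per_user * iterations / guesses_per_sec

if __name__ == "__main__":
    # Constructed sample records, not data from any real breach.
    table = [(u, fast_unsalted_hash(p)) for u, p in
             [("alice", "Summer2015"), ("bob", "Summer2015"), ("carol", "correct horse")]]
    print("shared passwords visible without cracking:", duplicate_password_groups(table))
    print("fast/unsalted, 1e9 guesses, 1000 users:",
          keyspace_exhaust_seconds(10**9, 1000, 1e9, salted=False), "s")
    print("salted PBKDF2, same keyspace:",
          keyspace_exhaust_seconds(10**9, 1000, 1e9, PBKDF2_ITERATIONS), "s")
```

The model is deliberately coarse (it ignores early termination and GPU-specific throughput of PBKDF2), but it shows why the salt and the work factor, not the secrecy of the table, are what make a leaked database "basically useless".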