Vavada - это онлайн-казино, предоставляющее широкий выбор азартных игр, включая слоты, рулетку, блэкджек и другие. Vavada привлекает игроков разнообразными бонусами и акциями.

I Swear I’ll Get This Post Written By the Time I Crack Your Password

Posted on by Georgia Weidman

When did password cracking get so hard? Remember LM hash? Obsolete since Windows NT, until Windows Vista it was on by default for backward compatibility. Even back in the day an external hard drive easily had enough room for a full set of rainbow tables and generating them only took a few days at most, depending on your computer speed. That is to say, brute forcing was actually possible. Even your moderately security conscious types who actually paid attention to complexity rules could fall victim to a password attack if their account was on any machine with LM hashes turned on.

Now it’s all NTLM hashes in the Windows world, and frankly brute forcing NTLM just isn’t feasible for your average me. The basic weaknesses in LM hashes such as 7 character chunks and all caps are no longer present. I was going to write some sort of analogy for how much space you would need to store just rainbow tables for alpha numeric characters with a maximum length of 10, but it started to give me a headache and I stopped. This leaves me with the word list option, to make an educated guess about what the password might be over and over again until either I am successful or I get a job as a street musician.

It’s been 15 years since Hackers the movie came out, and love, sex, secret, and god, won’t get you as far as they used to in password guessing. On a domain and even locally, administrators can set complexity and length requirements for passwords. Additionally user awareness is up. No doubt Password1 will still get you a few accounts within an organization, but more users, particularly the IT people, the ones with administrator accounts, are moving to the $frdh$OI!6G@ side of the spectrum (The downside of this of course is that $frdh$OI!6G@ is probably on a post-it somewhere). With letter, number, and symbol rainbow tables, I could crack $frdh$OI!6G@ in LM hash effortlessly, but it’s not going to be in any wordlist anywhere.

So why do I want to crack your password anyway? Password hashes are pretty well protected. If I can get the hashes, chances are I’ve successfully compromised the machine in question. However the one thing no hashing algorithm or security policy can fix is a user’s propensity to use the same password for multiple accounts. If I have the plaintext of your password for one machine or domain, it is very likely I will be able to authenticate on another.

It seems like dumping hashes isn’t as exciting as it used to be. I guess someone is doing something right.