[Beowulf] Password mining
Robert G. Brown
rgb at phy.duke.edu
Fri Feb 1 16:42:26 PST 2019
On Fri, 1 Feb 2019, Jonathan Engwall wrote:
> Hello,Just the other night I saw an article about crypto theives breaking
> passwords based on many people using the same password.
> The idea being to access many accounts at once. Did anyone else see this?
> My bank says they might be having a system wide error.
There is an ancient Unix/Linux application called "crack" (it's still in
at least Fedora, if not all the rest). At this point it is usually used
by sysadmins to run on their password file to detect terrible passwords
when users pick easily crackable ones. One part of the (rather
intelligent -- written by generations of mostly-white hat wizards)
program checks for common passwords, unchanged passwords (like
changeme), and then runs the entire dictionary(s) with all reasonable
permutations of things like S -> 5, E -> 3, L -> 1.
This works great for cracking password files with the encrypted strings,
but network cracking is a bit more complex. There one doesn't have the
encrypted passwords and most interfaces where you can enter a password
only take X attempts and then do anything from lock down the account to
shut down the entry window for X seconds. They also are s l o w. So
one can test only a tiny handful of passwords before being flagged,
blocked, shut out, and so on. Hence (I'm sure) they concentrate on only
the most likely of stupid possibilities -- your own name, your own name
backwards, your birthday. Crack actually allows you to generate
statistics over time so you can identify the "best of the worst" lists.
Here's one:
https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
rgb
> Jonathan Engwall
>
>
Robert G. Brown http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567 Fax: 919-660-2525 email:rgb at phy.duke.edu
More information about the Beowulf
mailing list