[Beowulf] Password mining

Robert G. Brown rgb at phy.duke.edu
Fri Feb 1 16:42:26 PST 2019

On Fri, 1 Feb 2019, Jonathan Engwall wrote:

> Hello,Just the other night I saw an article about crypto theives breaking
> passwords based on many people using the same password.
> The idea being to access many accounts at once. Did anyone else see this?
> My bank says they might be having a system wide error.

There is an ancient Unix/Linux application called "crack" (it's still in
at least Fedora, if not all the rest).  At this point it is usually used
by sysadmins to run on their password file to detect terrible passwords
when users pick easily crackable ones.  One part of the (rather
intelligent -- written by generations of mostly-white hat wizards)
program checks for common passwords, unchanged passwords (like
changeme), and then runs the entire dictionary(s) with all reasonable
permutations of things like S -> 5, E -> 3, L -> 1.

This works great for cracking password files with the encrypted strings,
but network cracking is a bit more complex.  There one doesn't have the
encrypted passwords and most interfaces where you can enter a password
only take X attempts and then do anything from lock down the account to
shut down the entry window for X seconds.  They also are s l o w.  So
one can test only a tiny handful of passwords before being flagged,
blocked, shut out, and so on.  Hence (I'm sure) they concentrate on only
the most likely of stupid possibilities -- your own name, your own name
backwards, your birthday.  Crack actually allows you to generate
statistics over time so you can identify the "best of the worst" lists.
Here's one:



> Jonathan Engwall

Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu

More information about the Beowulf mailing list