Early versions of the free/open Unix variant BSD came with password files that included hashed passwords for such Unix luminaries as Dennis Ritchie, Stephen R. Bourne, Eric Schmidt, Brian W. Kernighan and Stuart Feldman.
Leah Neukirchen recovered a BSD version 3 source tree and posted about it on the Unix Heritage Society mailing list, revealing that she was able to crack many of the weak passwords, which were protected by an equally weak hashing algorithm from those bygone days.
Dennis MacAlistair Ritchie’s was “dmac”, Bourne’s was “bourne”, Schmidt’s was “wendy!!!” (his wife’s name), Feldman’s was “axlotl”, and Kernighan’s was “/.,/.,”.
Four more passwords were cracked by Arthur Krewat: Özalp Babaoğlu’s was “12ucdort”, Howard Katseff’s was “graduat;”, Tom London’s was “..pnn521” and Bob Fabry’s was “561cml..”. Ken Thompson’s, cracked by Nigel Williams, was “p/q2-q4!” (descriptive chess notation for a common opening move: pawn from queen-two to queen-four).
BSD 3 used Descrypt (the traditional DES-based crypt(3)) for password hashing, which truncates passwords to eight characters and uses a salt of only 12 bits.
Descrypt limits passwords to just eight characters, a constraint that makes it all but impossible for end users to choose truly strong credentials. And the salt Descrypt uses provides just 12 bits of entropy, the equivalent of two printable characters. That tiny salt space makes it likely that large databases will contain thousands of hash strings that attackers can crack simultaneously, since the hash strings use the same salt.
Jeremi M. Gosney, a password security expert and CEO of the password-cracking firm Terahash, told Ars that Descrypt is so weak and antiquated that one of his company’s 10-GPU Inmanis appliances (price: almost $32,000) could besiege a Descrypt hash with 14.5 billion guesses per second (the rigs can be clustered to achieve faster results). The speed of just one rig is enough to brute force the entire Descrypt keyspace—which, due to practical limitations, was about 2^49 in 1979—in less than 10 hours, and even less time when using cracking tools, such as wordlists, masks, and mangling rules. This site will also crack a Descrypt hash for as little as $100.
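The two weaknesses above, the eight-character truncation and the 12-bit salt, are visible from the shape of a Descrypt hash string alone. The following is an added example (not code from the TUHS thread or the Ars article) that audits a passwd file in the V7/3BSD layout: it recognises traditional DES hashes, decodes the 12-bit salt from the first two characters, flags users whose hashes share a salt (one DES computation then tests a guess against all of them at once), and turns a keyspace and a guess rate into an estimated brute-force time. The passwd lines and hash strings are constructed for the example and are not the recovered hashes.

```python
"""Audit a legacy /etc/passwd for traditional DES (descrypt) hashes.

Added example; not code from the TUHS thread or the Ars article. It does not
implement DES itself: it inspects hash strings by shape, extracts the 12-bit
salt, groups users that share a salt, and estimates brute-force effort for an
8-character keyspace at a given guess rate.
"""
import re
from collections import defaultdict

# Alphabet crypt(3) uses for salt and hash characters (6 bits per character).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# A descrypt hash is 13 characters: 2 salt characters + 11 hash characters.
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample in the V7/3BSD passwd layout. The hash strings are
# invented base-64 strings, NOT the real hashes from the recovered file.
SAMPLE_PASSWD = """\
root:Xq9sGZhtVjDpQ:0:0:Super User:/:/bin/sh
dmr:gfVwhuAMhRnZa:21:3:Dennis Ritchie:/usr/dmr:/bin/sh
bwk:gfAfJLknbx7Ye:22:3:Brian Kernighan:/usr/bwk:/bin/sh
ken:YwP0eQH.kSbFs:23:3:Ken Thompson:/usr/ken:/bin/sh
guest::50:50:No Password:/usr/guest:/bin/sh
uucp:*:4:4:Locked:/usr/spool/uucp:/bin/sh
"""


def parse_passwd(text):
    """Return (user, password_field) pairs; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        entries.append((fields[0], fields[1]))
    return entries


def is_descrypt(h):
    """True if the password field has the shape of a traditional DES hash."""
    return bool(DESCRYPT_RE.match(h))


def salt_bits(h):
    """Decode the 12-bit salt stored in the first two characters of a hash."""
    return ITOA64.index(h[0]) | (ITOA64.index(h[1]) << 6)


def classify(entries):
    """Split entries into descrypt hashes, empty passwords and locked/other."""
    report = {"descrypt": [], "empty": [], "other": []}
    for user, h in entries:
        if h == "":
            report["empty"].append(user)
        elif is_descrypt(h):
            report["descrypt"].append((user, h))
        else:
            report["other"].append((user, h))
    return report


def shared_salts(entries):
    """Map salt -> users whose descrypt hashes share it.

    With only 4096 possible salts, collisions are common in large files; each
    guess hashed under a shared salt is tested against every user in the group.
    """
    groups = defaultdict(list)
    for user, h in entries:
        if is_descrypt(h):
            groups[h[:2]].append(user)
    return {salt: users for salt, users in groups.items() if len(users) > 1}


def descrypt_keyspace(alphabet_size, max_len=8):
    """Number of candidate passwords of length 1..max_len (descrypt ignores
    anything past the eighth character, so longer guesses are pointless)."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def brute_force_hours(keyspace, guesses_per_second=14.5e9):
    """Hours to exhaust a keyspace at the quoted single-rig descrypt rate."""
    return keyspace / guesses_per_second / 3600


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    report = classify(entries)
    print("descrypt hashes:", [u for u, _ in report["descrypt"]])
    print("empty passwords:", report["empty"])
    print("locked/other   :", [u for u, _ in report["other"]])
    for salt, users in shared_salts(entries).items():
        print(f"salt {salt!r} (value {salt_bits(salt + 'x' * 11)}) shared by {users}")
    print(f"2^49 keyspace at 14.5e9/s: {brute_force_hours(2 ** 49):.1f} hours")
    print(f"95-char alphabet, 8 chars: {brute_force_hours(descrypt_keyspace(95)):.1f} hours")
```

Run against the constructed sample, `shared_salts` reports that `dmr` and `bwk` share the salt `gf`, and `brute_force_hours(2 ** 49)` comes out at about 10.8 hours, matching the "less than 10 hours" order of magnitude once masks and wordlists replace exhaustive search. `descrypt_keyspace(95)` (full printable ASCII) is roughly 2^52.6, a few times larger than the 2^49 figure quoted for 1979; an alphabet of about 70 characters gives 2^49, which is the kind of practical limit the article alludes to.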
Re: [TUHS] Recovered /etc/passwd files [Leah Neukirchen/The Unix Heritage Society mailing list]
Forum cracks the vintage passwords of Ken Thompson and other Unix pioneers [Dan Goodin/Ars Technica]
(via Four Short Links)