Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 21 Aug 2015 23:13:20 +0200
From: Albert Veli <albert.veli@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Anyone looked at the Ashley Madison data yet?

Nope, it's not 5 character minimum. I did an experiment on the 1000 first
hashes yesterday. One of the passwords was 123.

On Fri, Aug 21, 2015 at 6:21 PM, JimF <jfoug@....net> wrote:

> On Thu, 20 Aug 2015 06:15:00 -0500, François <francois.pesce@...il.com>
> wrote:
>
> Hello guys, @JokFP here.
>>
>> I've got ~300 passwords cracked after 12 hours using single mode cracking.
>> It's not great, but I'm really not spending much CPU money on it.
>>
>
> Here is a quick 'survey'.  I simply took the first 265k hashes, and
> and started a forked check using just a few passwords.  One thing
> is obvious, 5 byte password length is minimum (I have validated this
> by logging into the AM site, and it is 5 char min).
>
>
> 1 908g 0:17:07:12 DONE (2015-08-21 10:49) 0.01473g/s 0p/s 2.635c/s
> 2.635C/s password
> 2 932g 0:17:07:12 DONE (2015-08-21 10:49) 0.01512g/s 0p/s 2.631c/s
> 2.631C/s 12345
> 6 944g 0:17:07:12 DONE (2015-08-21 10:49) 0.01531g/s 0p/s 2.630c/s
> 2.630C/s 123456
> 3 59g 0:17:07:12 DONE (2015-08-21 10:49) 0.000957g/s 0p/s 2.639c/s
> 2.639C/s qwert
> 4 0g 0:17:07:12 DONE (2015-08-21 10:49) 0g/s 0p/s 2.642c/s 2.642C/s asdf
> 5 38g 0:17:07:12 DONE (2015-08-21 10:49) 0.000616g/s 0p/s 2.638c/s
> 2.638C/s asdfg
>
> This data is about 60% done (should be 28-29 hours total).
>
> So I would expect 1500 from each:  password 12345 123456
> That is about 2% or so, just for those 3 passwords.
>
> I also saw lots of cracks in -single mode. However, the first thing that
> should be done, even prior to -single, is to simply test the exact user
> name against just the hash.  -single tests quite a bit, and there is a TON
> of GECOS data which could be built for this leaked file for a single mode,
> but bcrypt-12 is SOOOOOO slow.
>
> They are smart at AM, that they used such a strong key stretched hash.
> That should reduce the broken logins to only users stupid enough to
> use data that -single cracks, or passwords in the top of the top
> list.  Now, someone could easily target a single account, and then all
> bets are off. The speed is still slow, but a dedicated attack with
> enough CPU will break many targeted accounts. And since all the user
> info was leaked, wow!  Angry wives should be able to get in if they
> want to and know how to use tools.  Glad I have nothing to worry about
> myself from that site.
>
> One thing I have also seen, is it may be best to do a -fork and
> OMP_NUM_THREADS=1 when using -single mode, since it keep the number of
> candidates and targets minimized. All work will be against only the hash
> that 'should' get the work done for it  (up to a point).  This hash is
> SO slow, that every option to try only the RICHEST set of candidates has
> to be done.
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.