9 Dec 2016 : Cracking PwdHash
On Wednesday Graham Rymer and I presented our work on cracking PwdHash at the Passwords 2016 conference. It's the first time I've done a joint presentation, which made for a new experience. It was also a very enjoyable one, especially having the chance to work with such a knowledgeable co-author.
The work we did allowed us to search for the original master passwords that people use with PwdHash. These are the passwords used to generate the more complex site-specific passwords handed to websites, and which may then have been exposed in hashed form by recent password leaks. We were surprised both by the number of master passwords we were able to find and by the speed with which hashcat was able to eat its way through the leaked hashes.
Running on an Amazon EC2 instance, we were able to work through the SHA1-hashed LinkedIn.com leak at a rate of 40 million hashes per second. In total we were able to recover 75 master passwords from that leak, as well as further master passwords from the Stratfor.com and Rootkit.com leaks.
Feel free to download the paper and presentation slides, or watch the video captured during the conference (unfortunately there's only audio with no video for the first segment).
Here are a few of the master passwords Graham was able to recover from the password leaks.
| Domain | Leaked hash | Password |
|---|---|---|
| Stratfor | e9c0873319ec03157f3fbc81566ddaa5 | frogdog |
| Rootkit | 2261bac1dfe3edeac939552c0ca88f35 | zugang |
| Rootkit | 43679e624737a28e9093e33934c7440d | ub2357 |
| Rootkit | dd70307400e1c910c714c66cda138434 | erpland |
| LinkedIn | 508c2195f51a6e70ce33c2919531909736426c6a | 5tgb6yhn |
| LinkedIn | ed92efc65521fe5074d65897da554d0a629f9dc7 | Superman1938 |
| LinkedIn | 5a9e7cc189fa6cf1dac2489c5b81c28a3eca8b72 | Fru1tc4k3 |
| LinkedIn | ba1c6d86860c1b0fa552cdb9602fdc9440d912d4 | meideprac01 |
| LinkedIn | fd08064094c29979ce0e1c751b090adaab1f7c34 | jose0849 |
| LinkedIn | 5264d95e1dd41fcc1b60841dd3d9a37689e217f7 | |
I'll leave it as an exercise for the reader to decide whether these are sensible master passwords or not.