flat assembler
Message board for the users of flat assembler.

what kinda password should we use now?

sleepsleep
Joined: 05 Oct 2006
Posts: 8903
http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/

Quote:

In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.


Quote:
In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other Linux-based operating systems was forced to acknowledge that the hashing function is no longer suitable for production use - a victim of GPU powered systems that could perform “close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,” he wrote. Gosney’s cluster cranked out more than 70 times that number - 77 million brute force attempts per second against MD5crypt.
Post 05 Dec 2012, 13:04

JohnFound
Joined: 16 Jun 2003
Posts: 3500
Location: Bulgaria
Longer passwords and modern slow-to-compute hashes are the answer. A well-designed system is still far from "easy to hack" IMHO.

Of course rubber-hose cryptanalysis can crack every hash and every password without GPUs and supercomputers. :P
Post 05 Dec 2012, 13:39

TmX
Joined: 02 Mar 2006
Posts: 821
Location: Jakarta, Indonesia
The longer, the better. Make sure to use a combination of upper and lower case, numbers, and non-alphanumeric characters.

And I think it would be better not to rely on the password itself. Probably by also using biometrics or a smartcard, for example.
Post 05 Dec 2012, 13:49

JohnFound
Joined: 16 Jun 2003
Posts: 3500
Location: Bulgaria
Ah, you suggest we force the hacker to use a chopper instead of a rubber hose? :D
Post 05 Dec 2012, 14:01

AsmGuru62
Joined: 28 Jan 2004
Posts: 1409
Location: Toronto, Canada
A good password does not use anything from dictionaries.
Something like this: 7gA-!5@jQ9!s&tyS (<-- that has to be copy/pasted into the password box!)

What is most disturbing is that with that many hashes per second collisions are possible: it may not be your exact password, but it has the same hash and your account is cracked!
Post 05 Dec 2012, 14:12

uart777
Joined: 17 Jan 2012
Posts: 369
Z77 encryption algorithm, not easy to hack (rol 3 confuses hackers)...

Code:
; $$$$$$$$$$$$$$$ Z77 ASM LIBRARY $$$$$$$$$$$$$$$$
; *************** SUNGOD SOFTWARE ****************
; ?????????????????? CRYPT.INC ???????????????????

; a basic encryption scheme that features
; password protection and is customizable
; for greater security

; randomize all bits

macro b.encrypt {
rol cl, 3         ; rotate bits left 3
xor cl, 10101010b ; jumble bits
not cl            ; invert
}

macro b.decrypt {
not cl            ; invert
xor cl, 10101010b ; jumble bits
ror cl, 3         ; rotate bits right 3
}

; randomize all bytes. e: 1=encrypt, 0=decrypt

function crypt, p, n, e
locals i
let eax=[p]
.loop [i]=0 to [n]
  let cl=[eax]
  .if [e]
    b.encrypt
  .else
    b.decrypt
  .end
  let [eax]=cl, eax++
.endl
endf

; xor all bytes with unique password

function crypt.p, p, n, password
locals i, ps
let eax=[p], [ps]=[password]
.loop [i]=0 to [n]
  @@:
  let cl=[eax],\
  edx=[ps], [ps]++, ch=[edx]
  .if not ch
    let [ps]=[password]
    jmp @b
  .end
  xor cl, ch
  let [eax]=cl, eax++
.endl
endf

; randomize then xor with password

macro encrypt p, n, password {
crypt p, n, 1
crypt.p p, n, password
; <... edit ...>
}

macro decrypt p, n, password {
; <... edit ...>
crypt.p p, n, password
crypt p, n, 0
}    


Think you can hack my personal data? Think again :)
Post 05 Dec 2012, 18:52

matefkr
Joined: 02 Sep 2007
Posts: 1291
Location: Ukraine, Beregovo
We should use a password which changes depending on the point in time.
Post 05 Dec 2012, 19:21

uart777
Joined: 17 Jan 2012
Posts: 369
matefkr: Yes, but it's difficult to crack when you apply this algorithm first:

Code:
rol cl, 3         ; rotate bits left 3 
xor cl, 10101010b ; jumble bits 
not cl            ; invert    
Post 05 Dec 2012, 19:24

f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
/me can't tell if uart777 is trolling... or insanely high.
Post 05 Dec 2012, 20:11

OzzY
Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
We need a combination of voice, eye iris, fingerprint IN THE EXACT ORDER.

For example, my password could be:

1) Left hand thumb fingerprint.
2) Right eye iris.
3) Right hand thumb fingerprint.
4) Left eye iris.
5) Spoken word "FASM" with a custom voice only I can do.

Anyone who shows different fingerprints, a different iris, a different word or a different voice timbre, or even a different order of presentation, is an invalid password.

Try to crack that now! :D
Post 05 Dec 2012, 23:49

HaHaAnonymous
Joined: 02 Dec 2012
Posts: 1180
Location: Unknown
[ Post removed by author. ]


Last edited by HaHaAnonymous on 28 Feb 2015, 22:12; edited 2 times in total
Post 05 Dec 2012, 23:58

uart777
Joined: 17 Jan 2012
Posts: 369
f0dder: You're funny! :) How am I trolling if I post useful code? My only intention is to HELP ASM programmers :)
Post 06 Dec 2012, 02:58

asmhack
Joined: 01 Feb 2008
Posts: 431
Code:
1a^B2# ;- A simple 6 char pass.    

Code:
qwerty ;- Your pass.    

Code:
1a^B2#heartk0rE$!:/ ;- A gpu rdy pass..    

Code:
http://board.flatassembler.net/post.php?mode=editpost&p=150557 ;- A pass you can't recall xD    
Post 06 Dec 2012, 04:15

Coty
Joined: 17 May 2010
Posts: 546
Location: ␀
OzzY wrote:
We need a combination of voice, eye iris, fingerprint IN THE EXACT ORDER.

For example, my password could be:

1) Left hand thumb fingerprint.
2) Right eye iris.
3) Right hand thumb fingerprint.
4) Left eye iris.
5) Spoken word "FASM" with a custom voice only I can do.

Anyone who shows different fingerprints, a different iris, a different word or a different voice timbre, or even a different order of presentation, is an invalid password.

Try to crack that now! :D


> Sore throat, won't log in
> bloodshot eyes from flu/hangover/lack of sleep/being high, won't log in
> sand some wood via hand sander, too much friction wears down your fingerprints' detail... won't log in...

Have fun ;)
Post 07 Dec 2012, 16:39

Enko
Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
If eyes, fingers nor voice works; rectum recognition system should have a chance!
(only if you're not constipated)

Definitely a good idea for bizarre spy movies ;)
Post 07 Dec 2012, 21:30

OzzY
Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
Anything that increases security will have an impact on usability.

I didn't say it would work all the time. I said it was secure. :D
Post 08 Dec 2012, 17:37

Goplat
Joined: 15 Sep 2006
Posts: 181
uart777: If you think this method is strong, how about posting a text file encrypted with it and letting us try to crack the password/contents? :)
Post 09 Dec 2012, 16:48
View user's profile Send private message Reply with quote
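
The strength question raised in the last post can be checked from the posted source alone. The following Python model of the Z77 routines is an added example, not code from the thread or from the Z77 library: the function names, sample password and sample message are constructed, it assumes the loops process exactly n bytes, and it leaves out the steps elided as "<... edit ...>".

```python
# Added example: a Python model of the Z77 routines posted above, used to
# check what protection the scheme gives. All names here are hypothetical.

def rol8(b, n):
    """Rotate an 8-bit value left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def b_encrypt(b):
    """b.encrypt: rol cl,3 / xor cl,10101010b / not cl."""
    return (~(rol8(b, 3) ^ 0b10101010)) & 0xFF

def b_decrypt(b):
    """b.decrypt: not cl / xor cl,10101010b / ror cl,3."""
    return rol8((~b & 0xFF) ^ 0b10101010, 5)   # ror 3 == rol 5 on 8 bits

def xor_password(data, password):
    """crypt.p: XOR every byte with the password, restarting at its end."""
    return bytes(d ^ password[i % len(password)] for i, d in enumerate(data))

def encrypt(data, password):
    """encrypt macro: keyless byte transform, then the password XOR."""
    return xor_password(bytes(b_encrypt(b) for b in data), password)

def decrypt(data, password):
    """decrypt macro: password XOR, then the inverse byte transform."""
    return bytes(b_decrypt(b) for b in xor_password(data, password))

def keyless_stage_is_fixed_table():
    """The first stage uses no key: it is one public 256-entry substitution,
    and xor 0xAA followed by not collapses to a single xor 0x55."""
    return all(b_encrypt(b) == rol8(b, 3) ^ 0x55 for b in range(256))

def keystream_from_known_plaintext(plaintext, ciphertext):
    """With any known plaintext the password bytes fall out directly:
    key[i] = b_encrypt(plaintext[i]) XOR ciphertext[i]."""
    return bytes(b_encrypt(p) ^ c for p, c in zip(plaintext, ciphertext))

# Constructed sample data (not from the thread).
SAMPLE_PASSWORD = b"hunter2"
SAMPLE_PLAINTEXT = b"Subject: quarterly report\r\n"
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_PLAINTEXT, SAMPLE_PASSWORD)

if __name__ == "__main__":
    print(keyless_stage_is_fixed_table())
    print(keystream_from_known_plaintext(SAMPLE_PLAINTEXT[:9], SAMPLE_CIPHERTEXT))
```

The rotate/xor/not stage contains no secret, so the scheme reduces to repeating-key XOR, and any stretch of known plaintext at least as long as the password exposes it. Protecting data with a password calls for a slow key-derivation function feeding a vetted authenticated cipher, not a byte-wise transform.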

Copyright © 1999-2020, Tomasz Grysztar.