![]() ![]() This means that 24 million (~16%) were passwords that didn't correspond to a pattern that he was able to deduce. In the end, he was able to crack over 122 million passwords out of the 146 million hashes he started with. Most of the blog post is the technical details of the settings he used for the cracking programs to have them look for various patterns to find passwords. The hashing programs can be given instructions of what patterns to try so that he doesn't have to specify "flower1", instead he tells the program "look for 'flower' followed by from one to 4 digits" He combines patterns with dictionaries too, so he might try "flower" out of the dictionary and then try flower1, flower2, etc. ![]() To try every possible combination of letters, numbers and symbols in a password would be very slow, so he uses a process where he tries to predict patterns that he thinks are likely. The rest of the article explains the various ways he used two cracking tools (oclHashcat-plus and John the Ripper) along with his graphics accelerator card to perform the cracking process. He discusses some preparation of the raw hash files to make them a little easier for the next work. ![]() The first paragraph or so (before the "Dealing with the hashes" heading) are just the summary of what he was trying to accomplish: Determine the password that corresponds to each of the hashes he had obtained from a publicly posted file of 144 million hashes. You can't do this just against a website login directly, someone has to have already stolen the hash list from the site. If you take a guess, hash it, and it matches some hash you already had, it means you now know what password produces that hash and can use it to log in. "Cracking Hashes" or "Cracking Passwords" - The process of making guesses of possible passwords, hashing them, and then seeing if they match an existing hashed value. If it matches, they know you typed in the password correctly. When you try to log in, you type in your password, they hash it, and compare to the hash they have on file for you. (Technically there are other non-one-way definitions of hashes, but everything you see here is talking about one-way hashes, such as MD5, SHA1, SHA256, etc.) Often, websites and the like will store your password as a hash instead of storing the real password. ![]() You can't go directly backwards and convert the hashed value back into its original. Prerequisite Knowledge: Hash - A method to convert a string into a random-looking string. (I left out some details since you want the layman's explanation) ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |