Originally posted by Sysman
View Post
-
Even that has been addressedOriginally posted by NickFitz View Post
It gets worse when the guy starts using GPU processing. Worth a read.One issue becomes apparent: about half the file has had the first 5 characters zeroed out. This is discussed at ycombinator. Atom has released a version of his Hashcat password cracker to deal with this. John-the-Ripper apparently also has published a patch for this.
...
So let's try the other file containing the corrupted hashes using the updated Hashcat feature on the other file, containing all the zeroed-out hashes.
As you can see, this straight dictionary lookup results in 688-thousand passwords being cracked, or about one fifth of all the zeroed hashes.Leave a comment:
-
They need some rather large rainbow tables to do that.Originally posted by Doggy Styles View Post
On the other hand one of the reports I read last week cited a >30 GB (compressed size) set of tables out there somewhere.
I have a feeling that checksums will give collisions so that my-extravagantly-long-password will give the same checksum as something-shorter.
Details of the LinkedIn Hash Brute-Force
LinkedIn was using the SHA-1 digest for passwords, so the folks looking to reverse the passwords are using the following brute-force to match the posted hash:
echo -n "password" | openssl dgst -sha1
If you want to determine if your password was in one of the dumps, that's how. Match the SHA-1 hash that was generated from that sequence against one in the dump, and your password was in that dump.
...
And SHA-1 is intended to be fast to calculate; it's not a good general choice for hashing passwords.
And the GPU-based attacks are gonzo fast, based on the timestamps on some of the follow-up postings related to the original password dumps.Leave a comment:
-
Hairy arsed bloke isn't there any moreOriginally posted by doodab View Post
Anyone heard from him? Is he OK? His fanclub miss him!Leave a comment:
-
I only really use it for finding people with comedy names. I see MF really has taken a job in the states:
randy gaylord profiles | LinkedInLeave a comment:
-
They can just look it up.Originally posted by OwlHoot View PostMy linkedin password is about 30 characters long now, with numbers, symbols, upper & lowercase etc.
I'd like to see hackers figure out that one with a dictionary search
Leave a comment:
-
My linkedin password is about 30 characters long now, with numbers, symbols, upper & lowercase etc.
I'd like to see hackers figure out that one with a dictionary search
Leave a comment:
-
Does doodab use halfwit@hotmail.com then?Originally posted by Diver View PostYou can't now
I knew your email address so I simply hijacked your accountLeave a comment:
-
wtf? really? I already reset my password.Originally posted by doodab View Post
I think I will sign in and delete my account you ******* half witted protomonkeys.Leave a comment:
-
Security is paramount
The security of your account is very important to us at LinkedIn. As a precaution, we disabled your password, and advise you to take the following steps to reset it. If you reset your password in the last two days, there is no need for further action.
1. Type www.linkedin.com/settings directly into your browser
2. Type in your email address and press Sign In, no password necessary
3. Follow the on-screen directions to reset your password
I think I will sign in and delete my account you ******* half witted protomonkeys.
Leave a comment: