Previously on "Self 'salting' your same password across different sites"


  • Incognito
    replied
    Originally posted by Sysman:
    You missed the point. Anyone with a will to do this can rent a service for a few bucks.

    You don't need an outlay of thousands to get cracking, so many are at it.

    Thanks for the link, but I decided about a decade ago that 8 character passwords were too vulnerable.
    No, you missed the point. You're trying to compare someone hacking his neighbour's wifi with someone being able to brute-force the NTLM key space at length 8 within 12 hours. You do that when you're pen testing organisations, not trying to hack your neighbour's wifi. A use case would be identifying weak passwords as part of a security audit so that you can force the user to reset them.

    The use case you presented can be done using BackTrack and a good word list.



  • Sysman
    replied
    Originally posted by Incognito:
    Lol, how much do you think Cloudcracker costs to run as a going service.

    The chap I linked to built the box himself and has it running in his office.
    You missed the point. Anyone with a will to do this can rent a service for a few bucks.

    You don't need an outlay of thousands to get cracking, so many are at it.

    Thanks for the link, but I decided about a decade ago that 8 character passwords were too vulnerable.
    Last edited by Sysman; 7 September 2012, 19:18.



  • Incognito
    replied
    Originally posted by Sysman:
    Lol, how much do you think Cloudcracker costs to run as a going service.

    The chap I linked to built the box himself and has it running in his office.



  • Sysman
    replied
    Originally posted by Incognito:
    Chap has built a machine, Project Erebus, that is capable of cracking the whole key space for any upper, lower, special, or digit password at length 8 for NTLM within 12 hours. Details are on the website above. It only cost around $12K - so it doesn't cost much to crack passwords these days.
    And far cheaper than $12K. How I cracked my neighbor's WiFi password without breaking a sweat

    Using the Silica wireless hacking tool sold by penetration-testing software provider Immunity for $2,500 a year, I had no trouble capturing a handshake established between a Netgear WGR617 wireless router and my MacBook Pro, then uploaded the pcap files to CloudCracker, a software-as-a-service website that charges $17 to check a WiFi password against about 604 million possible words. Within seconds both "secretpassword" and "tobeornottobe" were cracked. A special WPA mode built in to the freely available oclHashcat Plus password cracker retrieved the passcodes with similar ease.
    So I got the permission of one of my office neighbors to crack his WiFi password. To his chagrin, it took CloudCracker just 89 minutes to crack the 10-character, all-numerical password he used, although because the passcode wasn't contained in the entry-level, 604 million-word list, I relied on a premium, 1.2 billion-word dictionary that costs $34 to use.



  • Mose
    replied
    Definitely wrap your modem in tinfoil, and take the phone jack out when not in the house.



  • Incognito
    replied
    Originally posted by d000hg:
    Have you got any links to back up the claim the nasty people do this kind of stuff as standard? No doubt as/if people get better at passwords, they would start having to get good results
    Pedantic mode - what you're suggesting isn't technically 'salting'.

    I would recommend taking a look at the following blog entries:

    You expect me to remember that? Part 1
    Profiling your hashlist, and targeting with mask attack.

    Chap has built a machine, Project Erebus, that is capable of cracking the whole key space for any upper, lower, special, or digit password at length 8 for NTLM within 12 hours. Details are on the website above. It only cost around $12K - so it doesn't cost much to crack passwords these days.



  • d000hg
    replied
    Those things you suggest are fairly simple, but I'd always figured these automated systems relied on the fact people don't do this and pick the easiest fruit. After all it probably multiplies by a significant factor how many different hashes you'd need in your table.

    Have you got any links to back up the claim the nasty people do this kind of stuff as standard? No doubt as/if people get better at passwords, they would start having to get good results



  • Gentile
    replied
    Originally posted by d000hg:
    I had this idea a while back as a way to let you use the same password on different sites without compromising security.

    My thought was to 'salt' your same password, based on the name of the website. e.g. instead of just using 'password' I'd use 'passwordcontractoruk' on CUK, 'passwordgoogle' for google, 'passwordnpower', etc, etc.

    It's very easy to remember and would be proof against automated attacks which get your plaintext password for one site and try on others. Also it makes breaking your password hash harder since the hashed string is less common.

    Of course a human inspecting your password could guess what's going on but in my mind, that's not how these things work. Or is it? Could anyone who knows about this stuff comment on the idea - is there a glaring problem I missed or a bad assumption?
    Unfortunately it's a commonly-known practice. It's as predictable as the way most people capitalise the first letter of their password and add an increasing integer suffix each month (e.g., "Password1", "Password2") when they're forced to set a 'new' password with an enforced 'complexity policy' by corporate IT network administrators.

    Similarly, people think they're being clever when they '5ub5t1tute' predictable letters for numbers in passwords. In reality, it's such a common tactic that most penetration testers have rainbow tables already pre-calculated with those sorts of substitutions built in, so if they get a hold of your hash it's easy to crack single words obfuscated in that way.

    And finally, it's amazing how many websites out there still aren't using best practice, and are storing the plaintext of a password rather than its hash/cyphertext. It only takes one of those sites to be compromised or to have dishonest or disgruntled staff, and if you've been predictable about how you've set passwords across sites that can reveal how to access more sensitive sites that you care more about, such as your bank or e-mail.

    One of the best ways to safeguard each site is to condense them into a short, easily-memorable, relevant-to-site phrase. E.g., for the Tesco site above you might have "WhereIGetMyShopping". If you want to add extra security against brute force attacks using the likes of rainbow tables, you could also add a non-alphanumeric character after the second or third word (so it appears in an unpredictable place in the string, but a place that is easily-memorable to you). You can do that by holding down 'Alt' and typing a four-digit number (maybe a memorable date such as '1066', or just something that makes an easily-memorable pattern on the numeric keypad), then letting go of Alt. That'll insert some rarely-used Greek or Symbol character, making brute-force attacks all but impossible. The key thing, though, is that using those methods gives little away about the passwords you use on other sites ("MyGodಠಠTheirWebDesignIsAwful" for JobServe, and "BunchOf■RobbingBastards" for your bank).



  • kingcook
    replied
    I use a different username and password for all websites.

    Username generated with the likes of Username Generator - Random Username Generator

    Password generated with a small program I wrote myself, although there are password generator websites out there. Password is a load of random crap including punctuation symbols.



  • DaveB
    replied
    Originally posted by d000hg:
    I had this idea a while back as a way to let you use the same password on different sites without compromising security.

    My thought was to 'salt' your same password, based on the name of the website. e.g. instead of just using 'password' I'd use 'passwordcontractoruk' on CUK, 'passwordgoogle' for google, 'passwordnpower', etc, etc.

    It's very easy to remember and would be proof against automated attacks which get your plaintext password for one site and try on others. Also it makes breaking your password hash harder since the hashed string is less common.

    Of course a human inspecting your password could guess what's going on but in my mind, that's not how these things work. Or is it? Could anyone who knows about this stuff comment on the idea - is there a glaring problem I missed or a bad assumption?
    It's an approach that's been around for a long time, and yes in principle it is a good idea. However the bad guys take this into account and will use common patterns to modify rainbow tables and other brute force source files to include common website names and variations. "mypasswordcuk" is probably safe as it's pretty low profile in the scheme of things and unlikely to figure on the list of variations to be tried; "mypasswordebay" or "mypasswordpaypal" is probably less so. Unique, strong passwords that don't share a format are still the safest for the sites you really care about.
    Last edited by DaveB; 6 September 2012, 09:03.



  • Ketchup
    replied
    I use something similar. As I am a member of numerous forums and messageboards, remembering numerous passwords can be a nightmare, so I add a 3 letter salt to the password indicating the site, e.g. this one is cuk.

    I do not use it for anything that can be used to steal my identity (facebook, twitter, email, banking etc).



  • BrilloPad
    replied
    I have forwarded your post onto the central Russian crackers society. They said you will be safe to use it this week - but by next week they will have closed the loophole.



  • d000hg
    started a topic: Self 'salting' your same password across different sites

    I had this idea a while back as a way to let you use the same password on different sites without compromising security.

    My thought was to 'salt' your same password, based on the name of the website. e.g. instead of just using 'password' I'd use 'passwordcontractoruk' on CUK, 'passwordgoogle' for google, 'passwordnpower', etc, etc.

    It's very easy to remember and would be proof against automated attacks which get your plaintext password for one site and try on others. Also it makes breaking your password hash harder since the hashed string is less common.

    Of course a human inspecting your password could guess what's going on but in my mind, that's not how these things work. Or is it? Could anyone who knows about this stuff comment on the idea - is there a glaring problem I missed or a bad assumption?
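As an added example that is not part of the thread, the Python below contrasts d000hg's base-plus-site-name scheme with a keyed per-site derivation (PBKDF2-HMAC-SHA256 with a master secret as key material and the site name as salt), which is what DaveB's and Gentile's objections point towards: a leaked password from one site should give away nothing about the others. All function names and sample values are constructed for the demonstration.

```python
# Added example, not code from the thread. Function names and sample values
# are constructed; the derivation uses only the standard library.
import base64
import hashlib
from typing import Optional


def naive_site_password(base: str, site: str) -> str:
    """The thread's scheme: one shared base password plus the site name."""
    return base + site


def derived_site_password(master: str, site: str, length: int = 20,
                          iterations: int = 200_000) -> str:
    """Derive a per-site password with PBKDF2-HMAC-SHA256.

    The master secret is the key material and the (lower-cased) site name is
    the salt, so each site's output is unrelated to every other site's and to
    the master itself. Base64 maps the bytes to printable characters without
    bias, six bits per symbol.
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site.lower().encode("utf-8"), iterations, dklen=32)
    return base64.b64encode(key).decode("ascii")[:length]


def embeds_site_name(password: str, site: str) -> bool:
    """Audit check: does the password contain the name of the site it is for?
    This is the pattern DaveB and Gentile say wordlists already account for."""
    return site.lower() in password.lower()


def base_recoverable_from(password: str, site: str) -> Optional[str]:
    """If a leaked password follows the naive scheme, the shared base falls out
    by stripping the site name; the base then unlocks every other site."""
    if password.lower().endswith(site.lower()):
        return password[:len(password) - len(site)]
    return None


if __name__ == "__main__":
    # Constructed sample values.
    leaked = naive_site_password("password", "ebay")
    print("naive:", leaked, "-> base recovered:", base_recoverable_from(leaked, "ebay"))
    for site in ("ebay", "paypal", "contractoruk"):
        pw = derived_site_password("correct horse battery", site)
        print(f"derived {site:13s} {pw}  embeds site name: {embeds_site_name(pw, site)}")
```

The derived scheme still has the master secret as a single point of failure, so it belongs behind a strong master passphrase exactly as a password manager's vault does.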
