recentpopularlog in

kme : cracking   18

SHA-1 collision attacks are now actually practical and a looming danger | ZDNet
should switch to (in order of preference):

* BLAKE2b / BLAKE2s
* SHA-512/256
* SHA3-256
* SHA-384
* Any other SHA2-family hash function as a last resort

"...unless they're storing passwords! In which case, they should switch to (in order of preference):

* Argon2id with memory >= 32MiB, >= 2 rounds, and >= 2 parallelism
* scrypt / yescrypt with memory >= 32 MiB, >= 4 rounds, and >= 1 parellelism
* bcrypt (for PHP devs, password_hash() and password_verify() does the trick)
* PBKDF2-SHA512 with 85,000 iterations as a last resort

"But SHA1 should no longer be used anymore. No excuses," Arciszewski
sha1  cracking  crypto  hashing  algorithms  advice 
may 2019 by kme
FSU technology cracks, fixes passwords - Florida State University News
Currently, the most common password generation method is based on a set of rules. For example, existing technology advises users to create passwords with a minimum of eight characters and contain a capital letter and/or special symbol.

This method may seem effective; however, these rules can make passwords difficult to remember.

“Two components to a strong password are to make it easy to remember and hard to crack,” Aggarwal said. “If our system can successfully crack a password, it will propose a password similar to the one submitted but with slight format variations, making it easier to remember.”
password  security  cracking 
may 2017 by kme
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica
In fact, there's almost nothing preventing crackers from deciphering the hashes. LivingSocial used the SHA1 algorithm, which as mentioned earlier is woefully inadequate for password hashing. He also mentioned that the hashes had been "salted," meaning a unique set of bits had been added to each users' plaintext password before it was hashed. It turns out that this measure did little to mitigate the potential threat. That's because salt is largely a protection against rainbow tables and other types of precomputed attacks, which almost no one ever uses in real-world cracks. The file sizes involved in rainbow attacks are so unwieldy that they fell out of vogue once GPU-based cracking became viable. (LivingSocial later said it's in the process of transitioning to the much more secure bcrypt function.)
hacking  cracking  security  passwords 
january 2015 by kme
Passware Password Recovery Kit Forensic
Supposedly this broke TrueCrypt (on a Firewire drive)
bruteforce  cracking  password  recovery  forensics  sofware 
december 2013 by kme

Copy this bookmark:





to read