How Complex Passwords Get Cracked (and lifehacking poetry, 3D printing disc keys, peer to peer disaster management)

Good article on cracking complex passwords. In a nutshell, clever intuition on the part of the password-cracking-machine operator and advanced guessing strategies make cracking seemingly-secure passwords quite possible.

Everything from “tmdmmj17” to “Sh1a-labe0uf” and “qeadzcwrsfxv1331” got cracked, using techniques like automatically substituting numbers for letters and concatenating words from different “password dictionaries” of commonly used passwords.

Before someone goes and quotes “horse battery staple” at me: the experts cite the concatenating “combinator attack” as one way to attack those kinds of passwords.

I’d also note that any password based on a visualized image is BAD: among other reasons, when you try to translate image into password a year from now, you may not remember the exact “translation rules” you originally used. (The quoted cracker mis-remembered it as “batteryhorsestaple.”) The strongest password in the world is no good if you get locked out.

Lifehacking and poetry:

I was staring at a poem and I realized something — the rhythmic interruption of poetry may represent a kind of brain wave entrainment, putting the reader or listener into a lightly altered state of consciousness “synced” to that of the poet who wrote it. This would in turn reinforce the poet’s intent.

There’s a fair degree of research suggesting this actually works: the Bulgarian/”European mystery school”-derived “suggestopedia” enhanced-placebo super-learning system used rhythmic interruptions of sentences combined with Baroque music (Vivaldi) to produce extremely rapid/effective learning.

Oddly enough “suggestopedia” was parodied in an episode of The Prisoner (“The General”) two years before the technique was publicly known in the West.

3D printing disc keys:

It looks like I missed another update on the 3D printing keys thing… back in 2011 they were already as far as 3D printing keys for disc (Abloy-style) locks — in this case the Abus Plus. As it turns out the tolerances can be much sloppier for disc lock keys, because the rounded sidebars will push the discs into place as long as you get it mostly right.

Peer to peer disaster management:

Some of you may have heard about the widespread flooding in Europe. The residents of Dresden came up with a neat solution to keeping the waters at bay… turn it into a city-wide party! Everyone grabs a beer and hangs out making new friends until the sandbag truck shows up, at which point beers get put down and sandbags are filled and placed like mad until the supplies are gone. Party resumes.

Same goes for people who need help getting themselves and their belongings out of flood-threatened zones… social media pages sprang up for them to post their needs, and within an hour trucks of helpers would just show up and do the job. Presumably if things got more extreme ham radio types would step up to replace the Internet.

(Corporations, on the other hand, did their part elsewhere by promising “unbureaucratic help” and then requiring flood victims to present proof of absolutely everything.)

It’s worth noting that Dresden as a city is uniquely qualified in disaster management even by destruction-heavy German historical standards: the WWII firebombing and near total destruction of the refugee-packed city by US and British forces evidently left a lasting memory of how to go about dealing with extreme adversity.

Sources, some in German:

” We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.[…]

Early in the process, Steube couldn’t help remarking when he noticed one of the plains he had recovered was “momof3g8kids.”

“This was some logic that the user had,” Steube observed. “But we didn’t know about the logic. By doing hybrid attacks, I’m getting new ideas about how people build new patterns. This is why I’m always watching outputs.”

The specific type of hybrid attack that cracked that password is known as a combinator attack. It combines each word in a dictionary with every other word in the dictionary. Because these attacks are capable of generating a huge number of guesses—the square of the number of words in the dict—crackers often work with smaller word lists or simply terminate a run in progress once things start slowing down. Other times, they combine words from one big dictionary with words from a smaller one. Steube was able to crack “momof3g8kids” because he had “momof3g” in his 111 million dict and “8kids” in a smaller dict.

“The combinator attack got it! It’s cool,” he said. Then referring to the oft-cited xkcd comic, he added: “This is an answer to the batteryhorsestaple thing.”

What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as “k1araj0hns0n,” “Sh1a-labe0uf,” “Apr!l221973,” “Qbesancon321,” “DG091101%,” “@Yourmom69,” “ilovetofunot,” “windermere2313,” “tmdmmj17,” and “BandGeek2014.” Also included in the list: “all of the lights” (yes, spaces are allowed on many sites), “i hate hackers,” “allineedislove,” “ilovemySister31,” “iloveyousomuch,” “Philippians4:13,” “Philippians4:6-7,” and “qeadzcwrsfxv1331.” “gonefishing1125” was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, “You won’t ever find it using brute force.”

%d bloggers like this: