Wow they have the decency to include their tools and scripts for all to use. Most researchers are too uptight to share outside the academic and corporate world. Keep up the good work!

11:30 --> facebookpassword , youtubepassword , passwordmanagerpassword XD

"Take everything I say with a grain of salt." - I see what you did. Ha....... ha..... ha..... Professional Comedy.

Pausing on some of those passwords being churned out can be quite comical

You know what's hilarious? Defcon is full of federal agents.

I am astonished to find that my password would be in that last 5%. Random numbers, letters (caps and lower case) and symbols. Of course I do write mine down to keep track of them: in a notebook that never leaves my flat and I leave the old passwords in it as well as the updates so have fun!

I love all these arbitrary rules about how a strong password should look that people post in the comments. What a good password needs is sufficient entropy. How you get that entropy-whether by randomly generating a password composed of all printable ASCII characters, or by stringing together a list of 5 or 6 randomly chosen nouns, all in lowercase-is absolutely irrelevant.

This just HAS to be the brother of Andy Weir (author of The Martian). Not only the face but even the style of talking is really similar :D

I love that the video has had the chapters/timestamps added :)

Matt, good presentation! Have you received your PHD yet?

any body know if he updated this talk

So....IT weakness requires all the customers, employees and guests to support it....and how many compromises a day require a change with no benefit in reality?

drinking game: take a shot every time he says "go ahead and"

It depends on how the passwords are hashed. If its made using md5(salt+pass) john should be able to crack it without any custom modules. Read the documentation on the openwall website.

is it misspelled as well?

#1 Development excuse for slacking of: compiling >Hey! Get back to work! >COMPILING! >Carry on

interesting talk, and he seems like a really cool dude

"Dude, we have a Dell." LOL

It is easy to crack something than to fix it.This explain why research are still focusing on how to create an efficient and secured password. The speaker gave many links to allow anyone to further their knowledge on the subject.

Well, when did he attribute?

If the salting is done properly and the password is strong its hard. Its not impossible but requires good hardware and a lot of time.

Good talk (:

... he took his laptop to defcon?

Before the PW requirements, i used to us the PW 543216. No one finds it but it would be easy to crack it though.

Just wondering if anyone knows how to crack a MD5 that has salt in it?

I never used JtR, but I have used a program called barswf which can only attack plain md5 hashes just as the speaker did in his first attack. On my home built 6 core amd computer (~$1000 cost to build), I could perform 300+ MILLION hash attempts per second. If you get a high end graphics card for around $400-700, you could blow that number out of the water by FAR. I don't remember the exact number, but it was in the billions. HashCat does well for salted ones. I could get 90%+ in less than a day

Nice video

Oh great, apparrently I needed to change my passwords 2 years ago. :P

props, he is very smart.

i like my system more than md5(md5(password).salt).... it's something like 200xmd5(md5(200xmd5(password.hardcodedsalt)).salt)) not the exact values and the hardcoded salt is only visible in the code that generates the hashes. I don't know if it is an overkill(might be) or something that can be easylly hacked but anyway it is almost 400++ md5 you have to do for every password and that takes time if you have any suggestions i would love to hear them

I don't understand one thing though. You take random words and MD-5 hash them and compare them to the users saved password. But in order to do this you have to have the HASH file first right?! How do you get the /etc/passwd file? I assume first you need to break into the OS and then you get the /etc/passwd file where all the HASHES are. But when you already has root privileges on an OS in order to copy this passwd file, why would you need to crack the user's passwords?? I don`t get it.

You don't necessarily need to crack it, "just" find a collision.

time to change my passwords

this made me think of why websites that give you a checklist for your password are bad and work against you cuz instead of people having random passwords they have a password designed based off a certain of rules bad guys just has to follow those rules so he knows if there is atleast ine capital let or atleast one number and usually people add the numbers to the end of the iriginal password and capitaluze the first letter or change letters like e to a 3 or for to 4

To be uncrackable(at least until AES-512 encryption becomes mainstream) you need a 20+ character password, generated by a password generator, not by your brain.

I'd be concerned about the webhosting sites administrator accounts and their passwords

Cool story bro..

Since people reuse the same password everywhere, I suggest them to actually use a few, one for their emails, one per bank and one for the rest of the non-important, non-financial associated stuff. Atleast if something is compromised it will not compromise everything. I think it is a good start.

I'm confused. This "research" seems to mostly be collections of traditional wisdom from 15-20 years ago when I was working on password cracking (mostly as a tool for validating that users had selected strong passwords, which is an interesting job because you're not TRYING to succeed, just to verify that you can't succeed easily). Anyway, probabilistic approaches to brute-force were all the rage back then. Did everyone just forget what we learned?

The real question is whether a quantum computer would be better at cracking passwords vs a AL algorithm.

What if my password is Japanese words?? Arigato1! for example or konichiwa!4 etc.

my password in uncrackable, it's qqqqqqqq

Does anyone have any good password managers to recommend.

lol'd at the title so hard just now

Ive actually made a rainbow table creator that uses sockets to give work to an army of slaves to do hashing

Some of these passwords are top tier lulz

5:28 "Water is Wet"

so....users have tools to powerful for their understanding.....and users and IT are blamed instead of poor management choices for tools or staff.

great

Some passwords cant be cracked in our lifetime or a hundred lifetimes if they are strong with at least 8 character sets, even with todays fastest number crunchers it would take thousands of years, the speaker has intentionally left out key steps on how he actually attempted to crack the passwords, he left very important things out actually.

i have a 11 gb wordlist, is it enough?

Time to go change all my simplistic passwords lol

ah ha sudir agarwal an Indian guy :) damn we are everywhere !

I didn't even noticed it had lisp.

Did you know that if you accidentally typed your KZfaq password in the comments, some googly algorithm will automatically turn it into asterisks for you for protection For example my password is ************

Accidently clicked on this to watch but what ever.

my resolution must be weak. What does it say on the chicken's body?

But how does he tackle the salt? Was I not paying enough attention here? There shouldn't be any limit besides reasonable cost to profit of storing a unique salt of length n for a user. Or does everyone use completely shit salts?

Haha, that dude just trolled you.

He can't help it, why not tolerate it?

this guy sounds like a south park character

13:00 "NVIDEA"? It's nvidia

1:45 He totally stole that comic from xkcd

average password length = 7.2

38 here :P

Same here Thane... until he said something... and even now i do not notice it.... CANAIDIANSURFER and 9022920, if you are here for the info, you wont notice it at all.

Without those so called "pigs" you wouldn't have much at all.

I can make a 1 character password that will never be hacked and it's so simple

เรียนรู้ใหม่ที่ไม่เคยเห็น

a salt

XKCD is licensed under a Creative Commons Attribution-NonCommercial 2.5 License, which he did not break. Fuck off?

learn how people create passwords ? HAHAHA mine is a randomly generated string of numbers lower case and uppercase letters and symbols. and to be sure, its 15 caracters long xD

dont disregard otherwise good info because of the motivations of the researcher. maybe you were just being funny, because this was otherwise a great video.

it would be so easy to protect the users of website logins even if they had weak passwords. every user creates his account at some year, some day, some hour, some second. most websites actually already log this information. so what the website needs to do is take dumb-users password, i.e. "password" and attach that account-creation timestamp in a long-winded, strongly cyphered manner to the users password. all the user additionally has to do is select the date he created the account from a row of date-oriented dropdown-menus next to the password field. so he needs to get this information via email when he creates the account. that way the passwords would be utterly long, but not for the user who still just enters "password" while the website adds the strings of the coded timestamp to that weak password automatically after the date was selected (if the date attachment is made long winded and strongly cyphered). much less likely to get cracked in little time by dictionary approaches or brute force. EDIT: or even simler, just let the user choose an encryption algorithm himself by selecting a picture that resembles the encryption algorythm, while only the company knows which picture does what (i.e. klicking on a picture of a green tree, which adds an MD5 string, or a red ball which represents some other encryption system, etc). all he needs to remember is the picture he likes the most. alternatively the user could use a file as a key to upload, i.e. a picture from his computer, to serve as an encryption by using the file MD5-sum for instance. it really doesn't have to be complicated for the end-user, only the system behind it, what the website itself does with it should make it uncrackable.

HOW exactly do you become a hacker and not a script kiddie? Do you need to master programming languages?

Oh, BTW: If you want to completely avoid having this guy's approach ever work on your passwords, just take two common words and the name of the site. Split the site name in half and put the first half into the middle of the first word and the second half into the middle of the second word. Add one bit of punctuation after the nth letter (3-5 works out well) and you're done. "fiyotr;ewinubedy" is just "fire" + "windy" with "youtube" in it plus a semicolon, but strategies like his will choke on it

You mean his IQ is a 100 times higher? That's awesome. :-)

Makes me feel better about my password being AssP3%$6fRrOdw8, use it for all my accounts :D (not really but it's not half bad)

hashed with a thalt?

Oh, man, this talk is so old. It's funny how far has everything advanced since 2011 in password security. Also the advent of cryptocurrency probably made him stop wasting his CPU cycles only on password cracking.

He's probably 100x smarter than you.

A good password should be like this: It should NOT contain relevant words to any dictionary in any language. Use capital and small letters combined with numbers and special characters. It should be DIFFERENT from the passwords you already use for other things. Having a 'master' password is a very BAD idea. It should have at least 12 characters ( they usually recommend 6-8, but just go for 12 or more). Make it as RANDOM as you can think of. Do NOT tell it to anyone ( it's a password, damn it ! ) Don't write it down on your phone or computer or anywhere. Store it in your brain =)).

great