{"id":16995,"date":"2012-12-07T12:34:45","date_gmt":"2012-12-07T10:34:45","guid":{"rendered":"https:\/\/mamchenkov.net\/wordpress\/?p=16995"},"modified":"2012-12-07T12:34:46","modified_gmt":"2012-12-07T10:34:46","slug":"the-passwords-are-officially-obsolete","status":"publish","type":"post","link":"https:\/\/mamchenkov.net\/wordpress\/2012\/12\/07\/the-passwords-are-officially-obsolete\/","title":{"rendered":"The passwords are officially obsolete"},"content":{"rendered":"<!-- google_ad_section_start -->\n<p>Slashdot is <a href=\"http:\/\/it.slashdot.org\/story\/12\/12\/05\/0623215\/new-25-gpu-monster-devours-strong-passwords-in-minutes\">reporting the story<\/a>:<\/p>\n<blockquote><p>a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney&#8217;s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft&#8217;s LM and NTLM, obsolete. In a test, the researcher&#8217;s system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes<\/p>\n<p>[&#8230;]<\/p>\n<p>Gosney&#8217;s cluster cranks out more than 77 million brute force attempts per second against MD5crypt.<\/p><\/blockquote>\n<p>One of my favorite <a href=\"http:\/\/it.slashdot.org\/comments.pl?sid=3295167&amp;cid=42189847\">comments to the story<\/a>:<\/p>\n<blockquote><p>So now that passwords as a system is officially broken, can we please move on to something better? Something that wasn&#8217;t invented to allow soldiers standing watch in the middle of the night to tell their mates from their enemies, but is actually designed for computers?<\/p><\/blockquote>\n<p>Solutions? 
\u00a0Well, for remote connectivity, I&#8217;ve been using SSH with key-based authentication. \u00a0For the websites, Google seems to be leading the 2-way authentication progress, with a combination of password and a one-time code via SMS. \u00a0These aren&#8217;t perfect, but they seem to be better than just a password.<\/p>\n<!-- google_ad_section_end -->\n","protected":false},"excerpt":{"rendered":"<!-- google_ad_section_start -->\n<p>Slashdot is reporting the story: a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney&#8217;s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft&#8217;s LM and NTLM, obsolete. &hellip; <a href=\"https:\/\/mamchenkov.net\/wordpress\/2012\/12\/07\/the-passwords-are-officially-obsolete\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">The passwords are officially obsolete<\/span><\/a><\/p>\n<!-- google_ad_section_end 
-->\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_links_to":"","_links_to_target":""},"categories":[1,62],"tags":[1633,200],"keyring_services":[],"class_list":["post-16995","post","type-post","status-publish","format-standard","hentry","category-general","category-technology","tag-passwords","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":18004,"url":"https:\/\/mamchenkov.net\/wordpress\/2013\/04\/14\/wordpress-passwords-and-brute-force\/","url_meta":{"origin":16995,"position":0},"title":"WordPress passwords and brute force","author":"Leonid Mamchenkov","date":"April 14, 2013","format":"link","excerpt":"WordPress passwords and brute force From the man himself: Here\u2019s what I would recommend: If you still use \u201cadmin\u201d as a username on your blog, change it, use a strong password, if you\u2019re on WP.com turn on two-factor authentication, and of course make sure you\u2019re up-to-date on the latest version\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":22389,"url":"https:\/\/mamchenkov.net\/wordpress\/2014\/08\/15\/tek-security-groups-password-repository\/","url_meta":{"origin":16995,"position":1},"title":"Tek Security Group&#8217;s 
Password Repository","author":"Leonid Mamchenkov","date":"August 15, 2014","format":"link","excerpt":"Tek Security Group's Password Repository In this repository you will find helpful authentication brute forcing files. These files include known password defaults, usernames, common and specialized dictionaries, etc.","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":16815,"url":"https:\/\/mamchenkov.net\/wordpress\/2012\/10\/08\/microsoft-takes-password-security-to-the-next-level\/","url_meta":{"origin":16995,"position":2},"title":"Microsoft takes password security to the next level","author":"Leonid Mamchenkov","date":"October 8, 2012","format":"link","excerpt":"Microsoft takes password security to the next level I've spotted this link somewhere online, and I think this is funny. Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords The solution is, as always, obtain the latest service pack.","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":29074,"url":"https:\/\/mamchenkov.net\/wordpress\/2018\/12\/10\/php-password-exposed-helper-function\/","url_meta":{"origin":16995,"position":3},"title":"PHP &#8211; Password Exposed Helper Function","author":"Leonid Mamchenkov","date":"December 10, 2018","format":false,"excerpt":"Password Exposed Helper Function is a tiny PHP library that helps checking user passwords against the Have I Been P0wned website API. 
This is quite common new functionality on many websites and services (see GitHub, for example), which is now available as a quick composer dependency for your PHP projects.","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2018\/12\/password-exposed.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2018\/12\/password-exposed.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2018\/12\/password-exposed.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2018\/12\/password-exposed.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2018\/12\/password-exposed.png?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":11412,"url":"https:\/\/mamchenkov.net\/wordpress\/2008\/11\/01\/passwords-are-like-women\/","url_meta":{"origin":16995,"position":4},"title":"Passwords are like women","author":"Leonid Mamchenkov","date":"November 1, 2008","format":false,"excerpt":"I don't know if this was posted by someone else somewhere else before (probably it was), but that's what I came up with yesterday, while explaining our password policy to one of the (male) colleagues. Passwords are like women: you should have as many of them as you can you\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":14486,"url":"https:\/\/mamchenkov.net\/wordpress\/2011\/02\/28\/lastpass-xss-vulnerability-found-is-it-a-big-deal\/","url_meta":{"origin":16995,"position":5},"title":"LastPass XSS vulnerability found. 
Is it a big deal?","author":"Leonid Mamchenkov","date":"February 28, 2011","format":false,"excerpt":"Via DownloadSquad I found out that a cross-site scripting (XSS) vulnerability was found in LastPass - an online password management service. \u00a0The problem was reported to LastPass and they seem to have fixed it before the information went out public. \u00a0What remains now is the question of how bad is\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/posts\/16995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/comments?post=16995"}],"version-history":[{"count":0,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/posts\/16995\/revisions"}],"wp:attachment":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/media?parent=16995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/categories?post=16995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/tags?post=16995"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/keyring_services?post=16995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}