Early versions of the free/open Unix variant BSD came with password files that included hashed passwords for such Unix luminaries as Dennis Ritchie, Stephen R. Bourne, Eric Schmidt, Brian W. Kernighan and Stuart Feldman.
Leah Neukirchen recovered a BSD version 3 source tree and posted about it on the Unix Heritage Society mailing list, revealing that she was able to crack many of the weak passwords protected by the equally weak hashing algorithm from those bygone days.
Dennis MacAlistair Ritchie’s was “dmac”, Bourne’s was “bourne”, Schmidt’s was “wendy!!!” (his wife’s name), Feldman’s was “axlotl”, and Kernighan’s was “/.,/.,”.
Four more passwords were cracked by Arthur Krewat: Özalp Babaoğlu’s was “12ucdort”, Howard Katseff’s was “graduat;”, Tom London’s was “..pnn521”, Bob Fabry’s was “561cml..” and Ken Thompson’s was “p/q2-q4!” (chess notation for a common opening move).
BSD 3 used Descrypt for password hashing, which limited passwords to eight characters, salted with 12 bits of entropy.
Descrypt limits passwords to just eight characters, a constraint that makes it all but impossible for end users to choose truly strong credentials. And the salt Descrypt uses provides just 12 bits of entropy, the equivalent of two printable characters. That tiny salt space makes it likely that large databases will contain thousands of hash strings that attackers can crack simultaneously, since the hash strings use the same salt.
Jeremi M. Gosney, a password security expert and CEO of the password-cracking firm Terahash, told Ars that Descrypt is so weak and antiquated that one of his company’s 10-GPU Inmanis appliances (price: almost $32,000) could besiege a Descrypt hash with 14.5 billion guesses per second (the rigs can be clustered to achieve faster results). The speed of just one rig is enough to brute force the entire Descrypt keyspace—which, due to practical limitations, was about 2^49 in 1979—in less than 10 hours, and even less time when using cracking tools, such as wordlists, masks, and mangling rules. This site will also crack a Descrypt hash for as little as $100.
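As an added example (not part of the original post or the Ars article), this Python audit sketch shows both Descrypt limits from the defender's side: it finds legacy 13-character Descrypt fields in passwd-style text, decodes their 12-bit salts, reports accounts that share a salt, and shows the eight-character truncation. The account names and hash strings are constructed sample data, the function names are hypothetical, and the reuse estimate assumes salts are chosen uniformly at random.

```python
import string
from collections import defaultdict

# crypt(3) base-64 alphabet: each character carries 6 bits.
ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase
SALT_SPACE = 64 ** 2  # two salt characters = 12 bits = 4096 possible salts

# Constructed sample data: these are placeholder strings, not real hashes.
SAMPLE = """\
alice:abQ9KZcT2vHpE:1001:10:Alice:/usr/alice:/bin/sh
bob:abr7LmN0pXyWs:1002:10:Bob:/usr/bob:/bin/sh
carol:$6$constructed$placeholder:1003:10:Carol:/usr/carol:/bin/sh
dave:*:1004:10:Dave:/usr/dave:/bin/sh
erin:Zz/.4hG8kLq1B:1005:10:Erin:/usr/erin:/bin/sh
"""

def parse_descrypt(field):
    """Return the 12-bit salt if the field has Descrypt's shape, else None."""
    if len(field) != 13 or any(c not in ALPHABET for c in field):
        return None
    # The first salt character holds the low 6 bits, the second the high 6.
    return ALPHABET.index(field[0]) | (ALPHABET.index(field[1]) << 6)

def audit(passwd_text):
    """Map each salt to the accounts whose password field uses it."""
    by_salt = defaultdict(list)
    for line in passwd_text.splitlines():
        parts = line.split(":")
        salt = parse_descrypt(parts[1]) if len(parts) > 1 else None
        if salt is not None:
            by_salt[salt].append(parts[0])
    return dict(by_salt)

def shared_salts(by_salt):
    """Salts used by more than one account (one guess tests all of them)."""
    return {s: users for s, users in by_salt.items() if len(users) > 1}

def expected_salt_reuse(n):
    """Expected count of hashes, out of n, that repeat an already-used salt."""
    return n - SALT_SPACE * (1 - (1 - 1 / SALT_SPACE) ** n)

def effective_password(password):
    """Descrypt only uses the first eight characters of the password."""
    return password.encode()[:8]

if __name__ == "__main__":
    print(shared_salts(audit(SAMPLE)), round(expected_salt_reuse(1_000_000)))
```

Any account the audit reports is a candidate for a forced password reset under a modern hashing scheme, whether or not its salt is shared.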
Re: [TUHS] Recovered /etc/passwd files [Leah Neukirchen/The Unix Heritage Society mailing list]
Forum cracks the vintage passwords of Ken Thompson and other Unix pioneers [Dan Goodin/Ars Technica]
(via Four Short Links)