Mamoulian War Posted July 4, 2013

The Ars article more addresses that people create poor passwords. It also says that when a site uses weak hashing algorithms, they can harvest relatively secure passwords with the help of databases of previously harvested weak passwords.
alanschu Posted July 4, 2013

You're right it does. The problem, of course, is that by creating weak passwords, it compromises the integrity of better hashing systems, as they now have libraries of commonly used poor passwords that they can brute force attempts with to help crack the hashing algorithm. The best encryption system in the world doesn't save people from using "123456" as their password and having it compromised.
Mamoulian War Posted July 4, 2013 (edited)

Yup, but with a better system, there is a much smaller chance that your more complex password could be compromised even with these big databases. The Ars article was only about the success of breaking MD5 with these tables. I would really like to know how successful these guys would be at harvesting complex passwords in newer SHA-3, RIPEMD or Skein hashing. The only reason why a lot of companies are still using weak algorithms is to save processing power of their servers... Which is stupid...
alanschu Posted July 4, 2013

> Yup, but with better system, there is much lesser chance, that your more complex password could be compromised even with these big databases. The Ars article was only about success of breaking MD5 with these tables.

I actually felt that the article was more about how stuff like MD5 is still used, despite not being very secure. There IS a benefit to the tougher encryption algorithms, in that the number of searches you can make gets slowed drastically, but if the hashing algorithm gets cracked, then the issue becomes moot. Having said that, the hash function for MD5 encryption given wasn't cracked either (otherwise they'd have had a 100% success rate), and it's a good bet that the ones they aren't able to crack are the good passwords. The tougher hash algorithms keep the less than awesome passwords safer, because it just takes more time to brute force the system.
AwesomeOcelot Posted July 4, 2013 (edited)

If the numbers are right, and they could only manage 8 billion guesses a second with MD5, one 9 character password would take years to crack if it had symbols, lowercase, uppercase, and numbers. Even if they used an 8 GPU homebrew cracking box, that's still months to crack one password. If they're using best practices with a properly hashed and salted password e.g. SHA512crypt, with a much higher work-factor making for 2000 guesses per second on one GPU (according to the Ars article), only the short passwords (less than 6 characters), passwords in a dictionary, lowercase passwords, and the ones that substitute letters with numbers or symbols e.g. "p4$$word" would take weeks or less, the rest would take months each.

Memory-hard functions in hashing are designed to make cracking impractical by making the cracker use larger amounts of memory, so they're forced to use the memory I/O, limiting parallel computation. So using an 8 GPU setup or cloud cracking array wouldn't be as much benefit, and designing a cracking box would be more expensive, as I think now crackers (and bitcoin miners) go for the most compute per $, which generally means multiple low-mid graphics cards. With memory-hard functions it creates a bottleneck for that kind of setup.
sorophx Posted July 4, 2013

you're talking about bruteforcing. but that's not how they crack these passwords
AwesomeOcelot Posted July 4, 2013 (edited)

> you're talking about bruteforcing. but that's not how they crack these passwords

Yes, I was, and they did use brute forcing and dictionary attacks first. They were using hybrid attacks but that still involves brute-forcing, just of a smaller space; they're still doing lots of guesses, so memory-hard and work-factor still come into play. With hybrid attacks the time can be shorter depending on the entropy of the password or whether the password uses a ruleset the cracker is using.
AwesomeOcelot Posted July 5, 2013

Found a quote from Tim Schafer's AMA on Reddit:

> The truth is I always act as if I didn't have to worry about profits, had all the money in the world, and no technical limits. Maybe that's why my games are considered "niche," why they go over budget, and why my programmers have to work so hard. So basically, I'd be doing exactly what I'm doing right now!
Malcador Posted July 5, 2013 (edited)

Well, good to see he'll learn from his experience.
Bester Posted July 5, 2013 (edited)

I once had a DB with passwords that were hashed like this: md5(md5(pass) + salt) or some same ****. Used GPU to bruteforce. Could bruteforce any password that was 8 signs long (big or small letters, with numbers and punctuation) in under 2 days. Of course if I wanted to find as many passwords as possible from a huge DB, I'd use a base of common passwords and that'd go much much faster, I'd get like 10000+ accounts/day. GPU is so quick. Like 1000 times faster than CPU in this matter.
AwesomeOcelot Posted July 5, 2013

> I once had a DB with passwords that were hashed like this: md5(md5(pass) + salt) or some same ****. Used GPU to bruteforce. Could bruteforce any password that was 8 signs long (big or small letters, with numbers and punctuation) in under 2 days. Of course if I wanted to find as many passwords as possible from a huge DB, I'd use a base of common passwords and that'd go much much faster, I'd get like 10000+ accounts/day. GPU is so quick. Like 1000 times faster than CPU in this matter.

It would take under 10 days going at the rate they said they were going in the article (8 billion guesses a second) with one GPU to search the 8 sign password's space. I don't think the nested md5 hash would do anything, and the salt isn't to prevent brute forcing.
Bester Posted July 5, 2013

Surely it adds operations, and by that doubles the required time.
pmp10 Posted July 5, 2013

> Surely it adds operations, and by that doubles the required time.

If the operation is fast to begin with that hardly matters. And depending on the algorithm using double hashing may actually weaken your protection.
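Added example, not written by any poster in this thread: the keyspace arithmetic behind the figures quoted in the posts above, together with password storage using a memory-hard function (scrypt from Python's hashlib). The two guess rates are the ones quoted in the posts; the scrypt parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PRINTABLE = 95  # printable ASCII: upper, lower, digits, symbols
# Guess rates quoted in the thread (from the Ars article), per GPU.
RATE_MD5 = 8_000_000_000
RATE_SHA512CRYPT = 2_000
# scrypt cost parameters: assumed values for this example.
N, R, P = 2**14, 8, 1


def exhaustive_days(length, guesses_per_sec, charset=PRINTABLE):
    """Days to try every password of exactly `length` characters."""
    return charset ** length / guesses_per_sec / 86_400


def scrypt_memory_bytes(n=N, r=R):
    """Approximate RAM one scrypt evaluation needs: 128 * N * r bytes."""
    return 128 * n * r


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; a fresh random salt per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    for name, rate in (("MD5", RATE_MD5), ("sha512crypt", RATE_SHA512CRYPT)):
        print(f"{name:12} 8 chars: {exhaustive_days(8, rate):,.1f} days on one GPU")
    print(f"scrypt RAM per guess: {scrypt_memory_bytes() // 2**20} MiB")
    salt, digest = hash_password("constructed sample passphrase")
    print("verifies:", verify_password("constructed sample passphrase", salt, digest))
```

The salt makes two accounts with the same password store different digests, so precomputed tables do not carry over; the per-guess cost comes from the scrypt parameters, not from the salt.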
ManifestedISO Posted July 5, 2013

Not once in nine months have I heard mention that Project: Eternity could become a "long-running" franchise. Until now. Which is why I'm posting. Now. Regardless of how well Project Eternity does beyond the contributions of its backers, however, there are already plans to begin work on an expansion after the completion of the first game.
Lexx Posted July 5, 2013

No surprise, really. It's their own IP and if it sells good, there is no reason not to make more games. It's really what Kickstarter is all about for developers, imo.
alanschu Posted July 5, 2013

I'm pretty sure they had indicated that they'd love to do more going forward.
Tigranes Posted July 5, 2013

It was mentioned very early on that they'd like to do this. All good, I say.
Orogun01 Posted July 5, 2013

> Not once in nine months have I heard mention that Project: Eternity could become a "long-running" franchise. Until now. Which is why I'm posting. Now. Regardless of how well Project Eternity does beyond the contributions of its backers, however, there are already plans to begin work on an expansion after the completion of the first game.

Extra! Extra! Developers have hopes and dreams. Read all about it!
Zoraptor Posted July 5, 2013

> Not once in nine months have I heard mention that Project: Eternity could become a "long-running" franchise. Until now. Which is why I'm posting. Now. Regardless of how well Project Eternity does beyond the contributions of its backers, however, there are already plans to begin work on an expansion after the completion of the first game.

You could pay a whole extra $20 (?) to get the expansion as part of the kickstarter, so it's not exactly been sprung on people. Though it needs the fulfilment/redemption method(s) to be up and running to actually, well, redeem it. There's also been a fair bit of talk about whether or not any sequel to PE would use KS, which was a pretty strong indicator it would be a 'franchise'.
ManifestedISO Posted July 5, 2013

> You could pay a whole extra $20 (?) to get the expansion as part of the kickstarter, so it's not exactly been sprung on people. Though it needs the fulfilment/ redemption method(s) to be up and running to actually, well, redeem it. There's also been a fair bit of talk about whether or not any sequel to PE would use KS, which was a pretty strong indicator it would be a 'franchise'.

Oh, yes, I see it now. I opted to add-on a black Obsidian T-shirt, instead of the expansion pack. Probably because I knew I could always download the latter, but may never get a chance to own the former. See ... forgetting things can be like a free bonus when you remember them!
Humanoid Posted July 6, 2013

I think they were also going to do an Obsidian shop to sell various knickknacks like the shirts, hats, mugs, cookbooks and minivans, so I doubt the shirt is a one-off either.
Bester Posted July 6, 2013

Plus if they do a sequel, they won't have to adapt Unity from scratch, create rules, etc. Just make content. Easy.
AGX-17 Posted July 6, 2013 (edited)

So I guess the OUYA has the car parking simulation market cornered. And that's about it.
rjshae Posted July 6, 2013

> Plus if they do a sequel, they won't have to adapt unity from scratch, create rules, etc. Just make content. Easy.

Mmm... mostly. They'll still need to add higher level spells and capabilities. I'll bet there's also a temptation to expand the base system, perhaps with new races, classes, or what have you.