Ars was briefly hacked yesterday; here’s what we know

Readers, please change your passwords.

Read the whole story

 

[Aye-ess-four-hundred]

There is also the slight possibility that this entire hack is a fabrication that then gave the managers a fictitious basis to email everyone who has ever made contact with this site, to then thrust a bogus ambiguous aftermath upon us. Ads = $$$.

 

[ChrisSD]

Kharnellius[/url]":2x58refi]Will you post on the main page? I didn't see any article warning people. I was hesitant to believe the email as I was worried it was a spoof. Then I get to Ars and there is no mention of it.

This exact article was stuck at the top of the main page for a day. And it's still on the main page if you're willing to scroll down a bit.

 

[Dark Steve]

WpgGuy[/url]":3msw1bt2]You're not a mass media publication, you've got a technical audience.

Ars' "technical audience" is surprisingly and depressingly atechnical at times. Just read the first few pages of comments for the first "Taking Email Back" article. It was like every second comment was "Email is hard! Let somebody else do it!" or "Why bother doing it yourself when google gives it to you for free!". People in the forums still make up complaints about Windows 8 years after it's release. Virtually nobody in the comments understood the heartbleed flaw or the LibreSSL preview, but it didn't stop them commenting about it.

MD5=bad is a very easy concept to remember, even if you don't understand why or when MD5 can still be useful. Salting is a very easy concept to understand, even if the concept doesn't scale in people's minds. A disproportionate number of people armchair experts in this forum thinks they know more than they do. They're basically imposing idealised concepts over practical realities.

WpgGuy[/url]":3msw1bt2]You should be transmitting technically correct information in your articles.

Ars is transmitting technically correct information in their articles, unfortunately Ars is not a mass media publication, yet they've got a surprisingly technical-illiterate audience.

 

[Dark Steve]

Also, FYI, the mods have been notified about Dolores Haze.

 

[The Master]

Congratulations ars your also a spammer lol

 

[Hapticz]

nxt up, any clue to who this 'crack hacker' is/was? while we dither about how secure this paswd method is, there still remains the 'at largeness' of this intrusion entity/person. easy to say we all are building greater walls around our castles of information (password methods), yet the intruders seek to scale that perimiter by simple exploitation of common human errors and persistence.

 

[Rageset]

Thanks for the heads up.

 

[potato44819]

The Master[/url]":3p2pddtr]Congratulations ars your also a spammer lol

:facepalm:

That's not your spam folder.

 

[The Master]

Modern Major General Thanatos[/url]":9p25uou2]

The Master[/url]":9p25uou2]Congratulations ars your also a spammer lol

:facepalm:

That's not your spam folder.

close enough.. lol

You guys got any specials on Viagra? :lol:

 

[jerrya]

What an incompetent bunch of fucking assholes.

This is why my username and password are unique to every site.
This is why I strongly prefer anonymous speech on the net with no logins required.

Because even the fuckheads who claim to know it all, just turn out to be hugely incapable screwups.

 

[dooza]

All of a sudden all those people making fun of the poor Sony employees aren't so glib.

 

[foxyshadis]

burne_[/url]":2juormqi]

leexgxreal[/url]":2juormqi]
i probably did not need to change my password as not sure how long it would take to get something like Ðlï®cÝ?:Ü«ç?w?ô???Þ¼G2Ä_B®&?EH from MD5 at 2k

You should have attended basic calculus sober and not high as Mount Everest. Then you would have known that your password offers little advantage if none over 'ohbaithooyohf8ohCo9Oix9Eecei0oocho' or 'effect hung noted represent whiskey'.

Sorry, man, dictionary-built passwords have been all the rage for almost 5 years now. Hashcat can easily combine 5 words with and without spaces (and other symbols) as part of its brute force, and that part runs in a tiny fraction of the time that full brute force does. You're thinking 90's here, in the 2010s you need to update your idea of what a good password is.

 

[Stoatwblr]

There's a lot to be said for the security info and most content being held on a machine other than the webserver.

Current $orkplace setup has the webservers regarded as disposable and hackable. There are simply far too many unknowns in most PHP code to trust anything (this doesn't just apply to PHP).

Once you get to that point of view, paranoia dictates that anything which might be sensitive isn't kept on the machines.

The boxes themselves are heavily firewalled both in and out (ie, they generally can't make outbound connections, which stops 'em being used for DDoS etc)

Most content is accessed over read-only network shares - which makes defacing difficult.

User data is held on a LDAP server and the extent of the webserver's security involvement in holding data is to make a query over encrypted link - the LDAP server simply replies to l/p with "no" or "yes + access level"

There's a lot more which can be done but the general gist is that webservers with active content are regarded as a fundamentally weak point which cannot be trusted and as such you ensure the rest of the network and your security information has as little exposure as possible.

 

[ChrisSD]

foxyshadis[/url]":r8pxjled]

burne_[/url]":r8pxjled]

leexgxreal[/url]":r8pxjled]
i probably did not need to change my password as not sure how long it would take to get something like Ðlï®cÝ?:Ü«ç?w?ô???Þ¼G2Ä_B®&?EH from MD5 at 2k

You should have attended basic calculus sober and not high as Mount Everest. Then you would have known that your password offers little advantage if none over 'ohbaithooyohf8ohCo9Oix9Eecei0oocho' or 'effect hung noted represent whiskey'.

Sorry, man, dictionary-built passwords have been all the rage for almost 5 years now. Hashcat can easily combine 5 words with and without spaces (and other symbols) as part of its brute force, and that part runs in a tiny fraction of the time that full brute force does. You're thinking 90's here, in the 2010s you need to update your idea of what a good password is.

To put numbers on it a six word passphrase generated using Diceware (e.g. "shore durer morale scurry neil scene") gives us:

7776⁶ ~= 2 × 10²³ combinations

Which is roughly the same as a password of 13 characters that includes upper and lower case ascii letters plus digits (e.g. "mt5J5xjP4IwX"):

62¹³ ~= 2 × 10²³ combinations

"ohbaithooyohf8ohCo9Oix9Eecei0oocho" is more secure than either:

62³⁴ ~= 9 × 10⁶⁰ combinations

And "Ðlï®cÝ?:Ü«ç?w?ô???Þ¼G2Ä_B®&?EH" is even more secure (lets assume all printable ascii characters + high ANSI = 233 characters):

233³⁰ ~= 1 × 10⁷¹ combinations

All the above are secure enough for a random internet person commenting on a tech blog.

 

[Jim Z]

404[/url]":2wwi3h7s]Between this and Ars manufactured gamergate garbage which has lead to nothing more than racism and bigotry against minority gamers in favor of a female oppression false flag. All i want to know is, How do i delete my account from this cesspool?

1) you can't.
2) leave anyway, please.

 

[Deleted member 441963]

ChrisSD[/url]":2nxoqnqz]
To put numbers on it a six word passphrase generated using Diceware (e.g. "shore durer morale scurry neil scene") gives us:

7776⁶ ~= 2 × 10²³ combinations

Which assumes you know what kind of password you're looking for. If you don't brute force is the only way, and then it's 9.71 x 10⁶¹. And I'm not telling you how many words or in which language my password is.

I assumed the phrase with Ð and Þ was typed on an icelandic keyboard, and that makes for a 95 character space and 2.17 x 10⁵⁹ combinations. Both my examples were supposed to be better than something that looks alien and impossible to type for somebody using an US ASCII keyboard.

foxyshadis[/url]":2nxoqnqz]
you need to update your idea of what a good password is.

My point was that 'Ðlï®cÝ?:Ü«ç?w?ô???Þ¼G2Ä_B®&?EH' looks impressive but isn't any more secure than other passwords. It's fake security.

 

[Vivi The Mage]

Thanks for the heads up, with a lot of sites getting jacked, it's just not that big of a deal IMO. The password I use is different for every site now, and when it comes to stuff that matters, banking, email, encrypted passwords, they're all unique.

 

[mehaase]

DeadMG[/url]":2riw1bjf]Even with an algorithm as weak as MD5, 2048 iterations plus salt isn't too bad.

Actually, that is still pretty bad! Especially for a site like Ars that should know better. There are a lot of people in here who I respect and they are defending this decision, but I'm going to take the other side here. Everybody else is looking at the cost to crack all of the passwords, which is very high if the passwords are salted, but salting is an issue completely orthogonal to the selection of MD5 as the core hash algorithm. The question I'm interested in is what is the cost to crack a single, targeted password?

Some obscure news organization covered a GPU cluster two years ago that could compute 180 billion MD5 hashes per second. The Ars minimum password length is 6 characters (yikes) and I can't remember if it has any password complexity requirements. I'll assume mixed case and alphanumeric just to be charitable. That cluster cracks such a password in about 5 minutes.

An "Ars hash" takes ~2000x longer to compute than a single round of MD5. That GPU cluster can still compute ~90 million "Ars hashes" per second. This stretches 5 minutes into about 7 days.

You might think this sounds reasonable. Seven days is plenty of time to change your password, right? The search doesn't need to be exhaustive, of course. We have a 50% of cracking the password in the first 3.5 days. Also, this assumes no future improvements in GPU ability and/or theoretical attacks on MD5. It also assumes that people actually change their passwords when something like this happens.

When you ask users to create credentials, you become responsible for the stewardship of those credentials. I don't care if they use phpBB (a terribly insecure product, BTW) – Ars should be held to a higher standard!

 

[kriket011]

So, the poorly located backup file" is to blame for all this mess. Thankfully my Ars password is unique for this site and isn't a password I use on other sites.
I don't get all the negative comments about Ars security practices, at least from the forum users. It is after all a login just to post comments, at least mine is, therefore it's not mission critical information that's being protected.
Of course, Ars being an elite tech site, one would expect them to employ best possible security practices, and "poorly positioned backup file" isn't exactly that. But nevertheless, I'm sure they will correct that mistake and not repeat it in the future.
This is really mostly the "PR nightmare" since hacking Ars is more of a trophy feature than anything else. I doubt the hackers will gain anything more than the satisfaction of succeeding to do smth like this to Ars rather than any financial benefits.
I'm not even gonna change my password right away, will wait till they sort things out and only then I shall do it. My Ars userinfo won't get the hackers anything useful even if they crack my password.

Thanks for the heads up anyway.

 

[boondox]

pythagoreanmetronome[/url]":ytgwvnl0]Good lord. This year alone I have had all of my debit cards/credit cards canceled and resent to me by my bank TWICE because of Target and Home Depot, which of course has required that I type in new numbers into tons of various websites and payments... online bills, google play, Ventra for Public Transportation, Digital Ocean, AWS etc etc... and this whole password thing. Ars isn't the only one. I use Last Pass now and even that has turned into such a hassle because any app I want to use on my phone or tablet requires at least two steps of authentication IF the lastpass password is actually synced. My Windows 8.1 password to just log into the desktop is now this 11 character random string that I am always like WTF!!!! It's just annoying to use networked devices now.

What can you do? The internet seemed like a good idea there for about 3 weeks in 1994 and after that it has been a steady stream of disgusting porn, trolls, hacks and a thousand little inconveniences. I am about to go unibomber on this shit.

I kid. Thanks for letting me know. Luckily after the whole Ars thread about how the Dred Pirate Roberts had his silkroad passwords set to his cat's name I learned that I should always have TWO cats and kill one on monthly basis. So I am pretty sure I am hack proof on this one. I just got a new kitten last weekend and his name is id_rsa.pub. Hack THAT! Wait. Crap.

Dude (or dudette)!

Thanks for making me LOL hella hard!

 

[epixoip]

mehaase[/url]":353uo48y]

DeadMG[/url]":353uo48y]Even with an algorithm as weak as MD5, 2048 iterations plus salt isn't too bad.

Some obscure news organization covered a GPU cluster two years ago that could compute 180 billion MD5 hashes per second. The Ars minimum password length is 6 characters (yikes) and I can't remember if it has any password complexity requirements. I'll assume mixed case and alphanumeric just to be charitable. That cluster cracks such a password in about 5 minutes.

An "Ars hash" takes ~2000x longer to compute than a single round of MD5. That GPU cluster can still compute ~90 million "Ars hashes" per second. This stretches 5 minutes into about 7 days.

You are referencing single hash speeds, and failing to account for the impact of salting.

As the owner of the rig you are referencing, I'd highly recommend reading the promoted comments, in which I already addressed this concern.

 

[ricortes]

On the bright side: Visible hack that was part of a dick flopping contest. If intention was to steal passwords and hack bank accounts, we wouldn't have known about it until we started seeing charges on our credit cards.

Just a few odd thoughts. No matter what is done with hacking, there will always be an inside job vulnerability of passwords. Maybe sell the hashed passwords file, maybe install something that echoes the passwords as they are created to a plain text file or web site.

IMHO: It would be better to only have the password active for a session and all passwords randomly generated at the time of attempted login just like the reset password feature here functions. You enter a user name, server sends you an email or text or Siri phones you and says your password is #$@%&.

As someone sort of said, people would use a .jpg if there was unlimited password length. Well, it would be impractical to do that of course, but you could be sent a .jpg of the password.

 

[mehaase]

epixoip[/url]":3k5v7re6]

mehaase[/url]":3k5v7re6]

DeadMG[/url]":3k5v7re6]Even with an algorithm as weak as MD5, 2048 iterations plus salt isn't too bad.

Some obscure news organization covered a GPU cluster two years ago that could compute 180 billion MD5 hashes per second. The Ars minimum password length is 6 characters (yikes) and I can't remember if it has any password complexity requirements. I'll assume mixed case and alphanumeric just to be charitable. That cluster cracks such a password in about 5 minutes.

An "Ars hash" takes ~2000x longer to compute than a single round of MD5. That GPU cluster can still compute ~90 million "Ars hashes" per second. This stretches 5 minutes into about 7 days.

You are referencing single hash speeds, and failing to account for the impact of salting.

As the owner of the rig you are referencing, I'd highly recommend reading the promoted comments, in which I already addressed this concern.

Yes, I am looking at single hashes, and I explicitly said that in the first paragraph of my post, which you didn't include when you quoted me. I read every single word of your first 2 posts in this thread. I also said that I respected the informed points of view in this thread (that was a reference to you and and a few others) but wanted to pose a counterargument.

If there were any factual or mathematical errors in my post that you wish to dispute, please do. But please don't say, "this has all been explained before [hand wave]," as if I couldn't possibly have anything of value to add to this discussion. I wouldn't have posted to a 10+ page thread if I hadn't at least skimmed the first few pages of comments and felt like I had something novel to add.

 

[epixoip]

mehaase[/url]":1hd0l5tc]
Yes, I am looking at single hashes, and I explicitly said that in the first paragraph of my post

Sorry, I must have missed that.

mehaase[/url]":1hd0l5tc]
If there were any factual or mathematical errors in my post that you wish to dispute, please do.

Ok. Your figures are inflated by 50 ~ 200%. PHPass with 2048 rounds isn't ~ 2000x slower than raw MD5 as you reckoned, it's more like 4066x slower than raw MD5.

oclHashcat + R9 290X can pull about 3 MH/s on PHPass single hash brute force, and about 1.5 MH/s on single hash wordlist-based attacks. So with 25x 290X you're looking at 37.5 ~ 75 MH/s depending on the attack, minus ~20% overhead for distributing the workload, so more like 30 ~ 60 MH/s in reality.

To quantify that, that's about five hours just to run through rockyou.txt with d3ad0ne.rule, and 13.6 days to brute force lengths 6-7. And that's with a 25-GPU cluster.

So yeah, it's not mind-numbingly slow, but it's still slow enough that we will be limited in the types and variety of attacks we can run. Any password with even a hint of complexity is fairly safe at those speeds. More than enough time to change your passwords.

 

[somini]

epixoip[/url]":2u5i8rvl]

mehaase[/url]":2u5i8rvl]
Yes, I am looking at single hashes, and I explicitly said that in the first paragraph of my post

Sorry, I must have missed that.

mehaase[/url]":2u5i8rvl]
If there were any factual or mathematical errors in my post that you wish to dispute, please do.

Ok. Your figures are inflated by 50 ~ 200%. PHPass with 2048 rounds isn't ~ 2000x slower than raw MD5 as you reckoned, it's more like 4066x slower than raw MD5.

oclHashcat + R9 290X can pull about 3 MH/s on PHPass single hash brute force, and about 1.5 MH/s on single hash wordlist-based attacks. So with 25x 290X you're looking at 37.5 ~ 75 MH/s depending on the attack, minus ~20% overhead for distributing the workload, so more like 30 ~ 60 MH/s in reality.

To quantify that, that's about five hours just to run through rockyou.txt with d3ad0ne.rule, and 13.6 days to brute force lengths 6-7. And that's with a 25-GPU cluster.

So yeah, it's not mind-numbingly slow, but it's still slow enough that we will be limited in the types and variety of attacks we can run. Any password with even a hint of complexity is fairly safe at those speeds. More than enough time to change your passwords.

Not to mention all that money to get a forum account password.
Unless the Velvet Room is REALLY interesting...

 

[DCRoss]

burne_[/url]":2ytm2lam]
I assumed the phrase with Ð and Þ was typed on an icelandic keyboard [...] alien and impossible to type for somebody using an US ASCII keyboard.

Wanna have a little fun? Using any version of Windows and your US ANSI keyboard, the standard kind with 102 or 105 keys and QWERTYUIOP across the top row, hold down the "ALT" key. Either one, it doesn't really matter, just press it down and hold it there while you do the next step.

Now go over to the numeric keypad (not the row of numbers on the top, the block of 17 keys on the right side with "Num Lock", /, * and - on the top) and type the digits "0208".

Now, release the ALT key. Repeat the same process with the digits "0222".

When you have finished that, you can look up the rules for registering as an alien who can do impossible things in the USA.

 

[mehaase]

epixoip[/url]":359oszzn]

mehaase[/url]":359oszzn]
If there were any factual or mathematical errors in my post that you wish to dispute, please do.

Ok. Your figures are inflated by 50 ~ 200%. PHPass with 2048 rounds isn't ~ 2000x slower than raw MD5 as you reckoned, it's more like 4066x slower than raw MD5.

This is an interesting claim. I had never looked at PHPass source code before today, so I just took a gander. It's about what I expected: a tight loop around the core MD5 algorithm.

$hash = md5($salt . $password, TRUE);
do {
	$hash = md5($hash . $password, TRUE);
} while (--$count);

I don't doubt your claim that this is ~4000x slower than a single MD5 (which means my estimate was off by a factor of 2), but this implies that the PHP implementation has an overhead cost of 100% (compared to an unrolled loop in native code). I'm guessing that memory allocation and string concatenation are probably the most expensive operations. If the same algorithm was implemented in a more efficient language, then the overhead could be reduced drastically.

Out of curiosity, do you know if oclhashcat calls into PHP to crack PHPass or does it have its own native implementation?

oclHashcat + R9 290X can pull about 3 MH/s on PHPass single hash brute force, and about 1.5 MH/s on single hash wordlist-based attacks. So with 25x 290X you're looking at 37.5 ~ 75 MH/s depending on the attack, minus ~20% overhead for distributing the workload, so more like 30 ~ 60 MH/s in reality.

To quantify that, that's about five hours just to run through rockyou.txt with d3ad0ne.rule, and 13.6 days to brute force lengths 6-7. And that's with a 25-GPU cluster.

And this is where I defer to your expertise. I assume that the 290X must be one of the best cards out there for cracking? So how much do you think this technology has improved in the 2 years since you built your cluster, in terms of MH/s/$? And where do you think it will be 2 years from now? Or 10?

That was really my original point. Hardware will get continue to get faster and cheaper and more attacks against MD5 will be announced. PHPass+MD5 isn't tenable in the long run.

Replace PHPass+MD5 with bcrypt (and select a suitable work factor), and then the 25 GPU cluster plummets from 30 MH/s to 30 hashes/s. Or pair it with a suitable memory-hard KDF (and select a large memory requirement) and the GPU cluster can't even compute hashes as quickly as a single x86 core.

Any password with even a hint of complexity is fairly safe at those speeds. More than enough time to change your passwords.

I agree. I don't even feel compelled to change my own password. It's the people who are using the 6 character minimum that I am concerned about. If this was target.com, I'd say no big deal, but come on... this is Ars!

 

[Sc00bz]

ChrisSD[/url]":swoshmj2]To put numbers on it a six word passphrase generated using Diceware (e.g. "shore durer morale scurry neil scene") gives us:

7776⁶ ~= 2 × 10²³ combinations

Not exactly, there's a subsection of passwords in six word Diceware that are really bad passwords. This is less of a problem with six words. Just recently five word Diceware were considered insecure by the person that came up with Diceware, but the problem is they never were secure. 1 in 13757 passwords were easily broken if you didn't assume it was a Diceware password.

To avoid these bad passwords you need to re-roll if the word is less than four letters long; one of the words that are "aaaa", "bbbb", etc.; or words that are just numbers. Also you need to add a delimiter between words such as spaces or camelCase (or the other CamelCase). This leaves you with 5935 words. 5935⁶ ≈ 2^75.2 vs 7776⁶ ≈ 2^77.5. This decreases the key space by a factor of about five, but you are left with only the high quality passwords. It would be nice if someone came up with a list of 7776 words that are at least four letters long and no matter the order of the words you don't form other words (i.e. pass and word is password or "wordspace" could be word and space or words and pace. In the second case, you wouldn't want all those four words in the list but having three of them is fine if they don't do similar with other words in the list). Although this list may not even exist without using long or exotic words that will be annoying to remember.

ChrisSD[/url]":swoshmj2]All the above are secure enough for a random internet person commenting on a tech blog.

Oh yeah.

 

[_code]

Assuming the database it out there, and probably being brute-forced, could i get my password hash, so I can brute-force on my own, to know what really was my password. So that I can change passwords elsewhere.
phpBB for comments with MD5 hashes, atleast it should have been bcrypt, or why even have a database of important user information, why not go for the usual email, name and website form?
Atleast I didn't expect arstech. to be low on defenses. Now the usual way at how I trusted a service to keep my creds. secure is down the drain.
If anyone needs to check their passwords re-usability on all major services here's the code, https://github.com/codesburner/reusable ... eusable.py Don't trust PLAINTEXT, or mild hashes. Don't feed the passwords dumps by using the script in revealing fashion. Do if you know what you are doing.

 

[Sc00bz]

mehaase[/url]":26u8iquj]

epixoip[/url]":26u8iquj]

mehaase[/url]":26u8iquj]
If there were any factual or mathematical errors in my post that you wish to dispute, please do.

Ok. Your figures are inflated by 50 ~ 200%. PHPass with 2048 rounds isn't ~ 2000x slower than raw MD5 as you reckoned, it's more like 4066x slower than raw MD5.

This is an interesting claim. I had never looked at PHPass source code before today, so I just took a gander. It's about what I expected: a tight loop around the core MD5 algorithm.

$hash = md5($salt . $password, TRUE);
do {
	$hash = md5($hash . $password, TRUE);
} while (--$count);

I don't doubt your claim that this is ~4000x slower than a single MD5 (which means my estimate was off by a factor of 2),

I'll cut you off there because you go into crazy town. So with "md5($password)" you can exit after doing 3/4 of the hash because of a meet-in-the-middle. Also "$hash = md5($hash . $password, TRUE);" means you can't precompute the first few rounds of MD5. Also "$hash . $password" is longer than "$password" which means you have to do more work because you can't just assume zeros. This also needs more registers which effects performance. These are just some reasons.

Since epixoip was giving you a real life benchmark and you don't know how password cracking works you should just believe him.

mehaase[/url]":26u8iquj]Out of curiosity, do you know if oclhashcat calls into PHP to crack PHPass or does it have its own native implementation?

Is this a serious question?... No, if it did then it wouldn't run on a GPU also it would get like 100 H/s with just one salted hash.

mehaase[/url]":26u8iquj]

oclHashcat + R9 290X can pull about 3 MH/s on PHPass single hash brute force, and about 1.5 MH/s on single hash wordlist-based attacks. So with 25x 290X you're looking at 37.5 ~ 75 MH/s depending on the attack, minus ~20% overhead for distributing the workload, so more like 30 ~ 60 MH/s in reality.

To quantify that, that's about five hours just to run through rockyou.txt with d3ad0ne.rule, and 13.6 days to brute force lengths 6-7. And that's with a 25-GPU cluster.

And this is where I defer to your expertise. I assume that the 290X must be one of the best cards out there for cracking? So how much do you think this technology has improved in the 2 years since you built your cluster, in terms of MH/s/$? And where do you think it will be 2 years from now? Or 10?

That was really my original point. Hardware will get continue to get faster and cheaper and more attacks against MD5 will be announced. PHPass+MD5 isn't tenable in the long run.

There really isn't anything faster than 290X. There is the GTX 980 which is faster at somethings and slower at others. This is the other high end card on the market. We'll have to wait until mid next year for AMD to defiantly take back the lead.

Current GPUs are 28nm and CPUs are at 14nm. Intel said that we are in the last decade of using silicone. Which probably means Moore's Law will stop. Since GPUs are behind CPUs in fabrication size I would expect that GPUs will get a few more generations on silicone. We'll probably switch to some other technology. This might make a really large leap in computing power. As there are a few things that might get us >50 GHz to THz processors.

So in other words I have no clue , but if you just blindly follow computing power doubles every two years then it's easy. (Also Moore's Law is just that transistor size shrinks in half about every two years. Which basically means twice the computing power.)

mehaase[/url]":26u8iquj]Replace PHPass+MD5 with bcrypt (and select a suitable work factor), and then the 25 GPU cluster plummets from 30 MH/s to 30 hashes/s.

No, bcrypt is much better than phpass but it's not a factor of a million.

mehaase[/url]":26u8iquj]Or pair it with a suitable memory-hard KDF (and select a large memory requirement) and the GPU cluster can't even compute hashes as quickly as a single x86 core.

Currently there is no recommend memory-hard KDF that will be fast enough when written in PHP. There is battcrypt , but I would not recommend using it yet.

 

[Deleted member 192806]

Sc00bz[/url]":18yp0zf9]Current GPUs are 28nm and CPUs are at 14nm. Intel said that we are in the last decade of using silicone. Which probably means Moore's Law will stop. Since GPUs are behind CPUs in fabrication size I would expect that GPUs will get a few more generations on silicone. We'll probably switch to some other technology. This might make a really large leap in computing power. As there are a few things that might get us >50 GHz to THz processors.

I recommend that new saline tech. Gives bouncier answers.

 

[DavidIQ]

_code[/url]":11lx9psy]Assuming the database it out there, and probably being brute-forced, could i get my password hash, so I can brute-force on my own, to know what really was my password. So that I can change passwords elsewhere.
phpBB for comments with MD5 hashes, atleast it should have been bcrypt, or why even have a database of important user information, why not go for the usual email, name and website form?
Atleast I didn't expect arstech. to be low on defenses. Now the usual way at how I trusted a service to keep my creds. secure is down the drain.
If anyone needs to check their passwords re-usability on all major services here's the code, https://github.com/codesburner/reusable ... eusable.py Don't trust PLAINTEXT, or mild hashes. Don't feed the passwords dumps by using the script in revealing fashion. Do if you know what you are doing.

phpBB doesn't store passwords using MD5. This has been stated so many times in this topic that I almost feel bad mentioning it yet again, but feel that it is important enough to mention it, again.

I've changed my password here and forgot it...go figure. So I had to do a password reset. Maybe I'll just keep doing that.

 

[Sc00bz]

Ostracus[/url]":38qdj8lc]

Sc00bz[/url]":38qdj8lc]Current GPUs are 28nm and CPUs are at 14nm. Intel said that we are in the last decade of using silicone. Which probably means Moore's Law will stop. Since GPUs are behind CPUs in fabrication size I would expect that GPUs will get a few more generations on silicone. We'll probably switch to some other technology. This might make a really large leap in computing power. As there are a few things that might get us >50 GHz to THz processors.

I recommend that new saline tech. Gives bouncier answers.

I always mess that up. I can't count the number of times I have messed this up.

 

[epixoip]

mehaase[/url]":3h0kkidg]This is an interesting claim. I had never looked at PHPass source code before today, so I just took a gander. It's about what I expected: a tight loop around the core MD5 algorithm. I don't doubt your claim that this is ~4000x slower than a single MD5 (which means my estimate was off by a factor of 2), but this implies that the PHP implementation has an overhead cost of 100% (compared to an unrolled loop in native code). I'm guessing that memory allocation and string concatenation are probably the most expensive operations. If the same algorithm was implemented in a more efficient language, then the overhead could be reduced drastically. Out of curiosity, do you know if oclhashcat calls into PHP to crack PHPass or does it have its own native implementation?

Well no, oclHashcat certainly doesn't call PHP to crack PHPass, that would not be possible for GPU cracking. oclHashcat kernels are written in OpenCL (AMD) and CUDA (Nvidia), and it has its own heavily-optimized kernel for PHPass.

PHPass might be 2048x slower than raw MD5 in PHP, I don't know. Probably a bit slower than that due to the string concatenation. But the reason PHPass is 4066x slower than raw MD5 in oclHashcat, and not 2048x slower as one might logically conclude, is that there are several optimizations for raw MD5 (and indeed most all raw hashes) that we cannot apply to PHPass. In "oclHashcat speak", these optimizations are:

* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Scalar-Mode
* Raw-Hash

In other words, with salted and iterated MD5, we can't take any shortcuts such as pre-computing, partially reversing, and exploiting early-skip checks like we can with raw MD5. And the reason wordlist-based attacks are slower is because we can't take advantage of the zero-byte optimization for short inputs.

mehaase[/url]":3h0kkidg]And this is where I defer to your expertise. I assume that the 290X must be one of the best cards out there for cracking? So how much do you think this technology has improved in the 2 years since you built your cluster, in terms of MH/s/$? And where do you think it will be 2 years from now? Or 10?

Yes, the 290X is currently the best in terms of Perf/$. GPU speed doubles roughly every 4 years (each generation is usually ~25% faster than the last.) We upgrade our clusters about every 12 months.

mehaase[/url]":3h0kkidg]
That was really my original point. Hardware will get continue to get faster and cheaper and more attacks against MD5 will be announced. PHPass+MD5 isn't tenable in the long run. Replace PHPass+MD5 with bcrypt (and select a suitable work factor), and then the 25 GPU cluster plummets from 30 MH/s to 30 hashes/s.

Well no, it wouldn't plummet to 30 H/s. More like 1 KH/s * 25 = 25 KH/s for 08.

But I don't understand why you're so hung up on the use of MD5 in PHPass. In the absence of better pre-image attacks, there's nothing wrong with basing a password hashing function on MD5, as the cryptographic weaknesses of MD5 do not apply to the context of password cracking. Just as bcrypt can run at several KH/s with a low work factor, PHPass supports up to 2^16 iterations. So you can select a suitable work factor for PHPass, too.

Look, no one is arguing that PHPass is better than bcrypt, that would be absurd. But in no way should anyone draw the conclusion that PHPass is a poor password hashing algorithm, especially if your basis for that decision is "because MD5."

 

[epixoip]

Sc00bz[/url]":1fnjgfvw]I'll cut you off there because you go into crazy town.

You're too funny, Steve

 

[Sc00bz]

Just looking at the ID numbers, there are around 465,000 Ars Technica users. There are a lot of nonexistent IDs. Which were probably spam bots. So there might be a lot less. Probably like 400,000.

 

[sraboy]

Maybe it's just me, but I'd appreciate it if a notice about the breach were posted at the top of the front page, or if I got an email. I rarely bother to login to Ars since I don't comment much but I've been a reader for quite a long while. This is far more interesting to me then the current "Top Post" about a couple Kiwis locking themselves in a car and I only knew about it because I'm so bored today that I scrolled all the way down the page to catch up on the last couple day's worth of news.

While I trust phpBB's implementation of MD5 reasonably well and used a unique password on Ars, I don't always do so and Ars shouldn't attempt to ignore that issue just because people are encouraged to use unique passwords.

 

[Rainbird]

sraboy[/url]":2abhkfuu]Maybe it's just me, but I'd appreciate it if a notice about the breach were posted at the top of the front page, or if I got an email.

You did get an e-mail.

 

[epixoip]

Rainbird[/url]":1h6ab70j]

sraboy[/url]":1h6ab70j]Maybe it's just me, but I'd appreciate it if a notice about the breach were posted at the top of the front page, or if I got an email.

You did get an e-mail.

And it was at the top of the page for a day and a half.

 

[Dark Steve]

epixoip[/url]":10a04y7j]As the owner of the rig you are referencing...

Epic burn!

mehaase[/url]":10a04y7j]Yes, I am looking at single hashes, and I explicitly said that in the first paragraph of my post

Why would you present cracking speeds for single unsalted hashes when the passwords were salted and hashed 2048 times?

If there were any factual or mathematical errors in my post that you wish to dispute, please do.

You mean other than the complete disconnect between the hashing of the actual passwords and the oversimplified hashing you presented in your calculations?

mehaase[/url]":10a04y7j]

Any password with even a hint of complexity is fairly safe at those speeds. More than enough time to change your passwords.

I agree. I don't even feel compelled to change my own password.

Then what are you complaining about? If you feel safe enough not to bother changing your password, why are you misrepresenting the site security and claiming Ars should know better? Because some people don't follow best practice and use passwords less than six characters long?