LinuxQuestions.org
Old 03-14-2014, 05:16 PM   #16
k3lt01
Senior Member
 
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with LFS.
Posts: 2,900


Quote: Originally Posted by Ser Olmy
Let's further assume that the attacker only has to search through half the keyspace before a matching hash is found. He'll then have cracked the password after roughly 730,750,818,665,451,459,101,842,416,358 seconds, which is a little over 23 sextillion years. By then, the hacker will have had to deal with some other pressing issues, such as the heat-death of the universe.
I'm pretty sure even that will be beyond his worry: http://www.bbc.com/future/story/2014...the-far-future
 
Old 03-14-2014, 06:06 PM   #17
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 3,180
Blog Entries: 1

The far, far future may not be that far if you have all the ASIC miners in the world creating hash tables for you. Not that they are, but you've got to wonder.
 
Old 03-14-2014, 09:48 PM   #18
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian
Posts: 2,192

One of the assumptions people are making to illustrate that it's next to impossible to crack a password is that the hash is seeded with a truly random number.

Usually they aren't. Truly random numbers are extremely difficult to come by, and this is an Achilles heel for all algorithms.
 
Old 03-14-2014, 10:09 PM   #19
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,458

Quote: Originally Posted by haertig
One of the assumptions people are making to illustrate that it's next to impossible to crack a password is that the hash is seeded with a truly random number.

Usually they aren't. Truly random numbers are extremely difficult to come by, and this is an Achilles heel for all algorithms.
Not really.

Hashes aren't seeded; they are salted. Each piece of data will always generate the same hash with the same salt; that's the whole point of hashing. The strength of a hash lies in the non-reversible nature of the algorithm. No entropy or randomness is required.

The reason salts are used is to prevent direct comparison with existing hashes. If I have a list of passwords and their corresponding hash values in a file, and I later come across the password hash "b036d59cb7f7687a68ba8490b8f57387c785f861" and it turns out it's listed in that file, I will instantly know the corresponding password. If salts are used, one would need one list of passwords and hashes for each possible salt value.

A salt is generated when a password is created or changed and a new hash needs to be generated, and that's an event that happens sufficiently rarely that the accuracy of random generators isn't much of an issue.

But when it comes to generating session keys for symmetric encryption, or key pairs for asymmetric encryption, the randomness of the PRNG is a huge issue. This can be a major problem on embedded systems that need to generate keys when booted for the very first time, since there may not be many sources of entropy available at that time.
 
Old 03-15-2014, 05:44 AM   #20
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,704

Quote: Originally Posted by metaschima
I thought of rainbow tables, but the salt prevents it.
No - it just makes the table much bigger.
 
Old 03-15-2014, 06:04 AM   #21
badbodh
LQ Newbie
 
Registered: Nov 2012
Posts: 4

Damn! I can see the rainbows! (0_0)
 
Old 03-15-2014, 06:14 AM   #22
TheTux
LQ Newbie
 
Registered: Aug 2011
Location: India
Distribution: Red Hat, Ubuntu, Fedora, Cent OS,
Posts: 6

Nothing is impossible. Keep changing your passwords and make sure you mix up all the upper and lower letters and symbols when you set up new passwords.
 
Old 03-15-2014, 07:56 AM   #23
Habitual
LQ Addict
 
Registered: Jan 2011
Posts: 8,562
Blog Entries: 13

Quote: Originally Posted by TheTux
Nothing is impossible.
That says it all.
 
Old 03-15-2014, 02:24 PM   #24
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Quote: Originally Posted by jpollard
No - it just makes the table much bigger.
So much bigger as to render the attack implausible, but not impossible.
 
Old 03-15-2014, 02:35 PM   #25
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,704

Quote: Originally Posted by metaschima
So much bigger as to render the attack implausible, but not impossible.
Exactly. This was the original reason cracking a DES hash was considered "impossible" in the 70s. The rainbow table was something on the order of 8GB. The larger disk sizes were 300MB. Now disk sizes are 3-5 TB, but the rainbow tables are in the petabyte range (if not exabyte), thus making them implausible.

Another attack is the parallel search: if you have a million CPUs to throw at the problem, you likely won't need to keep the results except from the single one that succeeded. But more likely there would be a hybrid approach: a lot of different rainbow tables to narrow the search down, then a bunch of CPUs to throw at the remainder.
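An added example, not posted by anyone in this thread, illustrating Ser Olmy's point in post #19 (a stored hash that appears in a precomputed password/hash list gives up its password at once, while a salt forces one list per salt value) and jpollard's point that the salt just makes the table bigger. The word list and salts are constructed; SHA-1 as the underlying hash is an assumption, not something the thread states.

```python
import hashlib
import os

# Constructed word list standing in for the "list of passwords and their
# corresponding hash values" that a table-based attacker has precomputed.
SAMPLE_WORDS = ["password", "letmein", "qwerty", "dragon", "slackware"]


def unsalted_hash(password):
    """Fast unsalted hash (SHA-1 chosen here as an assumption)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Same algorithm with a salt prefixed: one password, many digests."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_table(words):
    """Precomputed digest -> password table for the unsalted scheme."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_digest):
    """A stored digest found in the table reveals its password instantly."""
    return table.get(stored_digest)


def verify(password, salt, stored_digest):
    """Defender side: recompute with the stored salt and compare."""
    return salted_hash(password, salt) == stored_digest


def table_entries_with_salt(base_entries, salt_bits):
    """Entries a table needs to cover every salt value (the 'much bigger')."""
    return base_entries * 2 ** salt_bits


def demo():
    table = build_table(SAMPLE_WORDS)
    # Unsalted store: the digest is identical everywhere, so the table hits.
    recovered = lookup(table, unsalted_hash("letmein"))
    # Salted store: the salt is drawn once, when the password is set.
    salt = os.urandom(16)
    stored = salted_hash("letmein", salt)
    missed = lookup(table, stored)          # None: the table does not apply
    ok = verify("letmein", salt, stored)    # the legitimate check still works
    return recovered, missed, ok
```

Traditional DES-based crypt(3) used a 12-bit salt, so `table_entries_with_salt(n, 12)` shows the 4096-fold growth of a table that has to cover every salt; a 128-bit salt makes the factor 2**128.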
 
Old 03-15-2014, 07:35 PM   #26
Beryllos
Member
 
Registered: Apr 2013
Location: Massachusetts
Distribution: Debian
Posts: 354

Choosing a Secure Password (good article by Bruce Schneier)
 
Old 03-15-2014, 07:53 PM   #27
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

As stated in the articles, there is a delicate balance between a good password and a password you can remember.

I say don't worry too much about entropy. Hackers typically don't use entropy-based methods to crack. They use dictionaries, because people use words as passwords.

The password should NOT be a common word, and should include numbers. It should also be easy to remember or reproduce by the user.

EDIT:
I'm wondering about Schneier's advice here:
Quote:
2. Don't bother updating your password regularly. Sites that require 90-day -- or whatever -- password upgrades do more harm than good. Unless you think your password might be compromised, don't change it.

3. Beware the "secret question." You don't want a backup system for when you forget your password to be easier to break than your password. Really, it's smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
Although 90 days is a bit excessive, I think you should change your password once in a while, like every 6 months to 1 year.

I really dislike the secret questions; it all sounds like a method of rather easily bypassing your password using personal info. You know what I do? I put unrelated information in there.

Write passwords on a piece of paper? Um, no. I'm not doing that. A password safe is a much better idea.

Last edited by metaschima; 03-15-2014 at 08:01 PM.
 
Old 03-15-2014, 07:54 PM   #28
ozar
Member
 
Registered: May 2004
Location: USA
Distribution: Arch Linux
Posts: 415

Quote: Originally Posted by prasanta dutta
how to ensure that my Linux password can't be cracked by any user or even superuser
Hello

Use a strong password, never go online with your machine, never install software on your machine that is not known to be safe, and never allow anyone else direct access to your computer. Do those things and you should be good to go, but you never know these days, so no guarantees. For many people, a strong password along with a firewall and perhaps some security software and a bit of common sense in computing is all they use. They then go forward hoping for the best.

Either way, let us know what you end up doing to protect yourself, and how it works out for you.
 
Old 03-15-2014, 09:49 PM   #29
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,601

Choice of a strong password is actually a very difficult thing for a human to do. Humans tend to be predictable in how we use word and digit combinations, which allows password cracking to be very effective, despite the theoretically large entropy space.
I found this to be a very informative article. http://arstechnica.com/security/2013...r-passwords/1/

[edit]My apologies, just realised that this article is linked in the Bruce Schneier article that Beryllos linked in post #26.[/edit]

Last edited by allend; 03-15-2014 at 10:28 PM.
 