Early versions of the free/open Unix variant BSD came with password files that included hashed passwords for such Unix luminaries as Dennis Ritchie, Stephen R. Bourne, Eric Schmidt, Brian W. Kernighan and Stuart Feldman.
Leah Neukirchen recovered a BSD version 3 source tree and posted about it on the Unix Heritage Society mailing list, revealing that she was able to crack many of the weak passwords, which were protected by the equally weak hashing algorithm of those bygone days.
Dennis MacAlistair Ritchie’s was “dmac”, Bourne’s was “bourne”, Schmidt’s was “wendy!!!” (his wife’s name), Feldman’s was “axlotl”, and Kernighan’s was “/.,/.,”.
Four more passwords were cracked by Arthur Krewat: Özalp Babaoğlu’s was “12ucdort”, Howard Katseff’s was “graduat;”, Tom London’s was “..pnn521”, Bob Fabry’s was “561cml..” and Ken Thompson’s was “p/q2-q4!” (chess notation for a common opening move).
BSD 3 used Descrypt for password hashing, which limited passwords to eight characters, salted with 12 bits of entropy.
Descrypt limits passwords to just eight characters, a constraint that makes it all but impossible for end users to choose truly strong credentials. And the salt Descrypt uses provides just 12 bits of entropy, the equivalent of two printable characters. That tiny salt space makes it likely that large databases will contain thousands of hash strings that attackers can crack simultaneously, since the hash strings use the same salt.
Jeremi M. Gosney, a password security expert and CEO of the password-cracking firm Terahash, told Ars that Descrypt is so weak and antiquated that one of his company’s 10-GPU Inmanis appliances (price: almost $32,000) could besiege a Descrypt hash with 14.5 billion guesses per second (the rigs can be clustered to achieve faster results). The speed of just one rig is enough to brute force the entire Descrypt keyspace—which, due to practical limitations, was about 2^49 in 1979—in less than 10 hours, and even less time when using cracking tools, such as wordlists, masks, and mangling rules. This site will also crack a Descrypt hash for as little as $100.
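The 12-bit salt described above can be audited directly in a password file. The following is an added example, not code from the original post or from anyone quoted in it: it flags 13-character Descrypt entries in a passwd-format file, groups them by their two-character salt, and estimates how many hashes end up sharing a salt as a database grows. The sample file, its hash strings, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Traditional DES crypt: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DESCRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")
SALT_SPACE = 64 ** 2  # two 6-bit characters = 12 bits = 4096 possible salts

# Constructed sample in passwd layout; the hash fields are made-up strings,
# not real hashes of any password.
SAMPLE_PASSWD = """\
alice:abQ1w2e3r4t5y:10:1:Alice:/usr/alice:/bin/sh
bob:abZ9x8c7v6b5n:11:1:Bob:/usr/bob:/bin/sh
carol:x.AAAAbbbbCCC:12:1:Carol:/usr/carol:/bin/sh
dave:$6$Nq3salt$notARealSha512cryptValue:13:1:Dave:/usr/dave:/bin/sh
erin:*:14:1:Erin:/usr/erin:/bin/sh
frank:abQ1w2e3r4t5y:15:1:Frank:/usr/frank:/bin/sh
"""

def audit_descrypt(passwd_text):
    """Return {salt: [users]} for every account whose hash field is Descrypt."""
    by_salt = defaultdict(list)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Locked accounts ("*") and modern "$id$..." hashes do not match.
        if len(fields) >= 2 and DESCRYPT_RE.fullmatch(fields[1]):
            by_salt[fields[1][:2]].append(fields[0])
    return dict(by_salt)

def expected_distinct_salts(n_hashes):
    """Expected number of different salts among n uniformly salted hashes."""
    return SALT_SPACE * (1 - (1 - 1 / SALT_SPACE) ** n_hashes)

def report(passwd_text):
    by_salt = audit_descrypt(passwd_text)
    total = sum(len(users) for users in by_salt.values())
    print(f"{total} Descrypt hashes, {len(by_salt)} distinct salts")
    for salt, users in sorted(by_salt.items()):
        if len(users) > 1:
            print(f"  salt {salt!r} shared by: {', '.join(users)}")
    # Hashes sharing a salt are all tested by one hash computation per guess,
    # so the hashes-per-salt ratio is how much protection the salt fails to add.
    for n in (1_000, 100_000, 1_000_000):
        d = expected_distinct_salts(n)
        print(f"  {n:>9} hashes -> ~{d:.0f} salts, ~{n / d:.0f} hashes per salt")

if __name__ == "__main__":
    report(SAMPLE_PASSWD)
```

Any account the audit returns is a candidate for a forced reset onto a modern, slow hash with a long salt.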
Re: [TUHS] Recovered /etc/passwd files [Leah Neukirchen/The Unix Heritage Society mailing list]
Forum cracks the vintage passwords of Ken Thompson and other Unix pioneers [Dan Goodin/Ars Technica]
(via Four Short Links)