
pwgen Crackable Passwords

Posted Jan 18, 2012
Authored by Solar Designer

6% of pwgen passwords generated can get cracked in 2 minutes with NTLM hashes. For the MD5-based crypt(3), NTLM's 2 minutes would translate to 2 days.

tags | advisory
SHA-256 | 0cce10ca1a5989b09cd638d36869a014336958fad1337b95c08ad71bfe840357

Hi,

I never heard back from Ted on the below. I am not complaining -
I understand that Ted is super busy with great stuff like ext4 - yet I
think it's time to bring this to oss-security (for distros) and to
Bugtraq (for end-users). (Not really "to make this public" since the
issue was already discussed in public on john-users.)

Some highlights (excerpts from the longer message below):

"Time running (D:HH:MM) - Keyspace searched - Passwords cracked
0:00:02 - 0.0008% - 6.0%
0:01:00 - 0.025% - 19.5%
0:20:28 - 0.5% - 39.1%
1:16:24 - 1.0% - 47.1%
3:00:48 - 1.8% - 55.2%
3:21:44 - 2.3% - 59.4%
5:05:17 - 3.1% - 64.2%

6% of pwgen'ed passwords get cracked in 2 minutes. This is with NTLM
hashes, which are obviously very fast. For the MD5-based crypt(3),
NTLM's 2 minutes would translate to 2 days, and this would apply
per-salt, yet having 6% of passwords crackable in 2 days on a single CPU
core is probably unacceptable.

What might be worse is that 0.5% of passwords get cracked in 1 second
(NTLM). This is approx. 20 minutes for MD5-based crypt(3) hashes, also
on one CPU core. 0.5% is small, but not negligible."

Additional notes for Bugtraq:

Now is a good time because a related issue was just brought up:

"gpw password generator giving short password at low rate"
http://www.openwall.com/lists/oss-security/2012/01/17/2

Oh, and while I am at it: beware of JavaScript password generators -
these are almost universally broken by design.

Not very closely related, but DragonFly BSD's password hashing is
ridiculous (non-portable and weaker than FreeBSD's). I am gradually
bringing more attention to the problem in an attempt to get it
corrected (this posting is one such step):

http://www.openwall.com/lists/oss-security/2012/01/16/2

Alexander

----- Forwarded message from Solar Designer <solar@openwall.com> -----

Date: Tue, 25 Jan 2011 17:51:43 +0300
From: Solar Designer <solar@openwall.com>
To: Theodore Ts'o <tytso@mit.edu>
Subject: pwgen: non-uniform distribution of passwords

Hi Ted,

I did some testing of pwgen-2.06's "pronounceable" passwords, and I
think they might be weaker than you had expected (depends on what you
had expected, which I obviously don't know).

Specifically, not only the keyspace is significantly smaller than that
for "secure" passwords (which I'm sure you were aware of), but also the
distribution is highly non-uniform. My guess is that this results from
different phonemes containing the same characters. So certain
substrings can be produced in more than one way, and then some
characters turn out to be more probable than some others (especially as
it relates to their conditional probabilities given certain preceding
characters).

By generating a custom .chr file for John the Ripper based on a lot of
pwgen'ed passwords, I am able to crack further pwgen'ed passwords a lot
faster - possibly faster than you would have expected. This is without
any custom programming yet, which could provide a further speedup (by
fully avoiding candidate passwords that couldn't possibly be generated).

Time running (D:HH:MM) - Keyspace searched - Passwords cracked
0:00:02 - 0.0008% - 6.0%
0:01:00 - 0.025% - 19.5%
0:20:28 - 0.5% - 39.1%
1:16:24 - 1.0% - 47.1%
3:00:48 - 1.8% - 55.2%
3:21:44 - 2.3% - 59.4%
5:05:17 - 3.1% - 64.2%

That is, 6% of pwgen'ed passwords get cracked in 2 minutes. This is
with NTLM hashes, which are obviously very fast. For the MD5-based
crypt(3), NTLM's 2 minutes would translate to 2 days, and this would
apply per-salt, yet having 6% of passwords crackable in 2 days on a
single CPU core is probably unacceptable - or at least not what users of
pwgen would reasonably expect (I think), unless they're explicitly told
about this. On a quad-core, this is 6% in half a day.

What might be worse, but is not seen in the table above, is that 0.5%
of passwords get cracked in 1 second (NTLM). This is approx. 20 minutes
for MD5-based crypt(3) hashes, also on one CPU core. 0.5% is small, but
not negligible.

The "keyspace searched" column above shows percentage of the full
{62 different, length 8} keyspace. I'd also include percentages of the
smaller keyspace that corresponds to the pronounceable passwords only,
but its size is non-trivial to calculate, so I did not bother...

Additionally, there are over 2 thousand duplicates in just 1 million of
generated passwords. Sounds like too many dupes. Not what a user would
expect, I think.

More info on the attack:

http://www.openwall.com/lists/john-users/2010/11/17/7
http://www.openwall.com/lists/john-users/2010/11/22/5
http://www.openwall.com/lists/john-users/2010/11/28/1
http://www.openwall.com/lists/john-users/2010/12/06/1

The "secure" ("-s") passwords appear to be safe from this:

http://www.openwall.com/lists/john-users/2010/12/07/3

A reimplementation of pwgen in JavaScript shows even worse behavior:

http://www.openwall.com/lists/john-users/2010/12/07/4
http://www.openwall.com/lists/john-users/2010/12/21/5

Please let me know if you're going to address this in any way (code,
documentation, advisory - whatever) or not (that is, I'd appreciate a
response either way).

Thanks,

Alexander

----- End forwarded message -----
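
The message attributes the skew to overlapping phonemes and cites the duplicate count as a symptom. The following is an added example, not part of the original message and not pwgen's code: it uses a constructed toy phoneme table (`TOY_PHONEMES`, hypothetical) to compute an exact output distribution and its entropies, and applies a birthday-bound estimate to the message's duplicate figure, assuming the duplicate count approximates the number of colliding pairs.

```python
import math
from fractions import Fraction

# Constructed toy phoneme table (NOT pwgen's real one). "ae" overlaps "a"+"e"
# and "th" overlaps "t"+"h", so some strings can be built in several ways.
TOY_PHONEMES = ["a", "e", "ae", "b", "t", "th", "h"]

def exact_distribution(phonemes, length):
    """Exact output probabilities when each step picks uniformly among the
    phonemes that still fit, until the string has `length` characters."""
    partial, done = {"": Fraction(1)}, {}
    while partial:
        nxt = {}
        for s, p in partial.items():
            fits = [ph for ph in phonemes if len(s) + len(ph) <= length]
            for ph in fits:
                t = s + ph
                bucket = done if len(t) == length else nxt
                bucket[t] = bucket.get(t, 0) + p / len(fits)
        partial = nxt
    return done

def entropies(dist):
    """Bits of: uniform-over-support, Shannon, collision (Renyi-2), min-entropy."""
    probs = [float(p) for p in dist.values()]
    return {
        "uniform": math.log2(len(probs)),
        "shannon": -sum(p * math.log2(p) for p in probs),
        "collision": -math.log2(sum(p * p for p in probs)),
        "min": -math.log2(max(probs)),
    }

def effective_keyspace_bits(samples, duplicates):
    """Birthday estimate (assumes duplicates ~= colliding pairs):
    duplicates ~= C(samples, 2) * sum(p^2), so
    1 / sum(p^2) ~= samples * (samples - 1) / (2 * duplicates)."""
    return math.log2(samples * (samples - 1) / (2 * duplicates))

if __name__ == "__main__":
    dist = exact_distribution(TOY_PHONEMES, 4)
    print(len(dist), "distinct strings;", entropies(dist))
    print("aeae vs bbbb:", dist["aeae"], dist["bbbb"])
    # Figures from the message: 1 million samples, "over 2 thousand" duplicates
    # (2000 used as a round lower bound), against the 62^8 keyspace.
    print("effective bits <=", round(effective_keyspace_bits(10**6, 2000), 1),
          "vs uniform", round(8 * math.log2(62), 1))
```

The gap between the "uniform" figure and the collision and min-entropy figures is what a generator audit should report, since counting distinct outputs alone hides the skew.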