{"id":4800,"date":"2017-09-05T14:21:29","date_gmt":"2017-09-05T18:21:29","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=4800"},"modified":"2018-10-02T06:22:57","modified_gmt":"2018-10-02T10:22:57","slug":"cynosure-reverses-320-million-hashed-passwords","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/cynosure-reverses-320-million-hashed-passwords\/","title":{"rendered":"CynoSure Prime Reverses 320-million Hashed Passwords"},"content":{"rendered":"<h2>The researchers uncover some interesting data about SHA-1 and passwords in general<\/h2>\n<p>CynoSure Prime, a group that classifies itself as a \u201cpassword research collective,\u201d has <a href=\"https:\/\/blog.cynosureprime.com\/2017\/08\/320-million-hashes-exposed.html\">reverse hashed 320-million passwords<\/a> from Troy Hunt\u2019s Have I Been Pwned database. The collective, working in conjunction with a pair of other researchers, came away with some interesting information while also commenting on the practicality of blacklisting such a lengthy list of leaked passwords. <span id=\"newline\"><\/span><\/p>\n<p>Per CynoSure Prime\u2019s post:<\/p>\n<blockquote><p>Blocking common passwords during account creation has positive effects on the overall password security of a website [10]. While blacklisting 320m leaked passwords might sound like a good idea to further improve password security, it can have unforeseeable consequences on usability (i.e., the level of user frustration). Conventional blacklist approaches typically include the 10k most common passwords to limit online password guessing attack consequences. Until now, there has been no evidence to support which blacklist size provides an optimal balance.<\/p><\/blockquote>\n<p>If you\u2019re not a regular part of the infosec community, the only reason you might know CynoSure Prime\u2019s name is because of its work on the Ashley Madison breach a couple of years ago. 
Even then, CynoSure has only posted a handful of times since 2015. Regardless, the research is impressive. Here are some of the key takeaways.<\/p>\n<p>Also, before we go any further, here\u2019s a functional definition of hashing:<\/p>\n<p>Hashing is the act of transforming a string of characters into a shorter, typically fixed-length value or key. It\u2019s typically used to index and find items in a database, though it also serves other functions.<\/p>\n<h2>More Dirt on SHA-1\u2019s Grave<\/h2>\n<p>While as many as 15 different hashing algorithms appeared in Hunt\u2019s database, the vast majority of the passwords were hashed with good old SHA-1. SHA-1 was officially outmoded a couple of years ago and then, just to remove any doubt, Google spent millions of dollars and conducted years of research that culminated in a <a href=\"https:\/\/www.thesslstore.com\/blog\/sha-1-collision-created\/\">SHA-1 collision<\/a> last year\u2014that really ended the discussion.<\/p>\n<p>As a quick aside, that\u2019s terrifying, Google. The vast majority of us were willing to take the researchers at their word when they said SHA-1 was vulnerable. But you, you dedicated vast resources and brain power to create an outcome that was, to everyone else, just an abstraction at that point. For what? To prove a point? Terrifying.<\/p>\n<p>Anyway, Google will be happy to know that SHA-1 is still very dead.<\/p>\n<blockquote><p>Out of the roughly 320 million hashes, we were able to recover all but\u00a0<strong>116<\/strong>\u00a0of the SHA-1 hashes, a roughly\u00a0<strong>99.9999%<\/strong>\u00a0success rate.<\/p><\/blockquote>\n<p>CynoSure was also able to extrapolate further and resolve \u201cnested\u201d hashes, or hashes within hashes, to their plaintext forms. 
This table breaks down the layout of the different hashes found\u00a0across Hunt\u2019s data (images courtesy of CynoSure Prime):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4803\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/CynoSure-Hashing-Algorithms.png\" alt=\"Hashing Algorithms SHA-1\" width=\"975\" height=\"669\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/CynoSure-Hashing-Algorithms.png 975w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/CynoSure-Hashing-Algorithms-300x206.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/CynoSure-Hashing-Algorithms-768x527.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/p>\n<h2>Additional Information Contained in Hashes<\/h2>\n<p>One of the other issues that CynoSure found was that many of the groups that were originally storing this hashed data \u2013 Hunt\u2019s data is compiled from high profile breaches \u2013 were also storing additional personal identifying information like email\/password combos. 
Some even contained fragments of whole files.<\/p>\n<p>For what it\u2019s worth, Hunt never intended to include this information in his data release and has pledged to scrub it.<\/p>\n<p>The fact that this information exists comes down to mistakes by the original owners with things like parsing.<\/p>\n<h2>Quick Hitter Facts from the Exercise<\/h2>\n<p>Here are some of the best quick hitter facts from CynoSure\u2019s research:<\/p>\n<ul>\n<li>The longest password found was 400 characters<\/li>\n<li>The shortest password found was 3 characters<\/li>\n<li>06% of all passwords were greater than 50 characters<\/li>\n<li>67% of all passwords were less than 16 characters<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4802\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/CynoSure-Character-Set-Distribution.png\" alt=\"Password Character Sets\" width=\"975\" height=\"619\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/CynoSure-Character-Set-Distribution.png 975w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/CynoSure-Character-Set-Distribution-300x190.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/CynoSure-Character-Set-Distribution-768x488.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/p>\n<h2>This Was Not Challenging<\/h2>\n<p>Perhaps the most notable takeaway is just how powerful some of the tools on the market currently are. 
Using MDXfind and Hashcat on a quad-core Intel Core i7-6700K system, with four GeForce GTX 1080 GPUs and 64 gigs of memory, the researchers reverse hashed all but 116 of the hashes in under an hour.<\/p>\n<p>That\u2019s insane.<\/p>\n<h2>What We Hashed Out (For the Skimmers)<\/h2>\n<p>Here are the highlights from today\u2019s conversation:<\/p>\n<ul>\n<li>CynoSure Prime, a \u201cpassword research collective,\u201d did a deep analysis of data made available by researcher Troy Hunt and reverse hashed nearly 320 million passwords.<\/li>\n<li>SHA-1 did not fare well in this exercise, with researchers managing to reverse hash 99.99999% of the SHA-1 data.<\/li>\n<li>The average password is less than 16 characters.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The researchers uncover some interesting data about SHA-1 and passwords in general CynoSure Prime, a group that classifies itself as a \u201cpassword research collective\u201d has reverse hashed 320-million passwords from&#8230;<\/p>\n","protected":false},"author":6,"featured_media":4805,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[159,2726,156],"class_list":["post-4800","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-hashing","tag-passwords","tag-sha-1","post-with-tags"],"views":7480,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/iStock-467768666.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https
:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=4800"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4800\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/4805"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=4800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=4800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=4800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}