16 Years Of Password Cracking

Dave G. | March 6th, 2006 | Filed Under: Uncategorized

From Gene Spafford, circa 1990:

Crackers have copies of *very* fast password code. Some are advertising password cracking services (“You drop off the password file and we’ll break easy passwords.”) They are capable of checking over 100 passwords per second on their machines against large dictionaries. They don’t care if they have to burn a week or so of cpu time — they have 386 machines dedicated to this kind of thing.

From Solar Designer, circa 2006:

John 1.7 also improves on the use of MMX on x86 and starts to use AltiVec on PowerPC processors when cracking DES-based hashes (that is, both Unix crypt(3) and Windows LM hashes). To my knowledge, John 1.7 (or rather, one of the development snapshots leading to this release) is the first program to cross the 1 million Unix crypts per second boundary on a general-purpose CPU. John 1.7 achieves up to 1.6M c/s raw performance (with no matching salts) on a PowerPC G5 at 2.7 GHz (or 1.1M c/s on a 1.8 GHz) and approaches 1M c/s on the fastest x86 CPUs currently available.

To understand what a 2006SolarDiz would look like to a 1990Spaf, you would need to read this. To be fair, I am not sure a 2006DaveG would fare much better than 1990Spaf.

Viewing 1 Comment

    Wow, things sure have come a long way. When I wrote PalmCrack (www.noncon.org) it managed 25 c/s on the Motorola Dragonball processor. Alec Muffett says that in 1992 when working on Crack, replacing crypt() with fcrypt() yielded 25 crypts/sec on a Sun 3/60.

    Passwords won't protect you. Your OS won't protect you (iMac hacked in less than 30 minutes). I guess the best defense is:

    (1) Keep the ankle biters at bay
    (2) Don't be a target of the determined

    Steve
    Steve Lodin | Homepage | 03.07.06 - 10:10 am | #
