Pierluigi Paganini
September 04, 2017
The anonymous CynoSure Prime ‘cracktivists” is back and reversed 320 million hashed passwords dumped to the popular researcher Troy Hunt.
Two years ago the CynoSure Prime group reversed hashes of 11 million leaked Ashley Madison passwords. The hashed passwords were protected by the cryptographic algorithm Bcrypt, the algorithm implements “salting” of the hashed password to protect them against rainbow table attacks.
Recently the expert Troy Hunt who operates the data breach notification website HaveIBeenPwned has released the passwords that were grabbed from various sources such as the Exploit.in list (805,499,391 rows of email address and plain text password pairs, but with only 197,602,390 unique values) and the Anti Public list (562,077,488 rows with 457,962,538 unique email addresses, 96,684,629 unique passwords not already in the Exploit.in data).
The CynoSure Prime group along with German IT security PhD student @m33x and researchers Royce Williams (@tychotithonus) accepted the challenge.
The passwords disclosed by Hunt were sourced from various data leaks, many of them were protected with the weak hashing algorithms such as the SHA-1.
“Out of the roughly 320 million hashes, we were able to recover all but 116 of the SHA-1 hashes, a roughly 99.9999% success rate. In addition, we attempted to take it a step further and resolve as many “nested” hashes (hashes within hashes) as possible to their ultimate plaintext forms. Through the use of MDXfind [2] we were able to identify over 15 different algorithms in use across the pwned-passwords-1.0.txt and the successive update-1 and update-2 packages following that. We also added support for SHA1SHA512x01 to Hashcat [3].” reads the blog post published by the CynoSure Prime group.
The researchers noticed that 15 different hashes in use were using the MDXfind tool.
The experts noticed that the Hunt’s dump also includes personally identifiable information of some people that likely Hunt didn’t intend to release.
<firstname.lastname@tld><:.,;| /><password> <truncated-firstname.lastname@tld><:.,;| /><password> <@tld><:.,;| /><password> <username><:.,;| /><password> <firstname.lastname@tld><:.,;| /><some-hash>
Hunt appreciated the CynoSure Prime work and confirmed the presence of junk data due to mistakes in parsing made by original authors.
Hunt is working with the CryptoSure Prime data to purge it from the hashed lists hosted at HaveIBeenPwned.
Giving a look at the reversing process, CryptoSure Prime used MDXfind and Hashcat running on a quad-core Intel Core i7-6700K system, with four GeForce GTX 1080 GPUs and 64GB of memory.
The researchers were able to “recover all but 116 of the SHA-1 hashes”.
According to the researchers, most of the passwords in the HaveIBeenPwned release are between 7 and 10 characters long, just for curiosity the longest password we found was 400 characters.
“In order to speed up the analysis of such a large volume of plaintexts, a custom tool was coded “Panal” (will be released at a later time) to quickly and accurately analyse our large dataset of over 320 million passwords. The longest password we found was 400 characters, while the shortest was only 3 characters long.” reads the post published by the CryptoSure Prime group. “About 0.06% of passwords were 50 characters or longer with 96.67% of passwords being 16 characters or less. Roughly 87.3% of passwords fall into the character set of LowerNum 47.5%, LowerCase 24.75%, Num 8.15%, and MixedNum 6.89% respectively. In addition we saw UTF-8 encoded passwords along with passes containing control characters. See [9] for full Panal output.”
The experts concluded that even if blocking common passwords during account creation has positive effects on the overall password security of a website, blacklisting the entire Hunt’s archive can have unforeseeable consequences on usability.
[adrotate banner=”9″]
(Security Affairs – password hashes, cracking)
[adrotate banner=”12″]
