
Reddit mentions of Hash Crack: Password Cracking Manual (v3)

Sentiment score: -1
Reddit mentions: 1

We found 1 Reddit mention of Hash Crack: Password Cracking Manual (v3). Here is the top one.

Hash Crack: Password Cracking Manual (v3)
Features:
  • 3-YEAR WARRANTY. We are confident of our product's quality that is why we give a 3-year warranty. If you have any problem with your purchase within 3 years, please let us know. We will solve it as soon as possible by all means;
  • DIMENSIONS: 3.7 X 0.2 X 5.2 INCHES. Passport Holder does not take much more room than your passport. Yet with the Passport Holder you may put in a purse or a pocket and know that it is safe;
  • The United States Great Seal embossing. Due to its classic design the Passport Holder is good for everyone;
  • 100% MONEY BACK GUARANTEE: In case you are not satisfied with your purchase, return it without any problem. We care about our customers and accept criticism. It helps us to develop ourselves and create new models by taking into account your wishes and preferences;
  • Passport Holder is packed in a durable fabric cover with a leather sample on it. Not only you will enjoy opening the package, but you may also present the Passport Holder to anyone due to its decent look.
Specs:
  • Height: 8.5 Inches
  • Length: 5.5 Inches
  • Number of items: 1
  • Weight: 0.37 pounds
  • Width: 0.31 Inches


Found 1 comment on Hash Crack: Password Cracking Manual (v3):

u/BeanBagKing · 1 point · r/Passwords

I agree with /u/TaviRider, I did want to expand on how passwords are attacked and the side channel aspect though.

Regarding the side channel attack, it might be worse than that depending on how they implement it. I could try a user name with any random password that I know won't work. If they compare algorithms and return a failed result instantly if it doesn't match, then I know the algorithm is the opposite of whichever one was involved in my trial. If it's slower to return, then I know a comparison took place. In other words, I don't need to see the encrypted traffic generated by the user, I can generate my own.

Regarding the password cracking.... basically the entire thing is wrong. "Lookup tables"? I mean, I guess you could create something like that, but nobody would. Nobody even uses rainbow tables anymore (think of it as a compressed lookup table, a time/memory tradeoff). There's just no point. If it's a strong/salted hash, then the lookup table won't work. If it's a weak hash, then you can exhaustively search that same keyspace in about the same amount of time. To put it more succinctly, "Rainbow tables are dead. They died years ago. Stop trying to resurrect them." I'm not even sure why this was brought up in the article.

Regarding brute force, same thing, this just isn't really how password cracking is done (shout out to Hash Crack! It's amazing). You use wordlists, rules, and other utilities to generate candidates that you think people are going to actually use, you don't exhaustively search the entire keyspace hoping to get lucky. The only thing this split hashing algorithm has done for me is made my job easier. Now I can divide up the passwords and be much lazier about the 14+ character ones, by that I mean I can throw larger wordlists with more rules at it and get lucky, because hey! fast hashes! Instead of having to get smart about the candidates I generate because bcrypt is so f-ing slow.

TL;DR - No, I don't think this is a good idea. The gold standard of password storage, as far as I've seen, is what Dropbox does - https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/