Silk Road forums
Discussion => Security => Topic started by: railroadbill on October 05, 2013, 02:20 pm
-
What do you think, did dpr lie about encrypting our passwords too?
-
Compromised passwords are a safe paranoid assumption. Is anyone familiar with the backend used on the forums?
-
The forum passwords are all stored as SHA1 hashes salted with the account username.
You know you shouldn't be reusing this password anywhere else. If you are then go and change them.
-
The forum passwords are all stored as SHA1 hashes salted with the account username.
You know you shouldn't be reusing this password anywhere else. If you are then go and change them.
What would be the point of trying to crack individual account passwords? It would be of far more value to crack the main administrator password. They may not even need to do that, for all we know they may have obtained it when they seized DPR's laptop. Unless I'm mistaken, the administrator should be able to see everything, including PMs sent between users. As a result, anything posted or sent as a PM on here should be considered in the hands of the Feds, unless it's encrypted.
The Administrator account should also be able to change passwords for users, enabling them to lock out the original owners and allowing the Feds to use those accounts.
I think what they're doing is just watching and gathering intel for now: collecting email addresses, PGP keys, seeing what other Darknet marketplaces people are planning to move to, etc.
I believe the Forum will be allowed to continue as long as it is of value to them -- when they are satisfied with what information they've collected, they'll shut it down.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
-
Even encrypted passwords can be broken if they can guess your password from a dictionary or brute force. The encrypted password can confirm a guess so it gives them unlimited guesses.
Currently, a random password over 15 characters is unlikely to be brute forced with feasible technology.
Passwords under 9 characters will be broken for sure eventually regardless of how random they are.
-
Even encrypted passwords can be broken if they can guess your password from a dictionary or brute force. The encrypted password can confirm a guess so it gives them unlimited guesses.
Currently, a random password over 15 characters is unlikely to be brute forced with feasible technology.
Passwords under 9 characters will be broken for sure eventually regardless of how random they are.
Agreed. The problem with passwords is that people are really lousy at choosing good, random, ones.
For an excellent idea of just how the Feds do it, see Brian Krebs' superb article written for the Washington Post:
DNA Key to Decoding Human Factor
Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence
By Brian Krebs
washingtonpost.com Staff Writer
Monday, March 28, 2005; 6:48 AM
http://www.washingtonpost.com/wp-dyn/articles/A6098-2005Mar28.html (clearnet link)
Nightcrawler
-
Every username and password needs to be different; never reuse.
-
A cracked (known) password is a great starting point to defeat other password-protected mechanisms down the road. If they're ever at a point where they're stumped by a password to protect FDE/TrueCrypt/PGP keys/SSH keys/whatever, wouldn't they want to start their dictionary attack with variations on that person's known passwords?
If they see the same, non-trivial, password in two different places, don't you think it would be a reasonable assumption on their part that the two different accounts belong to the same entity? i.e. UserX at SiteA uses the same password as UserY at SiteB. Same person.
It doesn't really cost them anything.. just feed that shit into cuda hashcat or the like and wait a while. Why wouldn't they?
-
A cracked (known) password is a great starting point to defeat other password-protected mechanisms down the road. If they're ever at a point where they're stumped by a password to protect FDE/TrueCrypt/PGP keys/SSH keys/whatever, wouldn't they want to start their dictionary attack with variations on that person's known passwords?
It goes a little further than that, actually. If you read Krebs' article, you will see that Access Data's software is used to scour a suspect's machine for keywords reflecting the suspect's hobbies, interests, etc. These are used to build a custom dictionary with which to attack their encrypted data. Most people choose passwords which are memorable to them, which means they are based on something they're interested in. Access Data's software exploits that principle. The only way to defeat this is to use a scheme like Diceware.
If they see the same, non-trivial, password in two different places, don't you think it would be a reasonable assumption on their part that the two different accounts belong to the same entity? i.e. UserX at SiteA uses the same password as UserY at SiteB. Same person.
Precisely.
It doesn't really cost them anything.. just feed that shit into cuda hashcat or the like and wait a while. Why wouldn't they?
Indeed.
Nightcrawler
-
I would like to see them crack my 37 characters of random ascii. Even if they did it, it would be of no use. I don't use it anywhere else.
-
I would like to see them crack my 37 characters of random ascii. Even if they did it, it would be of no use. I don't use it anywhere else.
Even if you used just upper/lower case and numerics, you'd be looking at on the order of 62^37 combinations, or 2.08x10^66. That works out to about 220 bits of entropy, or just a shade less than AES-256. You'd be long dead before they cracked this.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090 (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
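Added example, not part of any post in this thread: a Python sketch of the storage scheme described above (SHA-1 salted with the username) beside a per-account random salt with a slow KDF, plus the entropy and exhaustion-time arithmetic the posts quote. The exact hash layout (lowercased username prepended to the password), the sample account, and the guess rate of 1e10 per second are assumptions, not values from the forum software.

```python
import hashlib
import hmac
import math
import os

def legacy_hash(username: str, password: str) -> str:
    """SHA-1 salted with the username, as the thread describes.
    The layout (lowercased username + password) is an assumption."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()

def hardened_record(password: str, iterations: int = 600_000) -> dict:
    """Per-account random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def hardened_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed offline guess rate."""
    return alphabet_size ** length / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    user, pw = "example_user", "constructed-sample-password"  # constructed sample
    # Username salt: the same account name and password always hash identically,
    # so one fast SHA-1 per guess confirms or rejects a candidate offline.
    print("legacy deterministic:", legacy_hash(user, pw) == legacy_hash(user, pw))
    a, b = hardened_record(pw), hardened_record(pw)
    print("random salt differs:", a["digest"] != b["digest"], hardened_verify(pw, a))
    rate = 1e10  # assumed guesses per second, for illustration only
    for n in (8, 15, 37):
        print(n, "chars:", round(entropy_bits(62, n), 1), "bits,",
              f"{years_to_exhaust(62, n, rate):.3g} years to exhaust")
```

The slow KDF multiplies the cost of every offline guess by the iteration count, which matters most for the short or dictionary-based passwords the posts warn about.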
-
I would like to see them crack my 37 characters of random ascii. Even if they did it, it would be of no use. I don't use it anywhere else.
Even if you used just upper/lower case and numerics, you'd be looking at on the order of 62^37 combinations, or 2.08x10^66. That works out to about 220 bits of entropy, or just a shade less than AES-256. You'd be long dead before they cracked this.
Yes. I know it is overkill in terms of entropy. The extra characters are to mitigate the possibility of shoulder surfing.
"Did you see his password?"..."Yes I got to look at it for 20 seconds"..."What is it!?"..."I can't remember"