On 3/23/17 4:49 PM, Timothy Coalson wrote:
When you are done, your hash should look something like this:
jason:$2a$16$2ynmKaAAnKZYWLF8umslZeHjkVIX6iDLsx345k59rVkBF/8zWdCqO:17248::::::

If someone can crack this hash I will buy you a beer.

There's some logic to why the shadow file isn't world-readable.  You might
want to reset that password soon anyway (if you haven't already), as the
NSA may decide not to ask for that beer;)


First let me assure you, the NSA is not coming in with a password. They might come in through the Intel ME or perhaps through the service processor (Apple recently dumped Supermicro as a vendor due to malware embedded in their service processor firmware updates), but they are not coming with a password. They may even come in with one of the highly bloated BIOSes. There are easier ways than to try to break a 39-character, blowfish-hashed password with sixteen rounds.

Hashes used to be left out in the open. The real world circumstances behind concealing hashes and the creation of /etc/shadow date back to the 70s, when unix crypt was pretty much unbreakable with the compute power available at the time. When the late 80s and early 90s rolled around, suddenly it was possible to calculate hashes fast enough to crack dictionary words. We are well beyond that now. I have three GTX1080s capable of doing 8+ billion hashes per second each for SHA1 (assuming a small number of target hashes). The name of the game is to make hashing take a long, long time. Since it takes seven CPU seconds for password(1) on an L5630 to compute just one iteration of my thirty-nine character password, I am going to bet that it is pretty safe out in the open, unless someone finds a new attack vector against blowfish. In this event, they'll probably get more than a beer from Bruce. The best case scenario is if I only used lower case, which means the number of possibilities is limited to 26^39 or (according to echo 26^39 | bc) 15274273784216769021564085930704478424313742483024510976 possibilities. Each possibility takes seven seconds. I think my beer money is safe.

While the hash is real, it was for demonstration purposes only. I don't actually use that in a shadow file. Still, show me the plain text and the beer is yours.

best,
j.
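The argument in the message above (cost factor, keyspace, seconds per guess) as a worked example. This is added code, not part of the thread or of any OpenIndiana tool; it assumes the quoted shadow entry joined onto one line, and the 7 seconds per guess and 26-letter alphabet are the figures the message gives, not measurements.

```python
import re
from dataclasses import dataclass

# Constructed sample: the shadow entry quoted in the thread, joined onto one line.
SHADOW_LINE = "jason:$2a$16$2ynmKaAAnKZYWLF8umslZeHjkVIX6iDLsx345k59rVkBF/8zWdCqO:17248::::::"

# bcrypt modular-crypt format: $2a$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass
class BcryptInfo:
    user: str
    variant: str
    cost: int      # the "16" in $2a$16$
    rounds: int    # bcrypt runs 2**cost iterations of its expensive key setup
    salt: str
    digest: str


def parse_shadow_bcrypt(line: str) -> BcryptInfo:
    """Split a shadow(4) line and decode its bcrypt password field."""
    fields = line.split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated shadow fields")
    m = BCRYPT_RE.match(fields[1])
    if not m:
        raise ValueError("password field is not a bcrypt hash")
    variant, cost, salt, digest = m.groups()
    return BcryptInfo(fields[0], variant, int(cost), 2 ** int(cost), salt, digest)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over `alphabet_size` symbols."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int,
                     seconds_per_guess: float, parallel_guesses: int = 1) -> float:
    """Wall-clock years to try every candidate once at the given cost per guess."""
    total_seconds = keyspace(alphabet_size, length) * seconds_per_guess / parallel_guesses
    return total_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    info = parse_shadow_bcrypt(SHADOW_LINE)
    print(f"{info.user}: bcrypt {info.variant}, cost {info.cost} = {info.rounds} rounds")
    # Lower-case only, 39 characters, 7 s per guess, one core (the message's own figures).
    print(f"keyspace 26^39 = {keyspace(26, 39)}")
    print(f"exhaustive search: {years_to_exhaust(26, 39, 7.0):.3e} years on one core")
    print(f"with a million cores: {years_to_exhaust(26, 39, 7.0, 10**6):.3e} years")
```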
_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss
