Speedy password cracking

Earlier today Jeff Atwood tweeted:

you should *really* be scared if your passwords are all lowercase. 12 chars in 75 days on my box..

He was referring to his post on speed hashing where a video card GPU is used to calculate the hash of any given text. Compared to a computer CPU it does it much faster.

all 6 character password MD5s 47 seconds
all 7 character password MD5s 1 hour, 14 minutes
all 8 character password MD5s ~465 days
all 9 character password MD5s fuggedaboudit

It’s honestly scary and really time for everyone to use pass phrases. They’re not perfect either but they’re better because they’re longer and easier to remember. Some of my passwords are not phrases yet, this pass phrase generator (or this one) should help make it easier to change those.


* obligatory xkcd cartoon.

20f1aeb7819d7858684c898d1e98c1bb

What is the significance of “20f1aeb7819d7858684c898d1e98c1bb”? It’s the MD5 hash of the name “Anthony” and was the password used by someone who broke into lightbluetouchpaper.org. Searching for the md5 hash was clever, but it won’t work for long because Ryan is working on securing the WordPress cookies and passwords.
In case you’re wondering, the hacker got in because the blog was running an outdated version of WordPress.

Tips to help keep your blog safe:

  • Keep all your software updated, not just WordPress. Make sure your plugins are updated.
  • Use a strong password. Don’t use words or sequences of characters like “12345″ as your password. Make it a mix of characters and numbers.
  • Don’t ever store your database dump online in a place Google will index it. It is very easy to use a Google search to find it.
  • If you use public WiFi or a net cafe regularly, use SSL to secure the communication with your blog. Use the secure admin plugin for just this purpose.
  • If you use Firefox, install PwdHash. It’s simple to use and works really well.

WordPress MU admins – Fire up phpmyadmin and look at wp_users. Try these sql queries to find weak passwords in your database:

SELECT count(*) FROM `wp_users` WHERE user_pass = md5(‘wordpress’);
SELECT count(*) FROM `wp_users` WHERE user_pass = md5(’12345′);
SELECT count(*) FROM `wp_users` WHERE user_pass = md5(‘qwerty’);
SELECT count(*) FROM `wp_users` WHERE user_pass = md5(‘anthony’);
SELECT count(*) FROM `wp_users` WHERE user_pass = md5(‘Anthony’);
and because of the season:
SELECT count(*) FROM `wp_users` WHERE user_pass = md5(‘christmas’);

Scary isn’t it how many people still use simple passwords? I must release that “Strong password” plugin we use on WordPress.com soon. That will certainly help avoid account hijacking.

Excel password remover

If, as sometimes happens, you’re working at something and are called away from your desk, it’s nice to know you can lock Excel and stop others fiddling with it. Unfortunately it’s also possible that you might forget your password. *ahem*
If so, go download the Free Excel password remover and watch it work wonders and crack that password and get you back into work mode faster than you can read a long winded run-on sentence that’s meandering nowhere, fast.