Thread: Classic New B&N eReader $259 & will allow sharing
View Single Post
Old 10-21-2009, 01:17 PM   #352
sircastor
Reader
sircastor got an A in P-Chem.sircastor got an A in P-Chem.sircastor got an A in P-Chem.sircastor got an A in P-Chem.sircastor got an A in P-Chem.sircastor got an A in P-Chem.sircastor got an A in P-Chem.sircastor got an A in P-Chem.sircastor got an A in P-Chem.sircastor got an A in P-Chem.sircastor got an A in P-Chem.
 
sircastor's Avatar
 
Posts: 85
Karma: 6124
Join Date: Jul 2009
Device: PRS-505
Quote:
Originally Posted by kacir View Post
You can retrieve a password.
Even if it is stored as a one-way hash.
There are numerous programs (such as well known John The Ripper for unix passwords) and services (such as server in Switzerland that has database of hashes for all possible password combinations for Windows computers (there is maximum 26 letters allowed in Windows))
It can't be that difficult to brute-force CC number on a quad-core machine with more than of 4GB RAM
I think this is more complex than you're giving it credit.
In the case of the windows password, you're not just looking at 26 characters in any combination, you're looking for up to 26 characters in any combination.
With just the initial 26 characters in any order, you're looking at 26^25, or as an integer:
2,367,738,300,079,67,588,876,795,164,938,469,376

That's a large number.
(That's assuming only 26 alphabet characters and no case differentiation)

Your quad-core machine is capable of a significant number of operations, but even so, it has to test those possible combinations. If we go in order starting with 26 consecutive "A"s, this test is going to take us a LONG time. Even at a million tries/second, You're still looking at BILLIONS of years. Brute force is a wholly impractical way to resolve passwords. If you add some rules to your brute force, you'll be able to do it faster, at the cost of not trying some passwords.

Now, the game is a little more promising for our criminal if we're working with a name and a credit card number combination. While the number of characters is greater (often, but not always), the available combinations are fewer. Some of the numbers on your credit card identify the issuer, the industry, etc. Names are fairly limited to probably a few thousand or ten-thousand.

I think we can safely assume that the hash is generated out of the name and Credit Card number, So you have to brute-force both simultaneously. Either way, we're again talking about an absurdly high number of tests.

The advantage our criminal has is that if he has your nook, he probably knows your name, just by playing around in it. So he has half the puzzle to begin with. Brute-forcing the credit card is much more possible now. The hash will be stored in the file (most likely) and will be there to test against (I assume).

In the end though, I think we're giving our criminal way too much credit. This is a guy that either swiped your nook when you weren't looking, found it when you lost it, or broke into your house and took it. I seriously doubt his skill to take on hash-cracking, simply because I don't think he's that bright.

Corrections to my math/logic are welcome.
Last edited by sircastor; 10-21-2009 at 01:18 PM. Reason: Corrections to my math/logic are welcome.
sircastor is offline   Reply With Quote