Talk:Password cracking

From Wikipedia, the free encyclopedia

The statement "Proprietary encryption algorithms which rely on obscurity for security are much more likely to succumb to such attacks." was POV. I think a cited source is in order for this statement.

Agreed. — Matt Crypto 18:48, 23 Mar 2005 (UTC)

The following statement mixes preference with analysis, and I suggest an insertion for the difference between vertical & horizontal password guessing:
"This method is unlikely to be practical unless the password is relatively small. ... in which case the attack is called an offline attack (it can be done without connection to the protected resource), or not, in which case it is called an online attack. Offline attack is generally a lot easier, because testing a password is reduced to a quickly calculated mathematical computation; i.e., calculating the hash of the password to be tried and comparing it to the hash of the real password. In an online attack the attacker has to actually try to authenticate himself with all the possible passwords, where arbitrary rules and delays can be imposed by the system and the attempts can be logged. "

These statements come from assumptions which should not be presumed - i.e. What type of system are you attempting an "online" or "offline" attack against, as well as a perceived "preference" of the author towards discouraging online brute force attacks. When discussing methodology of brute force password guessing, standard vertical (many users-single password), horizontal (single user-many passwords) techniques for "online" password guessing can be quite successful depending on the type of access you are attempting to achieve. RDC, emails, website and vpn all have different levels which may not be covered under the scope of this article, but that does not mean that the method is unlikely to be practical. I don't think the goal here is to explain why there is a preference of which type of attack is more successful depending on what you are trying to access, only the difference between the two. It is conceivable to gain administrator access through RDC in a day. In a horizontal attack against an email address, I have documented lab cases where I can report the user's password within 2 hours from a single "attacking" computer. There is a preference stated where "arbitrary rules" and "delays can be imposed by the system"; this seems to slant to the author's preference here, there can be "delays" and "rules" which prevent access to the hash. Suggest either limiting discussion to what types of attacks and pros vs. cons objectively. Overall, nice article. - FA of Astral 4/30/08

—Preceding unsigned comment added by 69.118.250.123 (talk) 06:38, 30 April 2008 (UTC)


Please be slightly more careful while editing. 'Memoization' is a real word, not a typo. It is explained only a couple of sentences before the place where you corrected it to 'memorization'. Also, there are two separate attacks that salting protects against -- precomputation and memoization. Each one can be carried out without the other. Please do not roll them into one or brush one under the carpet. Thank you. Arvindn 02:09, 23 July 2005 (UTC)

Quite right, sorry. --agr 09:17, 24 July 2005 (UTC)
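As an added illustration (not part of this talk page or the article), the script below shows the offline check described in the quoted passage above (hash the candidate, compare to the stored digest) and the two separate things Arvindn says salting defends against: a precomputed table of digests, and reuse of one digest computation across users who chose the same password. The candidate list, user records and plain SHA-256 are constructed assumptions for the demo; a real store would also use a slow, salted KDF such as bcrypt.

```python
import hashlib
import os

# Constructed candidate list and user passwords for the demo (not a real wordlist).
CANDIDATES = ["password", "letmein", "hunter2", "qwerty"]
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "qwerty"}

def unsalted_digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted_digest(password: str, salt: bytes) -> str:
    # The salt is stored next to the digest; it need not be secret, only unique.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def precomputed_table(candidates) -> dict:
    # Built once and reusable against every unsalted store: this is the
    # precomputation that per-user salting defeats.
    return {unsalted_digest(c): c for c in candidates}

def check_unsalted_store(store: dict, table: dict):
    # Offline check against an unsalted store: one dictionary lookup per user
    # and no hashing at all. alice and bob share a digest, so a single table
    # entry covers both (the memoization effect).
    recovered = {u: table.get(d) for u, d in store.items()}
    return recovered, 0  # (result, number of hash computations performed)

def check_salted_store(store: dict, candidates):
    # store maps user -> (salt, digest). The table is useless, and a digest
    # computed for one user cannot be reused for another, so the work is
    # users x candidates, each a fresh hash computation.
    recovered, work = {}, 0
    for user, (salt, digest) in store.items():
        recovered[user] = None
        for c in candidates:
            work += 1
            if salted_digest(c, salt) == digest:
                recovered[user] = c
                break
    return recovered, work

def build_stores():
    # Two stores of the same users: unsalted digests, and per-user random salts.
    unsalted = {u: unsalted_digest(p) for u, p in USERS.items()}
    salted = {}
    for u, p in USERS.items():
        s = os.urandom(16)
        salted[u] = (s, salted_digest(p, s))
    return unsalted, salted

if __name__ == "__main__":
    u, s = build_stores()
    print(check_unsalted_store(u, precomputed_table(CANDIDATES)), check_salted_store(s, CANDIDATES))
```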

a suggestion for the Prevention section

There are alternatives to what Linux does ;-) http://cvs.openbsd.org/papers/bcrypt-paper.ps


Weak encryption

This section should be rewritten. A strong encryption method doesn't mean that it is a strong hash method (it is a common error).

Password recovery programs

This page would benefit from an expanded list of password recovery software, including which is freeware and which is not. There are many commercial programs, but I know there are free ones too. I'm thinking of the types of programs which recover passwords from Access, Excel, Word, WordPerfect, and .zip files. There are legit uses for such software, such as finding the password I put on a .zip file I made 5 years ago! 2006-08-18.

Wikipedia is not a directory and should not promote every random software that exists. Those things can be found on directories like dmoz. --Spoon! 10:30, 31 August 2006 (UTC)

POV

Just in my opinion, some of the sections aren't written neutrally. Please remove if you don't see a problem, or fix. RegaL the Proofreader (talk) 18:21, 10 January 2008 (UTC)

Requested move

The following discussion is an archived discussion of the proposal. Please do not modify it. Subsequent comments should be made in a new section on the talk page. No further edits should be made to this section.

The result of the proposal was no consensus to move this page, per the discussion below. Dekimasuよ! 10:34, 23 February 2008 (UTC)

I suppose renaming this article to Password recovery would be more of NPOV. Dadudadu (talk) 23:11, 17 February 2008 (UTC)

Oppose. Password recovery is a subset of password cracking, in that there's the implication that recovery is being done on behalf of someone who in some way owns the information and has a right to recover it. Cracking can mean recovery, but it can also mean breaking someone else's security. This article deals with the general issue of getting access to password protected information without knowing the password, and password cracking is the correct term for this. Andrewa (talk) 09:23, 18 February 2008 (UTC)

  • Oppose per Andrewa. Password recovery is merely the "positive" aspect, while password cracking is all-encompassing. JPG-GR (talk) 02:27, 23 February 2008 (UTC)

The above discussion is preserved as an archive of the proposal. Please do not modify it. Subsequent comments should be made in a new section on this talk page. No further edits should be made to this section.

Shouldn't it be Cain and Able?

At the bottom of the page, under see also or Ex. Ref, I saw Cain. If I'm not mistaken, shouldn't it be Cain and Able? ~The Unwanted Comment
A Dirge for her, the doubly dead. In that, she died so young. 23:34, 26 March 2008 (UTC)