Is your password strong enough?

I have a problem memorizing things, especially passwords. I have to memorize many passwords for applications on the Internet. However, I believe that I am not the only one with this problem 🙂

How to memorize passwords?

I see the comic above and understand that the most important thing is a password that is hard to crack and easy to remember. That combination is our goal. Let's open this site, https://howsecureismypassword.net/. If you compare both passwords from the comic, you will find the second one takes more time to be cracked. I do not know how that site calculates the strength of a password, but we can use it to compare each password we enter.

Rule #1 : Length is important. Some advice suggests at least 12 characters. If you can go up to the full length of the password field, that is better 🙂

Rule #2 : Use a mixture of upper-case and lower-case letters, numbers and symbols.

Rule #3 : Not a single word, and not a common word in any language. Not sure about it? Go to the OWASP SecLists project. That project has millions of single common words that can be used to crack your password.

Rule #4 : Change it regularly (e.g. every 6 months).

Rule #5 : Do not use a password that you have used recently.

Rule #6 : Not your telephone number, username, your spouse's or kid's name and their birthdates, your mother's maiden name, or anything that someone might associate with you.

Rule #7 : Do not use common substitutions (e.g. 4 for a or 5 for s).

Rule #8 : Do not use one password for all accounts, even if it is quite strong.
Once it has been cracked, all your accounts are compromised. Sad.

Rule #9 : You may put the name of the application or service in your password (read my example below).

Let's try to apply those rules. I want to create a strong password for my Facebook account. I like listening to songs, especially 70's, 80's and 90's songs. I take the song titled If by Bread, and I take this password:

Facebook If A Picture Paints A Thousand Words

Rule #1 : Yeah, there are 45 characters (including spaces).
Rule #2 : Done. I have spaces and a combination of upper-case and lower-case letters.
Rule #3 : Of course it is not a single word.
Rule #7 : No common substitutions used (no 4 for a or 5 for s).
Rule #9 : I put Facebook in it 🙂 It makes my password stronger as well.

When I try it on https://howsecureismypassword.net, I get 603 unvigintillion years to crack it using a desktop PC.
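The rules above can be turned into a check you run before accepting a password. The block below is an added example (not from the original post or the site linked above) that checks rules #1, #2, #3, #6 and #7 and reports which ones a password breaks; the wordlist, the leet map and the personal-info strings are constructed stand-ins, so in practice you would load a real list such as the OWASP SecLists common passwords. Note that a crack-time estimator like the linked site only scores brute-force search space, so a check against a wordlist is what actually catches rule #3 and rule #7 failures.

```python
import re

# Constructed stand-in for a common-password wordlist (e.g. OWASP SecLists).
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "qwerty", "monkey"}

# Rule #7: undo the usual substitutions ("4" for "a", "5" for "s", ...) so that
# a disguised common word is recognised as the common word it really is.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})


def check_password(password, personal=(), common_words=COMMON_WORDS, min_len=12):
    """Return the list of rules from the post that the password breaks.

    personal: strings someone could associate with the owner (Rule #6), e.g.
    username, phone number, spouse's or kid's name, birthdates.
    An empty list means the password passes every rule checked here.
    """
    failures = []
    lowered = password.lower()
    if len(password) < min_len:                        # Rule #1: length
        failures.append("#1 length")
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password)]
    if sum(1 for c in classes if c) < 2:               # Rule #2: mix of classes
        failures.append("#2 character mix")
    words = re.findall(r"[A-Za-z]+", password)
    if len(words) == 1 and words[0].lower() in common_words:  # Rule #3
        failures.append("#3 common word")
    for item in personal:                              # Rule #6: nothing tied to you
        if item and item.lower() in lowered:
            failures.append("#6 personal info")
            break
    de_leet = lowered.translate(LEET_MAP)              # Rule #7: leet-speak disguise
    if de_leet != lowered and de_leet in common_words:
        failures.append("#7 leet substitution")
    return failures


if __name__ == "__main__":
    # The post's own example passes; a leet-speak "password" does not.
    print(check_password("Facebook If A Picture Paints A Thousand Words"))
    print(check_password("P4ssw0rd"))
```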

Now, after reading this, how strong is your password? The choice is yours.


Find hash type of your data or password using hash-identifier

Sometimes I encounter a problem when I need to crack a password using John the Ripper. To minimize the search space, I should know which hash algorithm was used for that password. That reduces the time John the Ripper needs to do its work. There is one tool I can use for this: Hash Identifier.

Hash Identifier is a tool that identifies the different types of hashes used to protect data (especially passwords). You can find its source code at http://code.google.com/p/hash-identifier/ . Currently, it supports 125 types of hash algorithm.

These are:

  • ADLER-32
  • CRC-32
  • CRC-32B
  • CRC-16
  • CRC-16-CCITT
  • DES(Unix)
  • FCS-16
  • GHash-32-3
  • GHash-32-5
  • GOST R 34.11-94
  • Haval-160
  • Haval-160(HMAC)
  • Haval-192
  • Haval-192(HMAC)
  • Haval-224
  • Haval-224(HMAC)
  • Haval-256
  • Haval-256(HMAC)
  • Lineage II C4
  • Domain Cached Credentials – MD4(MD4(($pass)).(strtolower($username)))
  • XOR-32
  • MD5(Half)
  • MD5(Middle)
  • MySQL
  • MD5(phpBB3)
  • MD5(Unix)
  • MD5(WordPress)
  • MD5(APR)
  • Haval-128
  • Haval-128(HMAC)
  • MD2
  • MD2(HMAC)
  • MD4
  • MD4(HMAC)
  • MD5
  • MD5(HMAC)
  • MD5(HMAC(WordPress))
  • NTLM
  • RAdmin v2.x
  • RipeMD-128
  • RipeMD-128(HMAC)
  • SNEFRU-128
  • SNEFRU-128(HMAC)
  • Tiger-128
  • Tiger-128(HMAC)
  • md5($pass.$salt)
  • md5($salt.'-'.md5($pass))
  • md5($salt.$pass)
  • md5($salt.$pass.$salt)
  • md5($salt.$pass.$username)
  • md5($salt.md5($pass))
  • md5($salt.md5($pass).$salt)
  • md5($salt.md5($pass.$salt))
  • md5($salt.md5($salt.$pass))
  • md5($salt.md5(md5($pass).$salt))
  • md5($username.0.$pass)
  • md5($username.LF.$pass)
  • md5($username.md5($pass).$salt)
  • md5(md5($pass))
  • md5(md5($pass).$salt)
  • md5(md5($pass).md5($salt))
  • md5(md5($salt).$pass)
  • md5(md5($salt).md5($pass))
  • md5(md5($username.$pass).$salt)
  • md5(md5(md5($pass)))
  • md5(md5(md5(md5($pass))))
  • md5(md5(md5(md5(md5($pass)))))
  • md5(sha1($pass))
  • md5(sha1(md5($pass)))
  • md5(sha1(md5(sha1($pass))))
  • md5(strtoupper(md5($pass)))
  • MySQL5 – SHA-1(SHA-1($pass))
  • MySQL 160bit – SHA-1(SHA-1($pass))
  • RipeMD-160(HMAC)
  • RipeMD-160
  • SHA-1
  • SHA-1(HMAC)
  • SHA-1(MaNGOS)
  • SHA-1(MaNGOS2)
  • Tiger-160
  • Tiger-160(HMAC)
  • sha1($pass.$salt)
  • sha1($salt.$pass)
  • sha1($salt.md5($pass))
  • sha1($salt.md5($pass).$salt)
  • sha1($salt.sha1($pass))
  • sha1($salt.sha1($salt.sha1($pass)))
  • sha1($username.$pass)
  • sha1($username.$pass.$salt)
  • sha1(md5($pass))
  • sha1(md5($pass).$salt)
  • sha1(md5(sha1($pass)))
  • sha1(sha1($pass))
  • sha1(sha1($pass).$salt)
  • sha1(sha1($pass).substr($pass,0,3))
  • sha1(sha1($salt.$pass))
  • sha1(sha1(sha1($pass)))
  • sha1(strtolower($username).$pass)
  • Tiger-192
  • Tiger-192(HMAC)
  • md5($pass.$salt) – Joomla
  • SHA-1(Django)
  • SHA-224
  • SHA-224(HMAC)
  • RipeMD-256
  • RipeMD-256(HMAC)
  • SNEFRU-256
  • SNEFRU-256(HMAC)
  • SHA-256(md5($pass))
  • SHA-256(sha1($pass))
  • SHA-256
  • SHA-256(HMAC)
  • md5($pass.$salt) – Joomla
  • SAM – (LM_hash:NT_hash)
  • SHA-256(Django)
  • RipeMD-320
  • RipeMD-320(HMAC)
  • SHA-384
  • SHA-384(HMAC)
  • SHA-256
  • SHA-384(Django)
  • SHA-512
  • SHA-512(HMAC)
  • Whirlpool
  • Whirlpool(HMAC)

Now, I would like to demonstrate how to use it. I use the hash tool at http://www.fileformat.info/tool/hash.htm and type 'my secure password' into the String hash text field.

I get the following results:

Original text : my secure password
Original bytes : 6d:79:20:73:65:63:75:72:65:20:70:61:73:73:77:6f:72:64 (length=18)
Adler32 : 420c0721
CRC32 : 3258d7d9
Haval : c370c11d1839aa68d61367e66b3de6cd
MD2 : bb72ecfa080e5e9f89ac7bf297cd46d6
MD4 : c51adae62fe94f15bdfbf82486b8a744
MD5 : 32b36c3f019e09ad8eec18d558c03d49
RipeMD128 : a3bb654dbac734683077727f54d697c2
RipeMD160 : d1484b7a81e431607527711e552c442006578de6
SHA-1 : 91662ae66efecdd0dda69734e6096b7b08aba5dc
SHA-256 : 3e0357f4b2583fd0dcda249acd2378c77d62f647e2b6f27fea5f203cb4d65afa
SHA-384 : 1f7c826615d984145bec1caa473990f8f59b5f5c48e4f3dc63344502cc0e10e2011b41e84ce75ac1ed56d627ea4d26b8
SHA-512 : 0bf936fd3ebcb43233d088b3f5069063fa6eba11f2b11978bf6b5214aa0b2feccbbe936d18e30277f0104fca335d4b4feed65a385f298d20f838c93f7d78b101
Tiger : 524c309da4801fec8eb02de29793250fe45780e465f4205b
Whirlpool : e2fd4c42492b48db7600d088d7f5e423a71169bda0e0475a818821ba04f5745038a289e80bbe96f6819a5d73441e29c799d0d779d95435dab5c3088a82374320

Then, I use hash-identifier to get the hash type of each result. Screenshots of its output were shown for:

  • MD5
  • SHA-512
  • Whirlpool
  • Tiger
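hash-identifier's own source is not reproduced on this page, but the core of what it does is visible from the results above: recognise scheme prefixes first, then fall back to the digest's alphabet and length. The block below is an added example (not the tool's code) that implements that heuristic for the families from the list above; the candidate table is my own summary of that list, and the demo hashes the post's sample string with Python's hashlib rather than the fileformat.info page. It also shows the tool's main caveat: length alone cannot separate SHA-512 from Whirlpool, or MD5 from NTLM, which is why hash-identifier reports several possible types and you still have to confirm the guess against a known sample.

```python
import hashlib
import re

# Hex-digest length -> algorithms from the supported list that produce it.
# Several algorithms share a length, so a match here is a candidate set.
BY_HEX_LENGTH = {
    8:   ["ADLER-32", "CRC-32", "CRC-32B", "XOR-32"],
    32:  ["MD5", "MD4", "MD2", "NTLM", "Haval-128", "RipeMD-128",
          "SNEFRU-128", "Tiger-128", "Domain Cached Credentials"],
    40:  ["SHA-1", "RipeMD-160", "Haval-160", "Tiger-160"],
    48:  ["Tiger-192", "Haval-192"],
    56:  ["SHA-224", "Haval-224"],
    64:  ["SHA-256", "RipeMD-256", "Haval-256", "SNEFRU-256", "GOST R 34.11-94"],
    80:  ["RipeMD-320"],
    96:  ["SHA-384"],
    128: ["SHA-512", "Whirlpool"],
}

# crypt-style markers that identify a format on their own.
PREFIXES = [("$1$", "MD5(Unix)"), ("$apr1$", "MD5(APR)"),
            ("$P$", "MD5(WordPress)"), ("$H$", "MD5(phpBB3)")]


def identify(hash_str):
    """Return candidate hash types for one hash string, most specific first."""
    h = hash_str.strip()
    for prefix, name in PREFIXES:
        if h.startswith(prefix):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]{32}:[0-9a-fA-F]{32}", h):   # LM:NT pair
        return ["SAM - (LM_hash:NT_hash)"]
    if re.fullmatch(r"\*[0-9A-F]{40}", h):                    # MySQL5 leading '*'
        return ["MySQL5 - SHA-1(SHA-1($pass))"]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return BY_HEX_LENGTH.get(len(h), ["unknown hex length %d" % len(h)])
    return ["unknown"]


def demo():
    """Hash the post's sample string locally and identify each digest."""
    text = b"my secure password"          # the string used in the post
    return {name: identify(hashlib.new(name, text).hexdigest())
            for name in ("md5", "sha1", "sha256", "sha384", "sha512")}


if __name__ == "__main__":
    for algo, candidates in demo().items():
        print(algo, "->", candidates)
```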