http://www.lightbluetouchpaper.org/2012/09/04/password-cracking-part-ii-when-does-password-cracking-matter/ Security Research, Computer Laboratory, University of Cambridge Sun, 19 May 2013 19:34:11 +0000 http://wordpress.org/?v=2.9.2 hourly 1 http://www.lightbluetouchpaper.org/2012/09/04/password-cracking-part-ii-when-does-password-cracking-matter/comment-page-1/#comment-334868 Jakob Fri, 07 Sep 2012 12:59:13 +0000 http://www.lightbluetouchpaper.org/?p=4398#comment-334868 You argue that algorithms aren't needed if you only have a limited number of attempts because you can just take a static list of passwords to try. However, in many real-world cases the attacker has not only the password hash but also some kind of contextual information such as the associated username/email address, the name of the site the hashes come from (or address/names/telephone numbers etc. in case of WPA2-PSK) or even a custom wordlist generated by crawling the company website. Using this contextual information can significantly improve cracking efficiency but requires some algorithmic support to combine the contextual information with a general-purpose wordlist. You argue that algorithms aren’t needed if you only have a limited number of attempts because you can just take a static list of passwords to try. However, in many real-world cases the attacker has not only the password hash but also some kind of contextual information such as the associated username/email address, the name of the site the hashes come from (or address/names/telephone numbers etc. in case of WPA2-PSK) or even a custom wordlist generated by crawling the company website. Using this contextual information can significantly improve cracking efficiency but requires some algorithmic support to combine the contextual information with a general-purpose wordlist.

]]>