IT security experts have cracked a number of passwords used by Unix pioneers in the late 1970s.
On Saturday last week, I gave a presentation at a hacker meeting (Labortage) in Bochum Germany.
Only 75 percent of passwords hashed
After the talk, someboddy asked me if I knew how many of the passwords stored on servers are hashed (i.e., cryptographically secured). I didn’t know the answer, but I assumed that today as good as all passwords were hashed – after all, this is a very basic security measure that has been around for decades.
However, some people in the audience corrected me. They said that at most 75 percent of all passwords stored on servers are cryptographically protected. It is quite disappointing that such a basic security tool is still not a standard.
In my presentation, I included a slide that stated that today only about 75 percent of all passwords are hashed. There was no contradiction.
Passwords from the 1970s broken
Recently, several press articles discussed how passwords were hashed 40 years ago by the Unix operating system BSD. This hashing procedure had several weaknesses:
- The hashing function BSD used at that time, Descrypt, was not very secure. Descrypt is based on the DES encryption algorithm. While breaking DES is still a challenge today, the way it was used by BSD for hashing was not the best.
- Descrypt encrypts eight-letter blocks. The BSD passwords of the time therefore had at most eight characters.
- The password hashes of some BSD creators were included in publicly available source code.
- The passwords people chose 40 years ago were not much better that the ones used today. So, a dictionary attack could be used to attack them.
A few weeks ago, technologist Leah Neukirchen reported on having found some BSD source code from about 1980, which included the password hashes of several Unix pioneers. Neukirchen tried to break them, and in most of the cases was successful with a dictionary attack. Among others, the following passwords came up:
- BSD co-inventor Dennis Ritchie (1941-2011) used “dmac”. His middle name was MacAlistair.
- Stephen R. Bourne, inventor of the Bourne shell, used the password “bourne”.
- Eric Schmidt, now the head of Google, chose “wendy!!!”. Wendy is the name of his wife.
- Stuart Feldman, another Unix pioneer, used “axolotl”.
- Brian W. Kernighan, another well-known person in the Unix community, chose “/.,/.,”.
However, five of the vintage passwords were apparently not contained in the dictionaries Neukirchen used – including the one of Unix pioneer Ken Thompson. Neukirchen asked the members of an online forum for help.
As Descrypt limits passwords to eight characters, an exhaustive search seemed possible. In fact, forum member Nigel Williams applied this method successfully. Six days after Neukirchen had asked for support, he posted Thompson’s password: “p/q2-q4!”.
A few forum members pointed out that “p/q2-q4!” is the description of a chess opening. This comes as no surprise, as Ken Thompson is known as a chess fan. “p/q2-q4!” (descriptive chess notion) is the equivalent of “d2-d4” (algebraic chess notion). It’s a common start move in chess.
A few hours after Williams’ post, forum member Arthur Krewat provided the passwords for the four remaining cracked hashes. They were: graduat, 12ucdort, 561cml.., and ..pnn521. Apparently, these expressions were not contained in a dictionary and therefore hard to crack with a dictionary attack.
Further reading: Masked Man reveals his passwords after five years