Login

**Tiberius** · April 29, 2012 at 6:06 pm

Password was "debbie". The decrypted file plays in VLC perfectly.

pwned Big Grin

**Darwinian** · April 29, 2012 at 6:07 pm

Hmm, well done Angry

Back to the drawing board then...

**Tiberius** · April 29, 2012 at 6:10 pm

Not really. If you use a long complex key (password) then the encryption will be fine. No encryption mechanism is protected against brute-force attacks.

However, in this case I ran two attacks, one where I tried to brute-force every password from a character set of A-Za-z0-9 and symbols, and one where I used a large dictionary file of commonly used passwords. The brute-force one ran first, but after a while I decided to use the dictionary attack, and that broke it in less than a second. The brute-force attack may have taken days to crack the password "debbie".

**Autumnlicious** · April 29, 2012 at 6:49 pm

Dictionary attacks with variations is usually more successful when dealing with human targets.

**Tiberius** · April 29, 2012 at 7:00 pm

True. I just used the rockyou password list.

goddamnit · June 20, 2012 at 1:58 am

That was cool. How did you apply a dictionary file to do a brute force attack? Was there a program that loaded it and did it (like AccessDiver does for websites)? Did you have to manually write a short program/script that can load each password and do send a password prompt does?

Angrboda · (This post was last modified: June 20, 2012 at 7:17 pm by Angrboda.)

(April 29, 2012 at 5:19 pm)Cthulhu Dreaming Wrote:
(April 29, 2012 at 5:11 pm)Tiberius Wrote: Sure, but the first rule of security is to assume that an attacker knows as much about your system as possible, since they can always figure it out in the end. The point of a secure system is that it is secure even if the attacker knows how it works (since the real security is in the password / key).

^^^ This ^^^

Aka, "Security through obscurity is no security."

Generally it's best to avoid regular words or names. But I'm the same way. I like to think my passwords are more secure because I use a mix of numbers and Chinese and Japanese words, but the fact is, a good dictionary will include more than one language.

I've started buying eBooks from Barnes & Noble, and I kept getting login failures, with the message that this email address and password isn't associated with an account, forcing me to call support. I did that, and we reset the password successfully. The next time I went to login, I got the same thing again. So I call up support again, reset the password, and it doesn't take again. So the rep asks me how long my password is. I count it up and tell her that it's 14 characters. She tells me that it needs to be 6-10 characters. No warning. No check that the password needs to be that length. And two calls to support to figure it out. I was so mad.

**Tiberius** · (This post was last modified: July 4, 2012 at 5:00 pm by Tiberius.)

(June 20, 2012 at 1:58 am)goddamnit Wrote: That was cool. How did you apply a dictionary file to do a brute force attack? Was there a program that loaded it and did it (like AccessDiver does for websites)? Did you have to manually write a short program/script that can load each password and do send a password prompt does?

I believe I used fcrackzip and a dictionary file I had lying around somewhere.

goddamnit · July 4, 2012 at 5:30 pm

How did you know to use fcrackzip? Did you know it was a zipped file? If so, how? I opened it with HxD and saw the name of the song but everything else looked like jibberish. Thanks!

**Autumnlicious** · July 4, 2012 at 5:44 pm

He asked.

Login
Username:
Password:	Lost Password?
	Remember me

Possibly Related Threads...
Thread		Author	Replies	Views	Last Post
	The Shell Cipher (Challenge)	Tiberius	36	10078	June 2, 2012 at 7:35 pm Last Post: Tiberius