Aussie user’s AMD GPU breaks hash in just four days

Back in 2014, developer Leah Neukirchen found an /etc/passwd file among a file dump from the BSD 3 source tree that included the passwords used by various computer science pioneers, including Dennis Ritchie, Ken Thompson, Brian Kernighan, Steve Bourne, and Bill Joy.

As she explained in a blog post on Wednesday, she decided at the time to try cracking the password hashes, created using DES-based crypt(3), using various cracking tools like John the Ripper and hashcat.

When the subject surfaced on the Unix Heritage Society mailing list last week, Neukirchen responded with 20 cracked passwords from the file that’s she’d broken five years ago. Five hashed passwords, however, remained elusive, including Thompson’s.

ZghOT0eRm4U9s

“Even an exhaustive search over all lower-case letters and digits took several days (back in 2014) and yielded no result,” wrote Neukirchen, who wondered whether Thompson might somehow have used uppercase or special characters.

Samizdat no more: Old Unix source code opened for study

READ MORE

The mailing list participants, intrigued by the challenge, set to work on the holdouts. The breakthrough came on Wednesday, from Nigel Williams, a HPC systems administrator based in Hobart, Tasmania.

“Ken is done,” he wrote in a post to the mailing list. The cracking effort took more than four days on an AMD Radeon RX Vega 64 running hashcat at a rate of about 930MH/s.

ZghOT0eRm4U9s is a hash of p/q2-q4!

It’s a common chess opening in descriptive notation. As Neukirchen observed, Thompson contributed to the development of computer chess.

Thompson, who helped create Unix and the Go programming language among many other accomplishments, acknowledged the feat by offering his congratulations. He didn’t immediately respond to a request for comment.

According to NIST’s password guidelines, user-selected secrets should be at least eight characters in length, which assumes using the full range of upper-case, lower-case, and special characters. Microsoft suggests an eight character minimum too. But given that Thompson’s eight character password hash was cracked in a few days, something longer might provide more peace of mind. ®

Sponsored: Disrupting with data – challenges for digital native organizations