> Cracking WordPress passwords with 20 lines of Go
The original title is actually “WordPress passwords, explained and cracked”.
It seems Frenxi —the author— added “… with 20 lines of Go” in the post submission simply to appeal to the masses of Hacker News who often upvote links based on keywords more than the content of the article. Per the Hacker News Guidelines [1] → “[…] please use the original title, unless it is misleading or linkbait; don't editorialize.”
Go has nothing to do here except the author decided to write the brute force password cracker in it. The program could have been written in any other programming language without losing anything. Honestly, I am disappointed. They didn’t even try to make an interesting cracking program, the program doesn’t even have goroutines which one would expect from a tool that is trying to brute force a solution.
Maybe the interesting thing about it is that it doesn't require any interesting techniques to crack WP passwords? That seems interesting (although unsurprising having an early career background in PHP and WP) to me.
Given a password database, and the password check algorithm, this sort of dictionary or brute force approach is just a loop, regardless of the algorithm used because that's factored out.
Worse algorithms can offer the possibility of an exciting optimisation, especially for bulk cracking (e.g. Microsoft's LanMan Hash) - but that's not happening here.
In the case of this algorithm you could get a boost by vectorising to run on a GPU, memory hard pessimisation defeats that and this password hash doesn't offer it, again this Go program doesn't do that either.
For any human memorable password scheme, "Guess until you get lucky" is potentially viable and that's all this does, so it's almost the least interesting case.
I reckon this is a relatively simple explanation & demo of how simple it is to crack passwords if you have access to both a database dump of salted passwords, provided the password itself is relatively easily guessable (present in some dictionary of candidate passwords).
In terms of performance --
> At the moment, it processes 100K attempts in about 2 minutes on a small VPS.
It is a bit hard to compare performance without knowing what the `hashloop` parameter was set to for each attempt for that benchmark. Assuming that the hashloop parameter is set to `8192` aka `(1 << strings.Index(itoa64, "B"))` as in the blog post, then this approach is computing about 6.83 md5 mega-hashes (MH) / sec.
For a 30,000x speedup for brute forcing md5: hashcat + 8x GPUs can hit something like 200 GH / sec of md5:
When I read "Bcrypt is known to be a stronger hashing method compared to md5" it is blatantly clear the author have missed the entire point of the phpass library. https://www.openwall.com/phpass/ to quote
>
The approach of using multiple iterations to purposefully increase the computational cost of testing a password
The author has shown that a hashing function can be attacked by using a dictionary attack... well, yes, of course. But the library is not inherently weak just because of that. Yes, you can write it in 20 lines of Go but -- you'd need to benchmark the attack against other hashes. Just because the md5() primitive is used as part of the algorithm doesn't make the whole shebang weak.
The question always is how long it takes to find clear text which gets hashed to a certain value.
It’s 2020 and password-cracking is done on GPUs nowadays. The multiple rounds of PHPass do nothing against the speed of modern GPUs. You need a password hash that also requires a lot of RAM to compute to limit parallelism, like argon2 or scrypt.
It’s 2020 use OpenID Connect or any other “federated/delegated authentication” or anything else you may think off that doesn’t forces you to store passwords.
Realize that the attacker must first possess the user/password database for this to work. This is because the author takes the salt from that information. Without the salt, it will take much longer to brute force... even though it’s md5 hashed.
this corresponds to sad scenario where the database itself is leaked and the attacker has access to it. the blog describes how the salt is stored as prefix to each hash.
The original title is actually “WordPress passwords, explained and cracked”.
It seems Frenxi —the author— added “… with 20 lines of Go” in the post submission simply to appeal to the masses of Hacker News who often upvote links based on keywords more than the content of the article. Per the Hacker News Guidelines [1] → “[…] please use the original title, unless it is misleading or linkbait; don't editorialize.”
Go has nothing to do here except the author decided to write the brute force password cracker in it. The program could have been written in any other programming language without losing anything. Honestly, I am disappointed. They didn’t even try to make an interesting cracking program, the program doesn’t even have goroutines which one would expect from a tool that is trying to brute force a solution.
[1] https://news.ycombinator.com/newsguidelines.html