Cracking double encrypted router password?
I noticed in the html of my router this parameter:
form.addParameter('Password', base64encode(SHA256(Password.value)));
So when I type in the password passw I get this via sslstrip:
2018-09-25 21:13:31,605 POST Data (192.168.1.1):
Username=acc&Password=ZTQ1ZDkwOTU3ZWVjNzM4NzcyNmM2YTFiMTc0ZGE3YjU2NmEyNGZmNGNiMDYwZGNiY2RmZWJiOTMxYTkzZmZlMw%3D%3D
Is this hash easy to crack via bruteforce/dictionary? I am still a beginner, but that looks like double encryption to me.
Also, is there some faster way of getting this password than cracking it?
encryption passwords password-cracking
edited 13 mins ago – Anders
asked 14 hours ago – MyWays
9
It's not necessary to crack at all if you want to access the router, as you can just send the ZTQ1ZDkwOTU3ZWVjNzM4Nzc… string directly (instead of entering it in the input field)
– Bergi
12 hours ago
If the attacker is able to read the data transmitted, he might also be able to do a mitm attack. So he can change the html, so it will also transfer the unencrypted password.
– davidbaumann
7 hours ago
Note that this being client side, there may still be proper password hashing on the router itself. This does not bode well for that possibility, of course.
– jpmc26
5 hours ago
4 Answers
15 votes, accepted
It's a base64 unsalted sha256 hash. It's not double encryption, but a not needed encoding.
An unsalted hash means it's trivial to just search the hash on Google and probably it will find the result.
answered 14 hours ago – ThoriumBR
1
Only trivial if the password is common.
– zaph
13 hours ago
5
I meant "is trivial to search", not to find the password. But to bruteforce SHA256 using any bitcoin ASIC is trivial too. A Dragonmint 16T can do 16TH/s and would bruteforce a 12 chars alphanumeric password in less than 100 hours. A 8 chars alphanumeric would fail in a tenth of a second...
– ThoriumBR
13 hours ago
Sure a Dragonmint is fast and specialized hardware. That is why using SHA256 is not secure for passwords, what is needed is a slow method such as PBKDF2, Argon2i or comparable methods, these are slow and should be used with parameters to require about 100ms of CPU time and additionally Argon2i requires substantial memory as well. Try e88f244abd61582387cc2afc0476e112550f24395cdf338ed7ad7deace2e6ebe, it is the SHA-256 hash of a 12 character password.
– zaph
12 hours ago
@zaph sure, everyone agrees that a slow method is best. That isn't the question though - the question is if the password security here is good, and the password security here uses a comparatively fast algorithm (SHA256). The fact that slow algorithms are better is a red herring.
– Conor Mancone
7 hours ago
22 votes
I URL decoded it, then decoded it from base64, then passed it to an online hash database.
The result was:
Hash                                                              Type    Result
e45d90957eec7387726c6a1b174da7b566a24ff4cb060dcbcdfebb931a93ffe3  sha256  passw
The fact that this is an un-salted hash makes it easy to look up. All the encoding is a convenience for the login service, not a security control.
With a salt, you cannot just look it up, so you would need to bruteforce. If you knew the salt, success depends on the password and the wordlist you use. There are methods to make the wordlist more efficient for bruteforcing, but it ultimately is a function of time.
edited 27 mins ago, answered 14 hours ago – schroeder♦
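The decoding steps described in this answer, and the effect of a salt on the lookup, as an added Python example that is not part of the original answer. The captured field and the hash are the values quoted on this page; the candidate list (a stand-in for an online hash database) and the salt are constructed.

```python
import base64
import hashlib
from urllib.parse import unquote

# Captured POST field exactly as quoted in the question.
CAPTURED_FIELD = "ZTQ1ZDkwOTU3ZWVjNzM4NzcyNmM2YTFiMTc0ZGE3YjU2NmEyNGZmNGNiMDYwZGNiY2RmZWJiOTMxYTkzZmZlMw%3D%3D"

# Constructed stand-in for an online hash database (not a real wordlist).
SAMPLE_CANDIDATES = ["admin", "letmein", "passw", "router123"]

# Constructed fixed salt so the demo is repeatable; real systems draw a
# random salt per account.
SAMPLE_SALT = bytes.fromhex("8f3a1c5e9b2d4706")

HEX_CHARS = set("0123456789abcdef")


def peel_encoding(field: str) -> str:
    """Undo URL-encoding, then base64; return the hex digest the form sent."""
    text = base64.b64decode(unquote(field), validate=True).decode("ascii")
    # The form base64-encodes the hex *text* of the digest, so a SHA-256
    # value must come out as exactly 64 lowercase hex characters.
    if len(text) != 64 or not set(text) <= HEX_CHARS:
        raise ValueError("decoded value is not a hex SHA-256 digest")
    return text


def encode_like_form(password: str) -> str:
    """Reproduce base64encode(SHA256(password)) as observed on the wire."""
    digest_hex = hashlib.sha256(password.encode()).hexdigest()
    return base64.b64encode(digest_hex.encode()).decode()


def build_table(candidates):
    """Precompute digest -> password once; valid against any unsalted hash."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def salted_digest(password: str, salt: bytes) -> str:
    """Same hash function, but with a salt mixed in before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def demo() -> dict:
    table = build_table(SAMPLE_CANDIDATES)
    digest = peel_encoding(CAPTURED_FIELD)
    return {
        "digest": digest,
        # Unsalted: the precomputed table answers immediately.
        "unsalted_lookup": table.get(digest),
        # Salted: the same password no longer appears in the table, so a
        # precomputed database is useless and each guess must be rehashed.
        "salted_lookup": table.get(salted_digest("passw", SAMPLE_SALT)),
        # Neither encoding layer involves a key, so both are reversible.
        "round_trip_ok": encode_like_form("passw") == unquote(CAPTURED_FIELD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```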
5 votes
This is trivial to break due to the following:
Base64 isn't encryption at all, it is an encoding scheme. Decoding Base64 is trivial.
SHA256 is a known weak cryptographic algorithm due to its speed, meaning passwords can be checked for validity extremely quickly. This means that specialized computers with multiple GPUs can check passwords at incredible speeds. The record for password cracking SHA256 at the time of writing is 21.4 GH/s (21 Billion hashes per second) set by 25 GPUs.
(Side note: Some users here think that Bitcoin/Cryptocurrency mining hardware can be used to crack passwords. This is not true. These machines' ASICs run very specific instructions and cannot be reprogrammed, meaning that they cannot be used to run dictionary or brute force attacks on passwords. Even if this were possible, they would not have the required bandwidth to send wordlists back and forth.)
answered 11 hours ago – Kevin
17
SHA256 is not weak, it's actually quite strong. The problem is using it for something it's not intended to be used for.
– AndrolGenhald
11 hours ago
0 votes
Everyone agrees that using an unsalted hash is very bad, and that sha256 is not an ideal hash function. However this wisdom relates to the storage of passwords, not their transmission.
We don't know how the password is validated on the target device.
For all we know the data is subsequently passed through a password stretching function, salted and hashed on the target device (which would be secure) or it is simply compared with a stored literal value (insecure).
If the communication with the router is always via HTTPS as indicated in the question, then this adds nothing to the protection of the data in transit and is redundant. If the communication were via HTTP, it could be argued that it prevents some very trivial attacks (but not, for example, a simple replay attack).
answered 14 mins ago – symcbean
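The two server-side possibilities this answer contrasts (a stored literal versus a salted, stretched hash, using the PBKDF2 suggested in the comments above), as an added Python example that is not part of the original answer and not the router's actual code. All function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for this sketch; a real device would tune it to its CPU.
PBKDF2_ITERATIONS = 200_000


def submitted_value(password: str) -> str:
    """Hex SHA-256 digest, i.e. what the login form sends before base64."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_enroll(submitted: str) -> str:
    """Insecure option: the stored record is the transmitted value itself."""
    return submitted


def weak_verify(record: str, submitted: str) -> bool:
    return hmac.compare_digest(record.encode(), submitted.encode())


def hardened_enroll(submitted: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Secure option: per-account random salt plus a slow, stretched hash."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": derived}


def hardened_verify(record: dict, submitted: str) -> bool:
    derived = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], record["iterations"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(derived, record["hash"])


def compare_stores(password_a: str, password_b: str) -> dict:
    """Enroll two accounts and report what a leaked config would reveal."""
    sub_a, sub_b = submitted_value(password_a), submitted_value(password_b)
    weak_a, weak_b = weak_enroll(sub_a), weak_enroll(sub_b)
    hard_a, hard_b = hardened_enroll(sub_a), hardened_enroll(sub_b)
    return {
        # Literal storage: equal passwords give equal records, and the
        # record is exactly the value the login form transmits.
        "weak_records_match": weak_a == weak_b,
        "weak_record_is_login_value": weak_a == sub_a,
        # Salted and stretched: records differ even for equal passwords and
        # cannot be submitted to the login form as they are.
        "hardened_records_match": hard_a["hash"] == hard_b["hash"],
        "hardened_record_is_login_value": hard_a["hash"].hex() == sub_a,
        "hardened_accepts_correct": hardened_verify(hard_a, sub_a),
        "hardened_rejects_wrong": not hardened_verify(
            hard_a, submitted_value("other")
        ),
    }


if __name__ == "__main__":
    # Two constructed accounts that happen to share the password "passw".
    for key, value in compare_stores("passw", "passw").items():
        print(f"{key}: {value}")
```

In both variants the router only ever sees the submitted digest, so that digest is what authenticates; hardening the stored record does not remove the need for TLS on the login request.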