Today's article is a fun article about PDFs...

KGIII

You can password-protect a PDF. In fact, you can apply a couple of passwords.

You can also crack that password. This article shows you how:


So, if you have enough time you can brute force a PDF to find the password.
 


Also, it took way too much work, but the newsletter (article notifications) is working properly again.

I need to clear it up, but it is working - or at least worked properly for the last article. So, if you're signed up for article notifications (and you should be!) then that feature is working again.
 
Hi,

I think with enough time and enough power you can crack every password if there is no brute-force protection.

Pretty much true, but long and complicated passwords are difficult to process and would take a very long time. But, with enough time they can be cracked.

I'm fond of this:

password_strength.png
 
Through 20 years of effort, we've successfully 'trained' everyone to use 'passwords' that are hard for humans to remember but easy for computers to guess

Amen.

Ain't that the truth.
 

I've seen modern websites with maximum password lengths. Though, that's possibly not their fault.

We no longer live in the era of 8-bit databases. You'll still find limitations. I think MySQL limits passwords to 32 characters or something like that. However, you really shouldn't store passwords. You should salt them and store the hash value. So, there's that...
 
I use local password managers with looooong passwords. So I think I am relatively safe.
Me too but it depends on password manager.

1. Does it support autotype?
2. Does it avoid clipboard?
3. Does it have virtual keyboard?
4. Does it have password generator?
5. Does it encrypt password database?
6. Does it have self-protection against taking screenshots?
7. Does it have self-protection against brute forcing?

etc..

If the answer to all these questions is yes, it's a good password manager and you're good to go.
 
The password used here was: thecatinthehatsatonthemat. It's very easy to remember, but evidently not so quickly "crackable" by computer:
passwd.jpg

 
@osprey
Can we get link to this site please?

There are a zillion such sites out there, should that one not work for you.

And, yup, those long passwords are gonna take a whole lot of time to crack.

Oddly, nobody did the exercise in the article and cracked the password for the included file. If they did, they didn't share the results. (It's a very short password, taking only a few minutes to crack.)
 
Oddly, nobody did the exercise in the article and cracked the password for the included file. If they did, they didn't share the results. (It's a very short password, taking only a few minutes to crack.)
It has been more than 10 years since I last attempted brute forcing. I was obsessed with brute forcing routers on public networks in my town and writing my own programs, and I still have GBs of wordlists on my external HDD.
I even have a large Wi-Fi antenna and a 3m cable to catch as many networks in the city as possible lol, but I don't use it.

Surely someone who has never done this will be more interested to explore. There are many brute forcing tools for different tasks; for routers it was called hydra, not sure if it still exists.

There are a zillion such sites out there, should that one not work for you.

And, yup, those long passwords are gonna take a whole lot of time to crack.
I just tested my password manager generator combo and it says 400K years to crack, sample password is |vU9Z=d?j55L
I'm not sure if it should be prolonged because quantum computers might easily reduce those years to much less.
 
There's a human element that the computer estimation of password cracking time is unable to take into consideration when it makes its calculation.

For example, the password: JohnSmithJohnSmithJohnSmith, has an estimated computer cracking time of "3 hundred septillion years" on the website mentioned in post #9, however, if my name was John Smith, and a malevolent individual knew my name, then it's interesting to speculate how long it would take to "crack" that password since there's such an obvious quality to it.
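An added example (not part of the original thread) of the gap described above: a naive length-times-alphabet estimate next to a rough structure-aware one that collapses repeats and treats tokens an attacker already knows as cheap. The function names, the scoring model and the guess rate are assumptions made for this sketch.

```python
import math
import string

SECONDS_PER_YEAR = 31_557_600


def charset_size(pw):
    """Alphabet size a naive brute-force estimate assumes for pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))


def naive_bits(pw):
    """Length x log2(alphabet): the figure online estimators tend to report."""
    return len(pw) * math.log2(charset_size(pw))


def repeating_unit(pw):
    """Shortest prefix that, repeated, reproduces the whole password."""
    for k in range(1, len(pw) // 2 + 1):
        if len(pw) % k == 0 and pw[:k] * (len(pw) // k) == pw:
            return pw[:k]
    return pw


def structure_aware_bits(pw, known_tokens=()):
    """Rough bits for a guesser who tries known tokens and repeats first."""
    unit = repeating_unit(pw)
    rest, hits = unit.lower(), 0  # capitalisation is ignored in this model
    for tok in sorted((t.lower() for t in known_tokens), key=len, reverse=True):
        while tok and tok in rest:
            rest = rest.replace(tok, "", 1)
            hits += 1
    bits = hits * math.log2(max(len(known_tokens), 2))  # choosing each token
    bits += len(rest) * math.log2(charset_size(pw))     # unexplained characters
    bits += math.log2(len(pw) // len(unit))             # number of repeats
    return bits


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try the whole space at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Passwords quoted in the thread; the token list is constructed.
    samples = [("JohnSmithJohnSmithJohnSmith", ("John", "Smith")),
               ("|vU9Z=d?j55L", ())]
    for pw, tokens in samples:
        print(pw, round(naive_bits(pw), 1),
              round(structure_aware_bits(pw, tokens), 1))
```

For the random 12-character password the two estimates agree, because there is no structure to exploit; for the repeated name they differ by roughly 150 bits.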
 
It has been more than 10 years since I last attempted brute forcing. I was obsessed with brute forcing routers on public networks in my town and writing my own programs, and I still have GBs of wordlists on my external HDD.
I even have a large Wi-Fi antenna and a 3m cable to catch as many networks in the city as possible lol, but I don't use it.
I used to get into routers via ethernet by using an IP scanner to scan a similar range to my own and spamming every router with the "user, password", "admin, admin", "admin, administrator" combos. Scarily, I had a success rate of about 20%.
 
I used to get into routers via ethernet by using an IP scanner to scan a similar range to my own and spamming every router with the "user, password", "admin, admin", "admin, administrator" combos. Scarily, I had a success rate of about 20%.
Almost every router model has a default username and password, so you start with that prior to brute forcing. :)
 
It has been many years...

The following story is all alleged. It examines a history of what might have been and in no way confirms guilt for any party. It is for amusement purposes only.

A long time ago, IT was less sophisticated than it is today. You could scan the public IPv4 addresses and find printers exposed to the public.

Certain printers, like HP printers, had an easy-to-manipulate firmware - not signed or anything like that.

So, first, you could print remotely to these printers without much effort. That was fun - but not the most fun you could possibly have.

See, they often left the default login credentials. They'd never change those credentials.

Remember the HP from above?

Well, those often had a display. We're talking professional printers here and there was a display on them.

Remember the unsigned firmware? Well, it could be read and edited in plain text.

If you were even a little clever, you could log in and upload new firmware of your own design.

So, you could lock the printer and write a message on the screen that said something like, "Insert 25¢ To Continue".

Locking the printer was frowned upon, but funny messages were just funny. They could still use the printer unless you mangled the firmware you uploaded. Admins could easily restore the hardware.

You could print to the printers, leaving funny messages that helpfully instructed admins on how to fix their network so that the printer was no longer available on the public internet.

Of course, I admit to nothing...

Allegedly...

The Internet was a lot of fun back then. It was a bit like the wild west. The odds of getting in trouble were really low and, in some cases, they hadn't even created laws that would cover your actions.

I'd definitely not suggest doing this today. If you find a printer online, just smile and move on. You can maybe send 'em a single page of text telling them that their printer is online and that they should probably fix that - but even that is risky behavior these days.
 
As an addendum to the subject of pdf files and passwords, I found it useful at times to be able to remove the known password when sending the pdf file on to another recipient. This was possible at least in the two pdf readers that I used, xpdf and evince, where the user knows the password in the first place.

In both of those pdf readers, once the correct password was entered and the file opened, if the user then used the "print to file" function to copy the file to the filesystem, that copied file could then be opened without the use of the password, and then be sent on to other recipients free of the password. That has been useful to me.
 
You can also likely find an 'export as PDF' type of option and just not apply a new password.
 
Me too but it depends on password manager.

1. Does it support autotype?
2. Does it avoid clipboard?
3. Does it have virtual keyboard?
4. Does it have password generator?
5. Does it encrypt password database?
6. Does it have self-protection against taking screenshots?
7. Does it have self-protection against brute forcing?

etc..

If the answer to all these questions is yes, it's a good password manager and you're good to go.
Partially yes, but not all. Some options I have disabled. But I think a password manager is much safer than most passwords users give.
 
