
I'm not a cryptography expert, I am a web developer trying to determine the origin of a Wordpress blog hack, and how likely it is that it was brute forced.

The administrator account username had been changed from the default "admin" and the password was, I believe, 8-10 characters comprising mixed case alphanumeric characters and symbols (the password has since been changed and extended in length).


Out of curiosity, I was looking at sites which supposedly estimate how long it would take to crack passwords. Supposedly:

Example Password: Vr%*zSR7mb

  • Length: 10 characters
  • Character Combinations: 77
  • Calculations Per Second: 4 billion
  • Possible Combinations: 7 quintillion

58 years to crack


But what does this mean in real world terms?

The site seemed to have been hacked by a rival company with a terrible website and poor English, which I would guess originates from Eastern Europe, Africa or Asia (basically, not even a real rival but someone attempting to make business in the same industry). All they did was post 2 entries of poorly written content promoting their own site.

If it takes 58 years to brute force the password, it's obviously not feasible that the password was hacked with a brute force according to that estimate.

  • How many calculations can one computer make?
  • What kind of computing power does the average hacker have access to?
  • How is a hacker able to leverage the use of multiple machines?

If a rival wanted to hack a website, how easy is it for someone with little experience to download and use tools to brute force a password? How easy is it to pay someone cheap money in a poorer country to perform the hack for you?

The bottom line here is I feel like a brute force attack on what is a fairly useless blog, in order to post fairly useless content which probably won't yield any return at all, is not very likely.

The problem is I don't know enough about the reality of brute force attacks, and how easy they are to perform. If it's something anyone can quickly and simply run, within a short amount of time, then it sounds possible that's what happened. Otherwise, I would like to be able to rule out a brute force attack and look at more likely options such as someone's machine being compromised with a key logger.

Mike Edward Moras
BadHorsie

1 Answer

If the password was 8-10 random characters with alphanumerics and some symbols, a lower bound estimate of the entropy would be something like 48 bits (eight random base 64 characters). Coupled with WordPress' weak 8-round MD5, that's just over 50 bits of security. Not terribly secure.

A low-resource attacker like the one you assume could maybe crack it in a couple of weeks. If they had nothing else to do with their computer. Or they could buy some cloud computing resources to tackle the job. According to this blog post, an Amazon GPU instance (from a couple of years ago) could calculate about two billion MD5 hashes per second. With eight instances you'd have the search space covered in 24 hours. And that costs maybe a hundred bucks if that. (You could also do it quicker with more instances without a significant cost increase.)

However, if you assumed the high end of 10 characters out of all printable ASCII (95 possibilities), you would have a 65-bit strong password. Which would cost more like ten million dollars to brute force. So the actual entropy is rather important. If the initial password wasn't generated with a random number generator, its entropy was probably much less than something like the site you linked would predict.


While it is possible, brute forcing the password sounds like one of the less likely ways a WordPress blog would be compromised. An unpatched vulnerability in WordPress itself, some plugin, PHP, the SQL database or some other software seems more likely. Or in the case of a shared host, even a privilege escalation from another account.

otus
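As an added worked example (not part of either post), the script below reproduces the arithmetic behind the figures above: the password checker's 77^10 keyspace and "58 years" at 4 billion guesses per second, and the answer's 48-bit and 65-bit entropy bounds. The hash rate (2 billion MD5/s per instance), instance count (8) and the per-guess cost of "8-round" hashing are the values quoted in the answer, used here as inputs, not measured numbers.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random.
    This is an upper bound: a human-chosen password has less."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, hashes_per_sec: float,
                       workers: int = 1, iterations: int = 1) -> float:
    """Worst-case time to try the whole keyspace.
    `iterations` is how many hash computations the storage scheme costs per
    guess (1 for plain MD5; the answer above quotes 8 for WordPress).
    The expected time to find one password is half of this value."""
    guesses_per_sec = hashes_per_sec * workers / iterations
    return keyspace(charset_size, length) / guesses_per_sec


def describe(label: str, charset_size: int, length: int, hashes_per_sec: float,
             workers: int = 1, iterations: int = 1) -> str:
    secs = seconds_to_exhaust(charset_size, length, hashes_per_sec, workers, iterations)
    return (f"{label}: {entropy_bits(charset_size, length):.1f} bits, "
            f"{keyspace(charset_size, length):.2e} candidates, "
            f"{secs / 3600:.1f} hours / {secs / SECONDS_PER_YEAR:.1f} years to exhaust")


if __name__ == "__main__":
    # The online checker's scenario: 77-symbol alphabet, 10 chars, 4e9 guesses/s.
    print(describe("checker", 77, 10, 4e9))
    # The answer's lower bound: 8 base64-ish chars, 8 GPU instances at 2e9 MD5/s,
    # with the 8x per-guess cost the answer attributes to WordPress hashing.
    print(describe("low bound", 64, 8, 2e9, workers=8, iterations=8))
    # The answer's high end: 10 chars from all 95 printable ASCII characters.
    print(describe("high end", 95, 10, 2e9, workers=8, iterations=8))
```

Note how the per-guess hashing cost only scales the time linearly, while each extra random character multiplies it by the alphabet size; that is why the answer stresses that the real entropy of the password matters far more than the estimate's raw hash rate.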