Comments on UNHash talk at 31c3

[atom]

For those who haven't seen it, here's a link to the talk:

http://mirror.netcologne.de/CCC/congress...ing_hd.mp4

My comments on this:

• The first 10 minutes is mostly about default password stuff
  
• Default password stuff is mostly interessting for pentesters, not so much for forensics
  
• UNHash specific background seem to start at ~ 10:20
  
• I disagree, you can't crack (preimage) MD5 with only pen and paper (10:48)
  
• Agree, don't use brute-force for slow hashes (11:15)
  
• How can you crack passphrases? Easy, with PRINCE (11:39)
  
• UNHash introduces new rule syntax (11:46)
  
• A candidate generator should be able to produce non-english passwords, too (12:45)
  
• Agree, machine learning algorithm will fail for passwords (13:26)
  
• Postgres involved in this?! For large wordlists > 100 billion this propably will fail (14:56)
  
• Writing classifier is bad as it takes time and personal that knows about syntax (17:30)
  
• My gutfeeling tells me problems with escaping is preprogrammed (18:00)
  
• Theres no specific benefit for UNHash to use any wordlists you like. That's true for nearly all candidate generators (hashcat, prince, jtr, ...) (20:15)
  
• It would be interessting to know how fast UNHash can produce new candidates as this is one of the most important factors in password cracking (21:00)
  
• Author announced details about comparison but either he didn't do it or I missed it (21:21)
  
• Meassurement of guessing efficiency is still not standartized, but it's obvious is will go more into the guesses/cracks direction than it goes into time/cracks as this will work for all algorithms
  

My impression is that UNHash is near to tools like wordhound, they could be called preprocessors.
I somehow missed the link how the talk on default passwords on the start is related to UNHash.