MegaCracker

If you are here to crack Maga's confirmation link challenge, you should know that it will cost more in energy usage than what they will pay you. Since they only gave that link so that they could say "see no one can crack this". **IF** it is even remotely crackable it is a sentence or at least eight random words. My guess is it is output from /dev/urandom or someone smacking the keyboard for a minute.

MegaCracker v0.2a multi threaded and fixed a few bugs. On a i7-2600 I get 4820 c/s (single hash and 100 hashes) without precomputed data and 4.59 Mc/s (single hash) and 317 Kc/s (100 hashes) with precomputed data.

MegaHash List I precomputed some passwords so you can crack these faster.

Generate/Analyze

Email:
Password:

Password key:N/A
Master key:N/A
Confirmation Link Hash:N/A
Confirmation Link Hash (for MegaCracker):N/A
Login Hash:N/A

Confirmation Link:

Hex:N/A
Master key:N/A
Password hash:N/A
Unknown:N/A
Email:N/A
Spacer:N/A
Name:N/A
Unknown:N/A

Info

There is your password, password key, master key, confirmation link hash, and login hash. To derive your password key you do (65536 * (passwordLength + 15) / 16) rounds of AES128 encryption. The master key is generated randomly and is AES128 encrypted with your password key and stored at Mega. The hash found in the confirmation link is 64 bits of random data and 64 bits of zeros AES128 encrypted with your password key. The login hash is your email address compressed with xor, encrypted 16,384 times with your password key, and truncated to 64 bits.

"str_to_a32()" is not Unicode safe. This is used to convert your password into an array of 32 bit numbers. This limits the key space since Unicode character values larger than 255 leak over. So passwords "bĀ" and "cĀ" are equivalent (Ā is U+0100). Not as bad as $2x$ but still not good.


The confirmation link hashes are salted, but they are salted after key stretching which means it's really fast when you look at many users.
Attacking the confirmation links:

UsersProperly SaltedMegaDifference
165,53765,537Same
10655,37065,54610.0x
1006,553,70065,63699.8x
1,00065,537,00066,536985x
10,000655,370,00075,5368,680x
100,0006,553,700,000165,53639,600x
1,000,00065,537,000,0001,065,53661,500x

Note that "properly salted" and "Mega" columns are number of rounds of AES128. Note you can sort of compare PBKDF2 to Mega's KDF by looking at the "difference" column. If you were to tuned PBKDF2 to take the same amount of time as Mega's KDF. Although there are speed differences depending on the platform of the cracking rig.


Good news is that the login hashes are salted in the middle of key stretching.
Attacking the login hashes (assuming they don't do any server side hashing):

UsersProperly SaltedMegaDifference
181,92081,920Same
10819,200229,3763.57x
1008,192,0001,703,9364.81x
1,00081,920,00016,449,5364.98x
10,000819,200,000163,905,5365.00x
100,0008,192,000,0001,638,465,5365.00x
1,000,00081,920,000,00016,384,065,5365.00x

Bad news is the login hashes are much harder than checking a file.
Attacking the files:

UsersProperly SaltedMegaDifference
165,53765,539Same
10655,37065,56610.0x
1006,553,70065,83699.5x
1,00065,537,00068,536956x
10,000655,370,00095,5366,860x
100,0006,553,700,000365,53617,900x
1,000,00065,537,000,0003,065,53621,400x

Hey it could be worse they could be like LastPass¹:

UsersProperly SaltedMegaLastPass
1xx1
1010*x10+x10
100100*x100+x100
1,0001,000*x1,000+x1,000
10,00010,000*x10,000+x10,000
100,000100,000*x100,000+x100,000
1,000,0001,000,000*x1,000,000+x1,000,000

¹ LastPass can throw an error that tells the client to send a salted double SHA256 of your password. "SHA256(SHA256_lower_case_hex(email + password) + password)" to be exact.
² "x" is the hardness of the key stretching.
³ Mega uses AES and LastPass uses SHA256. On CPUs, 1x AES is 8.7x faster than 3x SHA256 (benchmarked with Q9300). With less than 8,500 users LastPass is weaker otherwise Mega is weaker. On GPUs 1x AES is roughly 1.5x faster than 3x SHA256. With less than roughly 100,000 users LastPass is weaker otherwise Mega is weaker.