Equipped To Survive® Presents
The Survival Forum
Page 3 of 3
#214726 - 01/11/11 02:31 AM Re: Things you need to know about passwords. [Re: chaosmagnet]
Art_in_FL Offline
Pooh-Bah

Registered: 09/01/07
Posts: 2432
Originally Posted By: chaosmagnet
This article was written in August of 2007. Computers are dramatically faster than they used to be. Also, some bad guys are using botnets for password cracking. This means that some bad guys can apply several orders of magnitude more computing power to password cracking than they were able to when the article was written.
...
In offline password cracking, the attacker is not subject to any of those limitations and password security needs to be significantly greater to prevent attacks from succeeding. Many authentication systems are subject to offline attacks.


The speed (processing power) of the computer used to crack a password doesn't make any difference. The process is not CPU dependent and is simply the input of a simple list of logical guesses. As mentioned in the article, the main limitation is the speed with which guesses can be made. The two main limitations are the speed of the connection and any limitation placed on how many attempts can be made in any set amount of time by the securing system. The basics are as relevant now as they were in 2007.

Top
#214728 - 01/11/11 02:50 AM Re: Things you need to know about passwords. [Re: chaosmagnet]
speedemon Offline
Journeyman

Registered: 04/13/10
Posts: 98
Originally Posted By: chaosmagnet
Originally Posted By: speedemon
You aren't going to brute force a random 6 character password, there are simply too many combinations.


I have myself successfully brute-forced thousands of six character and longer passwords, using John the Ripper on a multicore PC. One 6 character password typically takes under a minute. I'd be surprised if a completely random 6 character password with all four character types would take an hour. Feel free to post the Unix or Windows hash of a 6 character random password, and I'll be glad to take a (forgive me) crack at it.

Six character passwords are too short.

It's worth stating again that I only crack passwords with written authorization from my customers.

Like I said, IGNORING THE SYSTEM. You're talking about a specific program that is cracking a password file. Not to mention, a program like that requires access to the machine in the first place, which would probably make it a pointless endeavor to recover passwords, you already have access to the data.

We could go on all day about specific circumstances where this works, and that doesn't. In the end, it doesn't help at all because most people will tend to form the opinion that it doesn't matter and they will keep using weak passwords.

You want a specific example where a 6 character password will work? Try and crack 256 (try 128 for that matter) bit AES where the key was hashed from a 6 character password. Never going to happen.

In the end, if you want true data security, authentication to prevent access to the system is not the answer. Encryption is the only thing that will prevent access to your data, and even that depends on the implementation of the algorithm itself (plenty of examples of encryption software with holes).

Top
#214741 - 01/11/11 11:59 AM Re: Things you need to know about passwords. [Re: Art_in_FL]
Eugene Offline
Carpal Tunnel

Registered: 12/26/02
Posts: 2997
You don't need access to the system, you can gather the password hash over the network.
And yes, a 6 character one is pretty easy to crack; 8, 10, 12, etc. take longer, but not all that much longer.

Top
#214751 - 01/11/11 02:21 PM Re: Things you need to know about passwords. [Re: Art_in_FL]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3842
Loc: USA
Originally Posted By: Art_in_FL
The speed (processing power) of the computer used to crack a password doesn't make any difference. The process is not CPU dependent and is simply the input of a simple list of logical guesses. As mentioned in the article, the main limitation is the speed with which guesses can be made. The two main limitations are the speed of the connection and any limitation placed on how many attempts can be made in any set amount of time by the securing system. The basics are as relevant now as they were in 2007.


This is true for online password attacks, and not true for offline password attacks. Many systems are vulnerable to offline password attacks.

Top
#214755 - 01/11/11 02:41 PM Re: Things you need to know about passwords. [Re: speedemon]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3842
Loc: USA
Originally Posted By: speedemon
Like I said, IGNORING THE SYSTEM. You're talking about a specific program that is cracking a password file. Not to mention, a program like that requires access to the machine in the first place, which would probably make it a pointless endeavor to recover passwords, you already have access to the data.


There are offline password attacks that do not depend on prior access to the system. There have also been ways to use unprivileged access to obtain hashed passwords, which can lead to successful privilege escalation attacks.

Quote:
We could go on all day about specific circumstances where this works, and that doesn't. In the end, it doesn't help at all because most people will tend to form the opinion that it doesn't matter and they will keep using weak passwords.


That's where policy, enforcement, security education and token-based authentication can help. I have customers who use and enforce strong password policies. In many cases it took significant effort to implement due to end-user resistance.

Quote:
You want a specific example where a 6 character password will work? Try and crack 256 (try 128 for that matter) bit AES where the key was hashed from a 6 character password. Never going to happen.


Cracking AES is exceptionally difficult and expensive, and likely to be infeasible for some time to come. But we weren't talking about encryption keys, we were talking about account passwords. These are frequently stored as hashes. While there are no hash-reversal attacks that I'm aware of, there are some good attack modalities. These attacks work a lot better with six character passwords than they do with longer passwords of roughly equivalent complexity.

Quote:
In the end, if you want true data security, authentication to prevent access to the system is not the answer. Encryption is the only thing that will prevent access to your data, and even that depends on the implementation of the algorithm itself (plenty of examples of encryption software with holes).


Encryption plays a critical part in information security in many systems. As you say, most successful attacks against encryption work because of weak implementation rather than weak encryption (WEP being a notable counterexample).

Unfortunately encryption by itself does not result in secure systems. While I'd put software and configuration vulnerabilities ahead of authentication issues, weak authentication continues to pose a significant threat to information security. Data secured by strong encryption but weak authentication can be quite vulnerable.

Top
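The thread's two points, that a server-throttled online attack and an offline attack on a stolen hash run at very different guess rates, and that added length beats added character classes, can be put into numbers. The calculator below is an added example written for this page, not code from any of the posters; the character-class sizes and the three guess rates are constructed assumptions chosen to show orders of magnitude, not measurements of any tool.

```python
"""Keyspace and time-to-exhaust estimates for online vs offline password guessing.

Added example, not from the thread. The guess rates below are constructed
assumptions that illustrate orders of magnitude, not benchmarks of any cracker.
"""
import math

# Sizes of common printable-ASCII character classes (assumption: US keyboard).
CHARSET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case": 52,
    "mixed case+digits": 62,
    "all four classes": 94,   # letters, digits and the 32 other printable symbols
}

# Constructed guess rates (guesses per second) for three attack settings.
GUESS_RATES = {
    "online, throttled by the server": 10.0,   # network round trip plus lockout policy
    "offline, slow salted KDF": 1e4,           # PBKDF2/bcrypt-class hashing per guess
    "offline, fast unsalted hash": 1e9,        # one fast digest per guess
}


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` symbols from `charset_size` choices."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """Entropy of a uniformly random password: log2 of its keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case time to try every password in the keyspace at the given rate."""
    return keyspace(length, charset_size) / guesses_per_second


def human_duration(seconds):
    """Render a duration in the largest unit that yields a value of at least 1."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def attack_table(lengths=(6, 8, 10, 12), charset="all four classes"):
    """Map (length, scenario) -> seconds to exhaust the keyspace, per GUESS_RATES entry."""
    size = CHARSET_SIZES[charset]
    return {(n, scenario): seconds_to_exhaust(n, size, rate)
            for n in lengths for scenario, rate in GUESS_RATES.items()}


def longer_beats_wider(long_len, long_set, short_len, wide_set):
    """True when a longer password from a narrower class set carries more entropy
    than a shorter one from a wider set, i.e. when adding length beats adding classes."""
    return (entropy_bits(long_len, CHARSET_SIZES[long_set])
            > entropy_bits(short_len, CHARSET_SIZES[wide_set]))


if __name__ == "__main__":
    for (n, scenario), secs in sorted(attack_table().items()):
        print(f"{n:2d} chars, {scenario:32s}: {human_duration(secs)}")
    verdict = "length wins" if longer_beats_wider(9, "lowercase", 6, "all four classes") else "width wins"
    print("9 lowercase vs 6 from all four classes:", verdict)
```

Under these assumed rates a random six-character password from all four classes survives the throttled online attack for thousands of years but falls to the fast-hash offline attack in minutes, which is the gap the posts above are arguing over; the slow-KDF row is the defender's lever, since a salted, iterated hash cuts the offline rate by orders of magnitude without touching the password policy.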