
PCPro-Computing in the Real World Printed from www.pcpro.co.uk



Posted on June 1st, 2011 by Jon Honeyball

How a cheap graphics card could crack your password in under a second


I was pointed in the direction of a blog posting talking about the use of GPU processors to launch brute-force attacks on passwords. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now perfectly doable on your desktop computer.

In this report, the author takes a fairly standard Radeon 5770 graphics card (you’ll find it on our A-List under Value Graphics Card), and uses a free tool called ighashgpu to run the brute-force password cracking tools on the GPU. To provide a comparison point with the capabilities of a standard desktop CPU, he uses a tool called “Cain & Abel”.

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.


Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren’t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.

He then went on to add in mixed symbols to create “F6&B is” (there is a space in there). CPU will take 75 days, GPU will take 7 hours.
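To show where figures like these come from, here is an added worked calculation; it is my own example, not code from the blog post or from the ighashgpu report it summarises. It assumes a 62-character alphabet (upper case, lower case and digits) for the alphanumeric passwords and the 95 printable ASCII characters once symbols and a space are allowed, together with the two quoted rates of 9.8 million and 3.3 billion guesses per second. The nine-character sample password is constructed to match the shape described above. The worst-case (full keyspace) times it gives for seven and nine characters land on the 17 minutes and the 43 years versus 48 days quoted above; for the five- and six-character passwords the report's times are shorter than the full-keyspace figure, which is what you expect when the search happens to reach the password early, and the `worst_case=False` option gives the average-case estimate for that.

```python
import string

# Character-class sizes used for the estimates (assumption: the 95 printable
# ASCII characters, split into the four classes the article's examples use).
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 33,   # 32 punctuation characters plus the space
}

CPU_RATE = 9.8e6   # guesses per second quoted for Cain & Abel on the CPU
GPU_RATE = 3.3e9   # guesses per second quoted for ighashgpu on the Radeon


def charset_size(password):
    """Size of the smallest class-based alphabet that contains every
    character of `password` (an attacker who knows the password policy
    only needs to try those classes)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(alphabet, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def crack_seconds(alphabet, length, rate, worst_case=True):
    """Seconds to search the keyspace at `rate` guesses per second.
    On average the right password turns up halfway through, so the
    expected time is half the worst case."""
    total = keyspace(alphabet, length) / rate
    return total if worst_case else total / 2


def human(seconds):
    """Render a duration in the largest sensible unit."""
    units = [("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return "%.1f %s" % (seconds / size, name)
    return "%.3f seconds" % seconds


def estimate_table(samples, rates=(("CPU", CPU_RATE), ("GPU", GPU_RATE))):
    """Worst-case crack time for each sample password on each device.
    Returns a dict keyed by (password, device) -> seconds."""
    out = {}
    for pw in samples:
        alphabet = charset_size(pw)
        for device, rate in rates:
            out[(pw, device)] = crack_seconds(alphabet, len(pw), rate)
    return out


if __name__ == "__main__":
    # The first three and the last are the article's sample passwords; the
    # nine-character one is constructed here to match the shape described.
    samples = ["fjR8n", "pYDbL6", "fh0GH5h", "aB3dE5fG7", "F6&B is"]
    table = estimate_table(samples)
    for pw in samples:
        print("%-12s alphabet=%3d  CPU: %-14s  GPU: %s" % (
            pw, charset_size(pw),
            human(table[(pw, "CPU")]), human(table[(pw, "GPU")])))
```

Each extra character multiplies the search by the alphabet size, so one more character buys more than doubling the attacker's hardware takes away; that is the arithmetic behind the article's point that the GPU figures are a moving target.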

What does this tell us? Well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.

Yes, you can force your users to have a 15-character password consisting of random numbers and letters, and throw in punctuation as well. This is great as an idea, but we know that most users think that a password like “Barry1943Manilow” where 1943 was the year he was born, is complex and hard to remember. Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet? Or stuck to the side of the screen? Because anything much less than this is going to be open to attack over the next few years.

A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.

All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention. Nor has Microsoft, frankly, which should have a whole raft of alternative, hardened solutions in place, ready for its business customers to roll out.

What are the solutions? To be honest, I’m not sure. A combination of TPM, biometrics, passwords and maybe something else entirely new will be needed. But it’s clear that a complex password that users will actually accept for day-to-day authentication, and keep secret, might be history.


Posted in: Random


70 Responses to “How a cheap graphics card could crack your password in under a second”

  1. AnonnyMuss Says:
    June 1st, 2011 at 10:09 am

    With a solution like LastPass you can have complex, randomised, multi-symbol passwords. You only then need to remember one very long passphrase as a master password.

    Also, to an uninformed person like me, how does brute-forcing play in a world where password systems lock out for 24 hours+ after 3-5 wrong attempts?

     
  2. Tom A Says:
    June 1st, 2011 at 10:09 am

    Surely most sysadmins set a ‘3 tries and then wait 10 minutes’ restriction. 12 incorrect tries and you’re locked out please phone IT support. Can’t see the GPU doing that…

     
  3. jon honeyball Says:
    June 1st, 2011 at 10:11 am

    You would think so. But often this is not the case, especially in the SMB space.

     
  4. nagisa Says:
    June 1st, 2011 at 10:30 am

    It’s not hard to remember a complex password… Just take a regular word and press the buttons one button to the right, for example… That will make a long, memorable and complex password. Also I guess hashing on GPU is done on MD5 – the most insecure hash… If it were done in SHA-512 or SHA-256 (+salt added), then it would take way more time to crack it.

     
  5. Dave Says:
    June 1st, 2011 at 10:34 am

    Previous posters: this program isn’t directly attempting to log in to anything.

    Passwords are stored as the output from a cryptographic function (unless you’re Sony…). User puts the plaintext password into the function, it encrypts it, and if it matches the hash, we know it’s the right password since each hash is unique.

    Let’s say you’ve got access to a database of usernames and passwords, stored as hashes. With a program like this, you try every possible permutation of password until you generate a hash that matches one of those stored in the database. Bingo, you now know the plaintext password associated with that username, and potentially with that email address and so on.

    There’s no immediate issue with things like Chip ‘n’ PIN because the hashing and checking function takes place on the card’s chip, which will lock out after three wrong attempts.

     
  6. Paul Says:
    June 1st, 2011 at 10:38 am

    Wonder how it would fare with part-password questions? Enter characters 3,6,9,11….

     
  7. Danny Thomas Says:
    June 1st, 2011 at 10:41 am

    This is precisely why security needs to be holistic and not just rely on single measures. Brute force attempts are very possible with today’s hardware. Therefore the systems need to also monitor and alert on suspicious behaviour. The tools and techniques are out there, but much of industry is still reluctant to pay the cost.

     
  8. ErrolM Says:
    June 1st, 2011 at 10:49 am

    Sadly I have to agree with Jon. Working with many SMBs and charities in London, we find security and password management to be a major issue. If passwords change regularly or are too complicated you’ll find reminders on the screen. Don’t enforce regular changes and everyone knows each other’s password for convenience. Ahhhhhh!!

     
  9. David Wright Says:
    June 1st, 2011 at 10:51 am

    How does this work, when the accounts are set to disable / lock themselves out, when the user enters the wrong password several times in a row?

    Most places where I have worked have had a minimum length 8 characters, must include upper and lower case and a special symbol or number. And after half a dozen to a dozen attempts, the account is locked, until the administrator releases the account.

    And a lot of internet services now have a lockout, where the user has to enter a captcha, if they constantly give incorrect passwords.

     
  10. David Wright Says:
    June 1st, 2011 at 10:52 am

    I see Tom also asked the same question… That is what comes, when you start replying, then get called to a meeting for half an hour! :-D

     
  11. Varemenos Says:
    June 1st, 2011 at 10:59 am

    a 2 way authentication is the best solution.

     
  12. John Williams Says:
    June 1st, 2011 at 11:10 am

    @Tom A – It wouldn’t necessarily make any difference. You obviously can’t try passwords at a rate of 3.3 billion passwords per second across the network. You have to have access to the file containing the password hashes, so any policy regarding the number of tries is academic.

     
  13. P J Bryant Says:
    June 1st, 2011 at 11:17 am

    Of course, if you’ve given up your NTLM hashes already, then there’s probably a bigger issue at stake here.

     
  14. TimS Says:
    June 1st, 2011 at 11:20 am

    Could we have some information about who might be at risk from this? Websites? Desktops?

     
  15. Miles Says:
    June 1st, 2011 at 11:33 am

    Should I say KeePass? (Other password stores are available.) All my important passwords are at least 20 characters long, upper & lower case, numbers, punctuation and, if the website / software allows, special characters too. Not uncrackable but… I have given all our directors KeePass and they use it to good effect. I have it on my home PC, work PC and phone and have clear clipboard upon paste turned on. Very simple solution for using “proper” passwords. No need for Post-it notes etc.

     
  16. jon honeyball Says:
    June 1st, 2011 at 11:50 am

    A big threat might be

    a) an ex server you forgot to wipe, or one that is stolen?

    b) a disgruntled employee with more access than you thought they had?

    and so forth

     
  17. Steve Adey Says:
    June 1st, 2011 at 12:36 pm

    “Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet?”

    Surely this is more secure than a 6-8 letter password. This is 2 level security, first you’ve got to find the post-it note and then you have to find the pc.

     
  18. Thomas Bennett Says:
    June 1st, 2011 at 12:55 pm

    A threat scenario for this:

    c) someone capturing the NTLM hashes off your WiFi. As I recall, Elcomsoft has demonstrated the capability to break WPA encryption using a GPU.

    We should all invest in SecureID tokens… oh!

     
  19. AnonnyMuss Says:
    June 1st, 2011 at 1:02 pm

    One good thing about complex passwords is that they seem to not be vulnerable to social engineering in the way that memorable dates, pet’s names etc are.

    It’s notable that most password store software these days includes password generators

     
  20. Peter Says:
    June 1st, 2011 at 2:16 pm

    This is “worrying” to put it mildly. I tend to agree that the only real solution is going to be ‘multi factor’ authentication (and NOT as proposed by Mr Adey!).

    The ’something you know, something you have’ paradigm should at the very least slow-down the baddies.

    Finally, in “Corporate” security terms, physical security is possibly the biggest risk. Banks and others may have their servers in hardened bunkers (or they may not), but physically stealing servers, disks or WHY is quite effective….

     
  21. Rohit Says:
    June 1st, 2011 at 4:03 pm

    Bloggers have been writing articles like this since the beginning of time. “We’ve been lucky until now, but hardware improvements are changing that.” or “Finally the long-promised end of passwords is here.” Etc, etc etc. Not happening.

    The file of password hashes is well-protected. If a disgruntled admin can steal the hashes, why wouldn’t he just install some spyware on the box instead?

     
  22. Kenzie Says:
    June 1st, 2011 at 5:13 pm

    I’m curious as to how long my 62 character gmail password would fare against a GPU attack.

     
  23. Ron Says:
    June 1st, 2011 at 8:42 pm

    The problem with “enforced gibberish” passwords is that our brains are singularly bad at remembering gibberish.

    Thus, the Post-It notes.

     
  24. asdf Says:
    June 1st, 2011 at 9:00 pm

    @kenzie
    Probably not that long if somebody hooked up a fair few GPUs.

     
  25. kevin Says:
    June 1st, 2011 at 10:13 pm

    The most common fear with password policies is the complexity – especially for end users – yet it can be the most simple thing to remember.

    ie,

    Liverpool is the best football club in the world and Everton are not.

    could be

    lItbfc1tw!aEaN

    for a 14 character complex password. Use your favourite lyrics from a song, phrase from the bible or whatever.

    You say it in your head whilst typing and this prevents the users writing it down.

    It’s about educating users from fearing security.

     
  26. Marco Zamora Says:
    June 2nd, 2011 at 1:03 am

    The answer, for now, is two-factor auth with auth tokens. Three popular solutions are already here, with varying degrees of complexity and necessary infrastructure: tokens communicated on a sideband (e.g. SMS message or phone call), tokens generated with a crypto keyfob, or using smartcards for PKI signing.

    This is where everyone will be going, especially considering that financial regulations in the US and in many other countries are starting to mandate two-factor auth.

    Then, when everybody’s fed up with carrying around ten fobs, three smartcard readers, ten smartcards, and a cellphone, there will emerge a standard, vendor-neutral PKI solution using commodity crypto devices that authenticate with your personal method of choice: biometrics, passphrases, challenge-response questions, or singing your favorite opera while gargling.

    Imagine this not-too-farfetched scenario:

    You select a “keychain vendor” (a certificate authority) which hangs onto your public key. The identity on all of your online accounts is tied to a particular public key. Several cert authorities would exist under the DNS registrar business model; probably even the existing DNS registrars using DNS extensions for cert lookups.

    You load your private keys onto a commodity device bought at RadioShack or BestBuy. The authentication and authorization is done on the device, communicating with whatever service you’re using to connect via an independent connection to the net, or via local connectivity such as Bluetooth or NFC.

    The gadget would display the info from the auth challenge (“Facebook is charging UserID $5.00 for 10 sheep in Farmville using Visa Xxx…”), you would authorize it (using biometrics, a passphrase, or whatever other method), the challenge is signed, stamped for expiration and purpose according to your policy (“Yes, but only for black sheep, for delivery tomorrow when I harvest my artichokes”), sent back, authenticated against your public key.

    Your private key is secure on the device: read-only via hardware and you keep your readable copy in a safe-deposit box. Authorization is self-contained onboard: fingerprint or retina scanner, keyboard or touchpad, microphone with breathalyzer to avoid beer goggles.

    The device might be your smartphone, but I would be leery of depending on a carrier/vendor’s hardware: I’d rather use open source hardware, or certified by a vendor neutral org and sold via reputed channels.

    Pipe dream? I don’t think so: the huge advances in password crackability and market pressures for a simple, consumer-friendly, standard auth solution will make it happen in less than ten years, I think.

     
  27. Natasha Says:
    June 2nd, 2011 at 8:03 am

    Can someone please explain why a GPU produces more guesses per seconds? I ask this because I thought nothing was faster than the CPU and it’d seem that using a GPU as a CPU is faster. Why not just do away with the CPU then?

     
  28. Natasha Says:
    June 2nd, 2011 at 8:14 am

    Just to add to my question, I hope I’m getting this right. The test was CPU vs GPU and not: CPU vs (GPU+CPU).

     
  29. Stan Says:
    June 2nd, 2011 at 8:18 am

    Web sites that place restrictions on password length and complexity need to rethink their policies.
    The best solution appears to be the combination of “something you Know and something you Have” i.e. an Excellent Password + (e.g.) USB containing suitable Code.
    Note that some available systems may not be totally reliable, and if your machine is stolen kiss goodbye to your access security.
    Factor in Disc Encryption for improved security.
    Because you do not have piles of money in the bank does not mean there is nil need to be concerned. You do have an “Identity” and anyone who has had theirs stolen will tell you how devastating that can be.
    @kevin
    I use a similar system and can memorise a Password of 36 characters of combined Alpha Upper and Lower Case, Numerals, Punctuation and Keyboard Symbols (holding the shift key down for selected input).
    I am an old ‘geezer’ from the generation that did not have access to computing until halfway through life. If I can do so can you.
    Doing nothing is not an option!

     
  30. Chris Says:
    June 2nd, 2011 at 8:37 am

    There is a standard solution: use a hash with a configurable work function. Here’s one example:
    http://codahale.com/how-to-safely-store-a-password/

    Of course that doesn’t help me if someone walks off with my windows laptop. I guess a workaround for now is physical security, or third-party whole-disk encryption.
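The linked article recommends bcrypt, which is a third-party package; the added example below (mine, not the commenter's and not from that article) demonstrates the same idea, a configurable work function, with the PBKDF2-HMAC-SHA256 function in Python's standard library so it runs offline. It stores a random salt and the iteration count alongside the hash, verifies in constant time, and shows how raising the work factor divides an attacker's guess rate. The `attacker_guess_rate` comparison assumes, for illustration only, that the attacker's raw hash throughput equals the 3.3 billion per second quoted in the post for NTLM; real PBKDF2-SHA256 throughput on the same card differs, but the division by the iteration count is what matters.

```python
import hashlib
import hmac
import os

# Work factor: number of PBKDF2 rounds per password. This is the tunable
# "work function" of the comment above; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 200_000


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>'.
    A fresh random 16-byte salt is drawn unless one is supplied (tests pass
    a fixed salt so that the output is reproducible)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time. Returns True or False; malformed records
    never verify."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iters)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, rounds)
    return hmac.compare_digest(expected.hex(), digest_hex)


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True when a stored record uses fewer rounds than current policy, so
    it can be upgraded transparently at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < iterations


def attacker_guess_rate(raw_hashes_per_second, iterations):
    """Guesses per second an attacker gets when every guess costs
    `iterations` hash computations instead of one."""
    return raw_hashes_per_second / iterations


def seconds_to_exhaust(alphabet, length, guesses_per_second):
    """Worst-case time to try every password of the given shape."""
    return alphabet ** length / guesses_per_second


if __name__ == "__main__":
    record = hash_password("pYDbL6")
    print(record)
    print("verify correct:", verify_password("pYDbL6", record))
    print("verify wrong:  ", verify_password("pYDbL7", record))
    # Illustrative assumption: attacker raw throughput equal to the 3.3e9
    # guesses/s quoted in the post for unsalted NTLM hashes.
    slow = attacker_guess_rate(3.3e9, DEFAULT_ITERATIONS)
    print("effective guesses/s with %d rounds: %.0f" % (DEFAULT_ITERATIONS, slow))
    print("years for all 9-char alphanumerics: %.0f" %
          (seconds_to_exhaust(62, 9, slow) / (365.25 * 86400)))
```

The salt also defeats the other shortcut the post's figures rely on: with a per-user salt, one guess costs one hash per account rather than one hash checked against every stolen hash at once. The iteration count is stored in the record so it can be raised later without invalidating existing users; `needs_rehash` is the hook for that.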

     
  31. FragPl0x Says:
    June 2nd, 2011 at 8:41 am

    Really interesting. Seems for the moment however the same is true as before: long complex passwords, brute force detection and blocking techniques, and captchas. Although I’m sure this article is kind of ignoring the fact that this would have to be A) a hardware hack, any software hack leaves multiple seconds wait between guesses to wait for a reply and B) would almost certainly crash most computers / servers. This assumes you’ve already managed to hack the computers and retrieve the hash. C) Multiple keys may be mapped to the same hash value, making brute force unreliable. So in conclusion, yes this is interesting, yes it’s a possible threat in the future, but only for incredibly strong computers / servers with minimal other security, and a previous poster hit the real nail on the head, which is with a nice long complicated salt (which no one has to remember), brute forcing hashes is made completely obsolete…

     
  32. russv Says:
    June 2nd, 2011 at 9:24 am

    I have taken to using a geometric pattern of keys which can be moved across the keyboard (and no, it’s not a straight line!). This generates a random password and all I have to remember is the first letter and the shape. I also repeat the pattern twice for each password making it more complex but no more difficult to remember.

     
  33. ESmith Says:
    June 2nd, 2011 at 10:36 am

    @Natasha.
    You are nearly right. CPUs are faster at day-to-day stuff as they also have some form of logic in their design. GPUs do not have this since rendering graphics is also pure maths (mostly), thus when a maths-heavy process like rendering or brute-force cracking is tried on a GPU, it will work faster since it has many more cores than a CPU (stream processors or CUDA cores) all dedicated to maths, so can run many more MATHEMATICAL calculations per second.

     
  34. Happyskeptic Says:
    June 2nd, 2011 at 10:48 am

    Another security article without context. For a start to get at the NTLM hashes you’d already need to have administrator access to the system or network, ie. you’d already have complete control incl. the ability to reset the passwords to anything you want.

    Secondly the weakness of the algorithms used in NTLM has been known for a long time. That’s why Active Directory uses Kerberos instead, and on the Unix side most Linux and BSD distributions have switched to Blowfish for password hashing. The algorithms in Blowfish and Kerberos can’t be brute forced in any useful (i.e. non-geological time scale) amount of time.

     
  35. Local Says:
    June 2nd, 2011 at 11:30 am

    The easiest way to get hold of the Network Administrator password used to be a combination of being friendly to them (most of the time they are the focus of derision) and a bit of tinkering with network cables. Ask them to sort out a problem on the PC, get them to log on, kill the network as they try to authenticate and capture a local store of the password. Voila. Take it home and crack away.

    This is why there should be a physical component involved too, like a USB Dongle, Card scanner or Finger print scanner.

     
  36. Andy Says:
    June 2nd, 2011 at 12:12 pm

    Remember that a typical laptop stores a local copy of the Active Directory credentials (otherwise you wouldn’t be able to log on to your laptop without first being connected to the company’s network). With physical access to the laptop, not knowing any passwords, you could grab the hash-of-a-hash, and theoretically crack it. Even easier if the laptop stores LM hashes as well as NT hashes.

     
  37. Greg Gillies Says:
    June 2nd, 2011 at 1:11 pm

    Gaining access to random Gmail or Network accounts is not really the problem here. A more worrying scenario is that it’s not just passwords which are stored in hashed databases/files. Take the recent Sony compromise, where 100+ million accounts were stolen. Sony played down the attack by stating “although credit card details were stolen, they were encrypted, so you’ll be fine – just change your password”. Spend a couple of hundred quid on a few of Nvidia’s finest, and Mrs Hacker now has 100 million credit cards to play with.

     
  38. Gopher Baroque Says:
    June 2nd, 2011 at 2:34 pm

    If the brute force attack is just trying random password guesses, shouldn’t passwords that are easy to remember be just as secure as hard-to-remember ones?

     
  39. nononon Says:
    June 2nd, 2011 at 3:25 pm

    Won’t it just lock your account out after 3 attempts?

     
  40. Howard Bates Says:
    June 2nd, 2011 at 5:18 pm

    At the risk of being controversial …

    It is very easy to secure any computer system to any degree of security. The problem is that such a system is always used and administered by humans. In my experience, most organisations understand little and care even less about their security requirements and do little or nothing to educate their users. Very sad because with a bit of thought and effort, it could all be quite cheap and easy. The key lies in educating and campaigning.

     
  41. Glyn Says:
    June 2nd, 2011 at 5:32 pm

    The only real solution is two factor auth. Be that mobile / NFC / broken RSA devices or similar.

     
  42. Neil Says:
    June 2nd, 2011 at 8:39 pm

    Three form authentication is better. Something you know, something have and something you are. i.e. password, fob and biometrics. The trouble is if you have something valuable enough to steal the bad guys will find a way to steal from you.

     
  43. peter Says:
    June 2nd, 2011 at 10:08 pm

    My company enforces a password system of at least 8 characters and a mix of capital letters, lower case letters and numbers, none of which can form a recognisable word (and that includes using 1 for l etc.). And you have to change it every month and are never allowed to repeat it. After three wrong passwords, you have to get a system admin to personally unlock your account. I did ask why such a convoluted password system if any brute force cannot guess even common names in three goes, and the only answer was ‘it’s more secure’. I pointed out that in fact it is less secure as every person in the company has their password written down, but that was just met with a look as if I had grown two heads.

    They once instituted a policy of an instantly sackable offence if anyone wrote their password down, but this was quietly dropped when the IT dept complained that they were doing nothing else but resetting passwords all day long.

    Why does no-one look at the big picture when setting password policy?

     
  44. Dave Says:
    June 2nd, 2011 at 11:08 pm

    It surprises me that people think they can secure a computer or network when in reality this is just not possible, yes you can make it more and more difficult to crack but that’s about all.

    Computers were not designed to be secure and given the resources, time and knowledge any system can be cracked… there is no way round this by tagging on Biometrics, tokens or anything else.

    Indeed the harder you make it for a user (using multiple measures) to log into the system, the chances of cracking don’t become smaller, they become greater, due to users’ brains and the implementers’ lack of knowledge and increased confidence in the system, so they miss the obvious.

    This means that only a one-time-pad type system unknown to the computer and the user would work… impossible? maybe not with the introduction of quantum computers but then of course we’re back to square one.

    If you want to keep something secret, don’t store on a computer.

     
  45. Michael Ejercito Says:
    June 3rd, 2011 at 12:53 am

    I suspect that agencies like MI5 and the CIA have hacked millions of passwords already.

     
  46. Stokegabriel Says:
    June 4th, 2011 at 8:00 am

    John wrote:”In this report, the author takes a fairly standard Radeon 5770 graphics card (you’ll find it on our A-List under Value Graphics Card)”

    Should have gone to Specsavers, the Value Graphics card is a Radeon HD5570, not a 5770. Careless!!

     
  47. Michael Says:
    June 5th, 2011 at 12:08 am

    The one thing in this article that incensed me so is the author’s seeming unwillingness to believe that people don’t create complex passwords in organizations, and even more so the fact that the users would have a difficult time remembering/utilizing them! In my workplace, since the time of my joining, such passwording has been the norm, having to use multiple passwords for all the required sensitive information to access it. If your organization (and its info) is important to you, you will do what’s necessary to protect it, regardless of the (personal) inconvenience. Boohoo if script kiddie et al are inconvenienced.

     
  48. cm Says:
    June 5th, 2011 at 10:00 pm

    http://codahale.com/how-to-safely-store-a-password/

    Use bcrypt?

     
  49. Bert Smith Says:
    June 6th, 2011 at 12:50 am

    This password cracking speed is based on Windows NTLM passwords… The passwords used by modern unix are much stronger, and would take orders of magnitude longer to crack.

    But why even bother cracking NTLM? Windows passwords are the EQUIVALENT OF PLAINTEXT and can be used to authenticate while still in their encrypted form. Once you have the hashed password, you simply use it as-is, no cracking required, exactly the same as if you found a plaintext unencrypted password. Google for “pass the hash” and you can find plenty of tools for doing this.

     
  50. Cracked Says:
    June 6th, 2011 at 8:35 am

    Who still uses NTLM?

     
  51. Gavin Says:
    June 7th, 2011 at 1:26 am

    Isn’t password science great? You can increase the password ‘strength’ by increasing the number of factors used with the password; the three biggies are

    1) something you have ie, a swipe card.
    2) something you are ie, a finger print.
    3) something you know ie, a password.

    Or another way to look at it would be

    1) Something that can be stolen
    2) Something that can be cut off
    3) Something that can be tricked or tortured out of you…

    And I’m not sure I’d be trusting RAS with the keys to our doors any time soon!

    The password system is basically broken at a fundamental level if you increase complexity now what is the answer in 2 years time when video cards are twice as fast for half the price? I’m sure the answer can’t be similar to the giant ice cube sketch in Al Gore’s ‘An Inconvenient Truth’. ‘let’s just make passwords longer and longer every year thus solving the problem for ever’.

    If you are trying to protect your system from the internet and the user has their password on a post-it on the underside of their mouse mat, it doesn’t matter as long as the password is a decent one, because the only people with access would be those that have passed through building security. If someone is going to brute force externally they would surely try to brute force a username with a given password like ‘Password123’, trying every combination of letters that is reasonable looking for a hit; chances are this would not kick off any password attempt limits, which are based on password attempts against any single account. No hits first time, then retry with ‘Password1*’; chances are the counter on any valid usernames has reset by then.

    Personally I use KeePass generating passwords unique to sites / services etc to the maximum complexity allowed by that provider and stored on fully encrypted (TrueCrypt) machines.

     
  52. bob Says:
    June 8th, 2011 at 5:12 am

    Currently all US military/gov passwords are required to be 14+ character monstrosities, complete with upper and lower case, numbers and symbols, AND must be changed every 30-90 days.

    And as a nerd subjected to this, I can only laugh at the assumption that this makes it “safer”. All it has done is lead to everyone writing down their password near the computer, or sharing a single login/password to avoid the sheer hassle of trying to remember these ever-changed “super passwords” and simply log in and get some productive work done.

     
  53. Argo Says:
    June 8th, 2011 at 3:19 pm

    @Gavin, Miles: I use KeePass too, but unfortunately, a file that’s locked by a password is exactly the sort of thing that a brute force attack can crack without ever being locked out. And no network latency. So, if someone ever gets hold of your KeePass file, they’ve got everything.

     
  54. jj Says:
    June 13th, 2011 at 4:16 am

    As far as the users are concerned, they can actually even write down the passwords and still trick the bad guy. Just make a list of 20 random passwords on your reference sheet which you stick near your monitor [challenge him :D ]. Just make sure only you know which one you use – all you have to do is remember whether you are using the 12th one or the 17th one. Also, just make sure you are not using the exact password written out there. [Otherwise he will be able to try each of your passwords each day after you reset the invalid attempt count by logging in yourself.]
    Again, don’t tell anyone which character you are changing and what you are changing it to.

    And you can even use the same list of passwords for ever.

    All you have to do is innovate :)

     
  55. jj Says:
    June 13th, 2011 at 4:23 am

    Again, now as we all know that we are changing one character from the listed password, the hacker can still run his code with all those twenty passwords and, varying them a little, crack it in a few. So, don’t just stick to changing a character. Be innovative on what change you are actually going to make to the listed password to get your original password and KEEP IT A SECRET.

     
  56. Erix Says:
    June 13th, 2011 at 3:24 pm

    You won’t get your users to type and remember 23@88jiohgtrQQx, but you will get them to swipe a finger on a sensor every day. I know because my customers are happy to do it every morning; they didn’t particularly enjoy typing a password anyway, even when they were considered ‘safe’. Check this out: http://www.youtube.com/watch?v=Fd5mJazxbtE

     
  57. Jim Says:
    June 23rd, 2011 at 1:07 pm

    The point being missed here is that the GPU is used to brute force the password – trying every combination. On that basis “Barry1943Manilow” is just as secure as “Jh3k2J9w0JM3f8Wa”. The GPU has to try all combinations of upper/lower/numbers and so for this 15 character password, even at 3 billion guesses a second, the GPU would take millions of years to crack it (unless this combination is in the hackers password dictionary). Of course, social engineering would help here (if you know the person is a Barry Manilow fan), but that is not how the GPU works.

    Have a look at Steve Gibson’s take on this at https://www.grc.com/haystack.htm.

  58. Yuhong Bao Says:
    June 26th, 2011 at 8:51 pm

    “of course, if you’ve given up your NTLM hashes already; then there’s probably a bigger issue at stake here.”
    Remember you can use the raw hash directly to login in most Windows network protocols.
    “someone capturing the NTLM hashes off your WiFi.”
    No Windows network protocols I know of transmit the raw NT hash in plaintext though.

  59. stokegabriel Says:
    November 24th, 2011 at 6:33 pm

    Password cracking has been a worry for me since I read an article in PCP about Elcomsoft software: http://www.elcomsoft.com/products.html. Rather more worrying is the way that many on-line banking services rely only on a PIN, often only a 4-digit one.
    One other observation about brute force attacks on passwords: many report how long it would take to crack a password based on the assumption that the correct password will be the last possible combination tried, a most unlikely result. It could just as easily be the first combination tried.

  60. stokegabriel Says:
    November 24th, 2011 at 6:36 pm

    Re post No 58, I believe the wireless WEP protocol transmits the password in plain text. WEP being a wireless network protocol.

  61. Jamie Says:
    November 30th, 2011 at 8:25 am

    You’ve only cracked a password if you have entered it into the system and gained access. Just duplicating it proves nothing. It doesn’t matter if you can generate a billion passwords a second, if you can only try one per second the password is safe.

  62. Moo Says:
    December 4th, 2011 at 8:16 pm

    With brute force attacks when you have access to the hash file, using GPUs is very fast and bypasses the lock-out function. However, with most OSes these days you would need physical or root access to the machine to do this. If you have a public-facing log-on, i.e. FTP/RDP/SSH, I would always use more than 8 characters with numbers and punctuation or you are asking for trouble. Also, disabling accounts like Administrator (Windows) and root (*nix) is just common sense; create a custom account with the same access. If they are trying to brute force your username and a complex password, we prob need alien technology. Also, assuming you use complex passwords, most hacks are actually known software/OS vulnerabilities that you haven’t patched.

    And to get round the CEO who will never accept a complex password, try certificates on a USB or one of the random-number key-based tags.

  63. Beesley Says:
    January 31st, 2012 at 12:53 pm

    Your safest password… 4 random words, separated by a single space. Example: this used machine gun

    It’s amazing to me people haven’t figured this out yet…

    Learn2Computer.

  64. Beesley Says:
    January 31st, 2012 at 12:54 pm

    Truth -

    http://preshing.com/20110811/xkcd-password-generator

  65. Michael S Says:
    March 23rd, 2012 at 4:17 pm

    Considering how serious this sounds, until a real solution can be implemented, how difficult would it be for Microsoft, et al to give administrators the ability to enforce the use of multiple passwords in a single login by simply checking a box on the global or group policy?

  66. Michael S Says:
    March 23rd, 2012 at 4:18 pm

    It would also seem more important than ever for admins to keep the user IDs just as cryptic and secret as the password.

  67. Roger Says:
    June 28th, 2012 at 8:59 pm

    Password extender algorithms, such as PBKDF2, fix this problem by forcing the attacker to perform a certain amount of computations for each password that is to be tested.
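    To show what the work factor in the comment above buys, here is an added example (not code from the article or any commenter) that stores and verifies a password with PBKDF2-HMAC-SHA256 from Python's standard library, then measures how much more one guess costs than one plain hash. The iteration count, salt length and the choice of SHA-256 as the inner hash are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Parameters assumed for this illustration; not taken from the article or any product.
ITERATIONS = 100_000   # PBKDF2 work factor: hash computations the attacker must repeat per guess
SALT_BYTES = 16
FAST_HASH = "sha256"   # stand-in for a single-pass hash such as the NT hash

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Return the verifier to store: (random per-user salt, derived key, iterations)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(FAST_HASH, password.encode("utf-8"), salt, iterations)
    return salt, key, iterations

def verify_password(password: str, salt: bytes, key: bytes, iterations: int) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(FAST_HASH, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)

def per_guess_slowdown(iterations: int = ITERATIONS, samples: int = 5) -> float:
    """Measure how many times more one PBKDF2 guess costs than one plain hash on this CPU."""
    pw = b"pYDbL6"                 # the article's 6-character example, used only as benchmark input
    salt = b"\x00" * SALT_BYTES    # a fixed salt is fine for timing, never for stored verifiers
    n_fast = 20_000
    t0 = time.perf_counter()
    for _ in range(n_fast):
        hashlib.new(FAST_HASH, pw).digest()
    fast = (time.perf_counter() - t0) / n_fast
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac(FAST_HASH, pw, salt, iterations)
    slow = (time.perf_counter() - t0) / samples
    return slow / fast

def attacker_rate(fast_rate: float, iterations: int = ITERATIONS) -> float:
    """Guesses/s a cracker that manages fast_rate plain hashes/s can test against PBKDF2 output."""
    return fast_rate / iterations

if __name__ == "__main__":
    salt, key, n = hash_password("pYDbL6")
    print(verify_password("pYDbL6", salt, key, n), verify_password("pYDbL7", salt, key, n))
    print(f"one PBKDF2 guess ~{per_guess_slowdown():.0f}x a plain hash; "
          f"3.3 billion/s becomes {attacker_rate(3.3e9):,.0f}/s")
```

    Ignoring differences in per-hash speed, the article's 17 minutes 30 seconds for a 7-character password becomes roughly 3,300 years at 100,000 iterations, because every guess now costs 100,000 hash computations instead of one.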

  68. dan Says:
    August 30th, 2012 at 2:58 pm

    Just a heads up.. There are thousands of small Chinese companies that are teaching the Chinese how to hack computers all over the world under the guise of systems protection..

    I have a fairly large company. I do business in China and I fly back and forth 5-6 times a year. About 6 months ago someone had complete access to my computer. The way that ordering a container works is you will get a PI (pro forma invoice), then you will pay half once it is FOB (freight on board), which means they have loaded the container and it is at the docks and ready to ship. Then you pay the remainder once it arrives, in my case in Los Angeles harbor.

    What this guy did was watch my Skype conversations so he knew the mannerisms of my partner/manufacturer in China. Somehow he was also able to spoof his exact email, which was a Hotmail account.

    At the time my partner in China was building a new house. I knew this because I had just visited and we also talked about it on Skype.

    It is very (extremely) commonplace to filter $$ through a separate account to keep the Govt from finding out and charging 60% taxes.

    So the hacker got on Skype as well as the exact email address, and re-sent the “new” PI with a new bank account to transfer the $$ to. I didn’t think twice about it. So we did a Bank of America transfer of $17,800 (first half of the container price).

    2 days later I was on Skype and my real partner asked when I was going to deposit the $$. I said “I did it 2 days ago”. I instantly knew what had happened. My secretary gathered all of the Skype conversations, all of the emails and email headers, and hopped on a plane to Shanghai. The Shanghai police were of no help because it was in a different province, like California dealing with a Colorado problem.

    So I hopped on a high-speed train to Ningbo; my partner met me there, but it was too late to deal with it (7-8 pm).

    The next morning we drove 5 hours to the podunk town and went to the police station; after 4 hours of translation we went to the bank, and the day before the money had been withdrawn.

    The thief was of Chinese descent but lived in Venezuela. So we had a name and a passport number.

    We couldn’t call Interpol lol… over a money scam. So long story short, I was using Malwarebytes, AVG and he still had complete control of my computer. I am unsure how to disable this feature in Windows 7. But maybe some of you have some insight. The $17,000k hurt us. We were able to recover in a month but it hurt bad: payroll, office, product liability insurance. So just beware, because they have complete control of your computer.
    DAN

  69. Ade Says:
    February 28th, 2013 at 11:24 pm

    Haha, that’s funny, so it would take hackers 7 years to break into my bank account, only to find out I haven’t got any money.
    Serves em right.

  70. TomS Says:
    November 9th, 2013 at 9:10 am

    A human could – at best – attempt about 1 different password every few seconds. Why then is there any case for allowing passwords to be entered faster than that? By limiting the speed at which passwords can be entered – maybe to 1 every 3 seconds – we could easily stop most of these hacking methods. I mean, over 50 billion attempts per second?! Why is that even allowed?!
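    The rate limit that this comment and comment 61 above are arguing for, as an added example (not code from the article or any commenter): a per-account throttle that refuses to even check a password until a minimum gap has passed, with the gap doubling after each failure. The 3-second base delay, the 5-minute cap, the "cfo" account and its password are constructed for the demonstration; the injected clock exists so the scenario runs instantly.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed checks
    next_allowed: float = 0.0  # earliest clock time at which the next attempt is checked

class LoginThrottle:
    """Enforce a minimum gap between password checks per account, doubling after each failure."""
    def __init__(self, check_password: Callable[[str, str], bool], base_delay: float = 3.0,
                 max_delay: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._check, self._base, self._max, self._clock = check_password, base_delay, max_delay, clock
        self._accounts: Dict[str, AccountState] = {}

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'throttled'; throttled attempts are never checked."""
        state = self._accounts.setdefault(username, AccountState())
        now = self._clock()
        if now < state.next_allowed:
            return "throttled"
        if self._check(username, password):
            state.failures = 0
            state.next_allowed = now + self._base   # even a correct login pays the base gap
            return "ok"
        state.failures += 1
        delay = min(self._base * 2 ** (state.failures - 1), self._max)
        state.next_allowed = now + delay
        return "bad_password"

class FakeClock:
    """Manually advanced clock so the scenario below runs instantly and deterministically."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t

def simulate_guessing(seconds: float = 60.0, guess_interval: float = 0.5) -> Dict[str, int]:
    """Constructed scenario: a guesser sends a wrong password every guess_interval seconds."""
    users = {"cfo": "Barry1943Manilow"}   # constructed store; plaintext only for the demo
    clock = FakeClock()
    throttle = LoginThrottle(lambda u, p: users.get(u) == p, clock=clock)
    outcomes = {"bad_password": 0, "throttled": 0, "ok": 0}
    while clock.t < seconds:
        outcomes[throttle.attempt("cfo", "wrong-guess")] += 1
        clock.t += guess_interval
    clock.t = 100.0   # later, the real user logs in correctly: delayed, not locked out for good
    outcomes[throttle.attempt("cfo", users["cfo"])] += 1
    return outcomes

if __name__ == "__main__":
    print(simulate_guessing())   # 120 guesses in a minute, only 5 of them actually checked
```

    This only slows an attacker who must go through the login service; it does nothing against the offline hash cracking the article describes, which is what the PBKDF2 point in comment 67 addresses.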
