Hardware Assisted Brute Force Attacks: Still For Dummies

J. Stoever brings up an important point.

Here at where I work we’re wrapping up a CISP/PABP compliance pass, and they have a ridiculous set of things one is supposed to do, both process- and implementation-wise, in order to get certified for credit card processing.

However, none of their requirements can prevent the most common way people’s CC data actually gets stolen in the environment we work with - keylogging software or hardware attached to the POS computer.

(Or, for that matter, Iwaiters swiping your card on their own reader/i or photographing it with their phone camera.

People are all fired up worried about someone cracking their eBay password, yet they hand a Icomplete stranger/i their actual physical card most every time they go out to eat!)

What happens when you start using these GPUs to implement rainbow tables? That’s what worries me.

This is more or less how Google’s translator works.

And have you seen how well that doesn’t work?

http://blogoscoped.com/archive/2007-10-23-n54.html

That’s just 5 dictionary words and a common number (recent year). It’s “brainlessly easy to memorize” because has a very low amount of entropy. Maybe the average rainbow table out there now won’t get it, but it just requires a different type of (no more sophisticated) attack.

The attack you’re describing is completely improbable to the point of ridiculousness. Just because you can describe something does not make it so. I can describe lots of things that sound very appealing, but are impossible in practice-- that’s called “The God Algorithm”. Show me one single real world implementation of a pass-phrase cracker that could break:

‘I drive a 1998 Ford Contour.’

If that kind of attack is so “unsophisticated”, show me a tool that can do it.

Elecom’s product attacks not just Windows Vista passwords, but a wide variety of passwords on a lot of different products (MS Word/Excel, Acrobat, Quicken, etc), as you can see here:

http://www.elcomsoft.com/edpr.html

The length of the pass phrase is irrelevant! The relevant thing is the length of the stored, hashed value, or the password/phrase, whichever is shorter

This isn’t quite right. Even in a rainbow table attack, you’re attacking using cleverly linked pre-computed hashes from generated passwords – you never actually “attack” the hash itself.

In a traditional brute force attack, you’d never see the hash-- your code is using generated passwords and repeatedly attempting to open the PDF, or access the website, or what have you.

Am I the only one thinking how much more BS-RAC I could get in SETI@Home with this?

My password: (N#c@bub,Iv{*{P\=|7RbBZYjIb37m{:!3R4i_BKK8$3-g`wOaR_qDK=Psjd3\0iwVjHG"L4IssY

So with my character set of [a-z][A-Z][0-9][+|’;/.,}{:"?`_)(*^%$#@!~=-][] there are 94 possible characters and a password length of 80 characters, so that makes 94^80 password possiblities.

This comes out to: 70,831,801,567,220,716,246,837,892,378,
711,076,995,107,590,018,336,991,237,446,
616,560,952,575,252,565,205,806,113,305,
457,006,260,943,190,445,617,340,073,590,
087,132,329,381,328,917,490,245,668,948,
227,915,776

Which took an hour this morning to figure out without any advanced calculators.

It also comes to: 7.08x10^157

How many hours would it take you to crack that?

(not my real password, just generated a similar one.)

Easy to remember pass-words or pass-phrases are OK if you only have a few to remember.

How many of you use the same password or passphrase on more than one website?

Those who do are now reliant on someone’s website for their security. If they store passwords in plain text then they will know your Username/Password for all the other sites on which you use that combination.

I do not trust other websites to hold my passwords secure and I no longer trust myself to remember multiple passwords.

My solution was to buy Roboform. I now have one password to remember and Roboform remembers everything else. Logging on to websites which require a username/password is now so easy.

Passphrases can be made even more bulletproof if you transpose keys on the keyboard.

So HORSE for example, becomes JPTDF if you transpose one key to the right on the keyboard, and Y($W# if you transpose one key towards the front (up?) of the keyboard.

Transposition makes it nearly impossible for anyone looking over your shoulder to memorize what you are typing as well as people are looking for a pattern to memorize.

back to my password being cracked. It is 80 characters long, with 94 possible characters being used

I don’t think we need to crack it; I doubt anyone with this password would ever be able to log in to their computer in the first place. So in that sense, it’s perfect security.

Socrates. You are now reliant on your computer not crashing and burning. Be sure to archive your roboform identities folder and store it on a few flash drives(make regular backups). As far as I know there is only a windows version of roboform. So much for using roboform where ever you happen to be.

Anyway, back to my password being cracked. It is 80 characters long, with 94 possible characters being used: (N#c@bub,Iv{*{P\=|7RbBZYjIb37m{:!3R4i_BKK8$3-g`wOaR_qDK=Psjd3\0iwVjHG"L4IssY

If you were able to test 1 Googol of possible passwords per second(10^100), then it would still take you up to 4.08x10^41 Eons to crack my password. (Well, an average of half that or: 2.04x10^41 Eons) (And Eons being defined as 550 million years each) Good luck, since the Universe is only about 2.49x10^1 Eons old! In other words, we will likely have severl big bangs and big crunches by the time you crack the password, perhaps you should focus that time on something more useful like building a time machine to go back and watch me type the password in?

HAHAHHAHAHA just try to crack it, I dare you Marty McFly … hahhahahahahahahahahahahaha!

I just thought I’d point out that Charles Darke’s comments mention NTLM but apply to LM, which no self-respecting admin has used in years. I’m sure most readers of this site would know, but…

How I tell people to secure up their passwords: One or two words in english and one or two words in a foreign language. Never going to be cracked in a reasonable time. Then I tell them about actual security, which has nothing to do with password length and everything to do with not giving it out (or changing it right after), getting a new one every now and then, using a password manager, and avoiding anything they didn’t sign up for.

“4.08x10^41 Eons […] (Well, an average of half that or: 2.04x10^41 Eons)”

and

“2.49x10^1”

I don’t think you understand how math works.

J. Stoever, I don’t think you understand how comprehension works. You obviously are referring to my use of notation. I would just say the number “25”, but stupid people like you wouldn’t understand the difference in magnitude between the number 25 and say the number 4.0x10^50 so to make it easier for the people who are just a bit smarter than you, I wrote it as 2.49x10^1. The “^1” isn’t necessary, but again it is to help morons see the magnitude and be able to compare more easily. Sorry I confused you. I did not mean to over-estimate the intelligence of the readers of this blog, J. Stoever, but it should be obvious to even the average reader, which was my intention, to see the magnitude of a number by looking at the exponent to which it was raised in scientific notation.

If you were confused about why it would take an average of half the maximum time to crack a password that is simple. When you crack a password, you could guess the correct answer on the first try or you could guess the answer on the last attempt. The average will fall somewhere in the middle… So if you’re confused and talking out your arse about 4.08x10^41 divided by 2 to get 2.04x10^41, perhaps you should go back to 4th grade and read a math book?

Enjoy your ignorance!
~Good Day to you Sir!

Mike wrote nearer the top about random salts (unless I misunderstood, also possible).

That’s all well and good, but how does the software then check that your password is correct? Unless it stored the random values in the database too, but that defeats the point really.

Ben, you can put the salt in the hash. The attacker won’t know this

lets say you make a random salt which is 5 char long for each password hash.

to make the string to put in the db, or wherever you do this

String salt = makeRandomSalt(); // makes a random 5 char string
String passwordHash = salt + md5( salt + password );

now when you want to check this you grab the first 5 characters as the salt. Remake the hash and check it against the hash you have in your db.

This way you can store the hash in the db and it will not be viewable to the cracker. Random length salts also works ^^

You can of course also just store a salt in the software (Hardcoded). Though then as soon as a cracker finds the salt he can generate a rainbow table and crack all passwords used in that software.

To continue on the topic of password length, I usually use phrases. Have done so for a few years now. It’s a lot easier to remember. I usually put in a comma, or a '. A normal phrase can be “Idon’tlikecheese” or even “Sometimesit’stemptingtoclimbawall”

they are easy enough to remember, and are highly secure

In the future there will be only one password that will pass all of the security checks for randomness, number of characters, and the use of digits.

That password is:
mxl%lct7

You should all change your passwords to use this new one now.

I’m not sure what all the other comments said… but I read this and heard “Microsoft use a crap method to encrypt their passwords”… again.

Who really uses brute forcing attacks anyway? I mean, don’t get me wrong, they can work, but it seems to me that as an attack vector it’s really a last resort. The best method, and in fact it’s always been the best, is to take advantage of human stupidity.

What if they try to use a few computers to distribute the work and on each computer have more then one GPU?

it can significantly lower the runtime…
10 computers with 2 GPU will make 20 time less runtime. but still not short enough
can you also add the CPU to the GPU calculations??

Lol you just generate a rainbow table on 40 PC in one month and you have all the passwords and that is that ,no brute force,no time to change the password.