Harden Up: Can We Break Your Password With Our GPUs?

Gamingphreek

I was wondering when someone would do a test like that!

I wonder what kind of performance they would get by using rainbow tables.

-GP
 

Modelworks

This is why the best security feature of anything that requires passwords is delays between retries as well as limits on the number of attempts.
Make the time between login attempts 10 seconds and the number of total attempts at 3 before a supervisor is involved and you stop all this password guessing stuff.
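
The retry policy described in the post above (10 seconds between attempts, 3 attempts before a supervisor is involved), sketched as an added example that is not part of the thread. The class name, the `verify` callback and the account and password values are hypothetical; the clock is injectable so the policy can be exercised without waiting.

```python
import time

class LoginThrottle:
    """Per-account throttle: a fixed delay between attempts and a lockout
    after too many failures, cleared only by an explicit supervisor reset."""

    def __init__(self, min_delay=10.0, max_failures=3, clock=time.monotonic):
        self.min_delay = min_delay
        self.max_failures = max_failures
        self.clock = clock
        self.state = {}  # account -> (failure count, time of last checked attempt)

    def attempt(self, account, verify):
        """Run verify() only if policy allows it.
        Returns 'ok', 'denied', 'too_soon' or 'locked'."""
        now = self.clock()
        failures, last = self.state.get(account, (0, None))
        if failures >= self.max_failures:
            return "locked"        # password is never checked while locked
        if last is not None and now - last < self.min_delay:
            return "too_soon"      # rejected unchecked, not counted as a failure
        if verify():
            self.state[account] = (0, now)
            return "ok"
        failures += 1
        self.state[account] = (failures, now)
        return "locked" if failures >= self.max_failures else "denied"

    def supervisor_reset(self, account):
        """The out-of-band step that clears a lockout."""
        self.state.pop(account, None)

def demo():
    """Constructed sequence: (seconds since previous attempt, guessed password)."""
    t = [0.0]
    throttle = LoginThrottle(clock=lambda: t[0])
    results = []
    for wait, guess in [(0, "a"), (1, "b"), (10, "c"), (10, "d"), (10, "hunter2")]:
        t[0] += wait
        results.append(throttle.attempt("alice", lambda g=guess: g == "hunter2"))
    return results

if __name__ == "__main__":
    print(demo())
```

After the third failure even the correct password is refused until `supervisor_reset` runs. A hard lockout also lets anyone lock a known account by failing three times, so the reset path needs its own protection.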
 

Gamingphreek

This is why the best security feature of anything that requires passwords is delays between retries as well as limits on the number of attempts.
Make the time between login attempts 10 seconds and the number of total attempts at 3 before a supervisor is involved and you stop all this password guessing stuff.

If you can manage to grab an image of the encrypted data involved though, you could potentially circumvent that sort of logon policy.

-GP
 

JeffCos

Never used either of those programs myself, but Elcomsoft password recovery & a 5770 GPU have amazed me with the speed at which it cracks.
 

Modelworks

If you can manage to grab an image of the encrypted data involved though, you could potentially circumvent that sort of logon policy.

-GP

If people have physical access to your data enough to copy it then you have bigger problems than passwords.
 

LiuKangBakinPie

Don't need a GPU to crack passwords you get in a dictionary.
Let them try and crack one like this
JbeN#jbq1

See you in a hundred years Tom

The toughest security techniques are always cracked on prehistoric hardware. RSA key anyone? They offered a reward. Some researchers hooked up a supercomputer with a script and got beaten by a Japanese guy with a Pentium 3.
 

Gamingphreek

Don't need a GPU to crack passwords you get in a dictionary.
Let them try and crack one like this
JbeN#jbq1

See you in a hundred years Tom

The toughest security techniques are always cracked on prehistoric hardware. RSA key anyone? They offered a reward. Some researchers hooked up a supercomputer with a script and got beaten by a Japanese guy with a Pentium 3.

Did you not read the article?

http://www.tomshardware.com/reviews/password-recovery-gpu,2945-6.html

Your password has 1 more character in it (9) than their 1-8 range, and their 1-8 range takes ~168 days. It wouldn't take *that* much longer for the 1 extra character.

Not only that, that is with 1x GPU working. Toss one of the Fermi-based computing platforms in there with 10s of GPUs and that number drops like a ton of bricks.

Now brute force using rainbow tables with the aforementioned process and watch the password disintegrate before your eyes.

-GP
 

LiuKangBakinPie

Did you not read the article?

http://www.tomshardware.com/reviews/password-recovery-gpu,2945-6.html

Your password has 1 more character in it (9) than their 1-8 range, and their 1-8 range takes ~168 days. It wouldn't take *that* much longer for the 1 extra character.

Not only that, that is with 1x GPU working. Toss one of the Fermi-based computing platforms in there with 10s of GPUs and that number drops like a ton of bricks.

Now brute force using rainbow tables with the aforementioned process and watch the password disintegrate before your eyes.

-GP

Again, a password in a dictionary is nothing to crack. Random characters, upper case, lower case, you're not going to crack it easily.
Long passwords like mynameisphil or names or any word in a dictionary will be easy to crack.

To try every possible combination of ASCII characters from a password length of 1 to 7 would take over 13 years.
 

FishAk

Random characters, upper case, lower case, you're not going to crack it easily.

You seem to be missing the main thrust of the article:

From the article:
When we slap two GeForce GTX 570s together and enable SLI, Zip 2.0 encryption starts to look like Play-Doh. Thanks to optimized code, we can push 1.5 billion passwords per second. This is a bit insane. Now we've cut the search time for a one- to eight-character password using all ASCII characters down to almost two months.

Mind you this is only running through the search space for the password, and doesn't include actually trying it.

If the password is salted, and hashed through a couple thousand iterations (such as the case with TrueCrypt), then the checking of each password is slowed down. This makes determining when the correct password has been found take considerably longer. How much longer? I don't know.

Also, the likelihood that the password is in the first half of the search space, is the same as in the last half. So generally, you could consider it likely you will find the password before searching to the end of the space. This makes the two month search- in practice- likely someplace between 15 and 45 days.

Note this is with ordinary off-the-shelf components that are easily affordable to many people, and not restricted to highly motivated and wealthy entities.

Personally, I use only a single space as my password. It's easy and fast to enter. Who in their right mind would start looking at the search space for a single character?
 

Gamingphreek

Again, a password in a dictionary is nothing to crack. Random characters, upper case, lower case, you're not going to crack it easily.
Long passwords like mynameisphil or names or any word in a dictionary will be easy to crack.

We all know that a dictionary attack is easy to crack, but once again you missed the point of the article.

*They are not using a dictionary attack* they are simply trying all combinations of passwords.

-Kevin
 

LiuKangBakinPie

You seem to be missing the main thrust of the article:



Mind you this is only running through the search space for the password, and doesn't include actually trying it.

If the password is salted, and hashed through a couple thousand iterations (such as the case with TrueCrypt), then the checking of each password is slowed down. This makes determining when the correct password has been found take considerably longer. How much longer? I don't know.

Also, the likelihood that the password is in the first half of the search space, is the same as in the last half. So generally, you could consider it likely you will find the password before searching to the end of the space. This makes the two month search- in practice- likely someplace between 15 and 45 days.

Note this is with ordinary off-the-shelf components that are easily affordable to many people, and not restricted to highly motivated and wealthy entities.

Personally, I use only a single space as my password. It's easy and fast to enter. Who in their right mind would start looking at the search space for a single character?

Please tell me what WinZip version did they use? Did I see WinZip 2.0 or are my eyes deceiving me?
With WinZip encryption, it is important to understand older versions of WinZip, pre-version 9, use its own proprietary encryption, which is simply broken. Essentially data archived with WinZip version 8 or below, using “WinZip Encryption” with passwords of any strength can very easily be recovered. WinZip version 9 and above has the option to use an industry strength and NIST approved encryption algorithm, namely AES (Advance Encryption Protocol). The application provides the choice of several strengths (bit length – the longer the stronger), AES-128, AES-192 and AES-256, you may as well pick the strongest bit level AES-256, although AES-128 is currently strong enough to do the job to industry best practice and standards.
http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-security.html
Again, nice try Uncle Tom. Testing WinZip versions that are flawed. You don't need 2 GPUs for that.
 

FishAk

I'll be the first to admit I don't know everything about encryption.

That said, it's my understanding that they aren't breaking the encryption per se, but instead, finding the password that was used to make the encryption key.

As covered in the article, the reason some encryption schemes are better than others is that the password is mixed with some other stuff, then hashed a bunch of times to make the encryption key. The more computations that must be made to get to the key from the password, the longer it will take to brute force the encryption.

The effect of this is quite varied. If the wrong password is entered in a website 3 times, the user can be locked out till verified some other way. This makes brute forcing impossible. However, if the attack can test passwords with unlimited speed or frequency, it is only limited by hardware involved, which gets better with time.
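
An added example, not part of any post in this thread: it puts numbers on the search space discussed above and shows a salted, iterated key derivation of the kind the post describes. It assumes 95 printable ASCII characters, takes the 1.5 billion guesses per second figure quoted from the article as the cost of one unstretched guess, and uses 2000 as a stand-in for "a couple thousand" iterations; PBKDF2-HMAC-SHA256 and the salts are choices made for the example.

```python
import hashlib

PRINTABLE_ASCII = 95   # printable ASCII characters, space included
RATE = 1.5e9           # guesses per second, the article figure quoted in this thread
ITERATIONS = 2000      # assumed value standing in for "a couple thousand"

def keyspace(alphabet_size, min_len, max_len):
    """Count the candidate passwords of min_len..max_len characters."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def exhaust_days(candidates, guesses_per_second, iterations=1):
    """Days to try every candidate when each guess costs `iterations` rounds.
    Assumes the quoted rate was measured at one round per guess."""
    return candidates * iterations / guesses_per_second / 86400

def derive_key(password, salt, iterations=ITERATIONS):
    """Salted, iterated key derivation: PBKDF2-HMAC-SHA256 from hashlib."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def report(max_lengths=(8, 9)):
    """Rows of (max length, days unstretched, days with ITERATIONS rounds)."""
    rows = []
    for max_len in max_lengths:
        n = keyspace(PRINTABLE_ASCII, 1, max_len)
        rows.append((max_len, exhaust_days(n, RATE), exhaust_days(n, RATE, ITERATIONS)))
    return rows

if __name__ == "__main__":
    for max_len, fast, slow in report():
        print(f"1-{max_len} chars: {fast:,.0f} days unstretched, {slow:,.0f} days stretched")
    # Constructed sample: one password under two salts gives unrelated keys,
    # so a table precomputed for one salt is useless against the other.
    k1 = derive_key("JbeN#jbq1", b"constructed-salt-A")
    k2 = derive_key("JbeN#jbq1", b"constructed-salt-B")
    print(k1.hex()[:16], k2.hex()[:16], k1 != k2)
```

Under these assumptions the full 1-8 character space takes about 52 days unstretched, each added character multiplies the time by about 95, and the iteration count multiplies it again.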
 

Gamingphreek

Please tell me what WinZip version did they use? Did I see WinZip 2.0 or are my eyes deceiving me?

http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-security.html
Again, nice try Uncle Tom. Testing WinZip versions that are flawed. You don't need 2 GPUs for that.

Seriously what in the world is your problem!? You keep assuming this air of superiority over everyone, but you consistently post shallow little tidbits.

First off, he tested Zip 2.0 encryption on WinZip 15.5.

Not only that, he also tested AES-128 and AES-256 to round out the test case scenario in which he proves that GPGPU computing can make even our best encryption begin to fall apart.

-GP