Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack?
Jon Honeyball writing for PC Pro has a sobering piece on how the modern GPU can be leveraged as a powerful tool against passwords once considered safe from bruteforce attack.
[...]The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.
Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.
It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.
When the only thing PCs did, was play games and run small business software, all was fine. As soon as someone suggested hooking them up to each other, by some means other than cassette tape. Even they could have carried a virus. But the likelihood is extremely small. Home PCs and even business main frames, were never designed NOT to share things they shouldn’t, with each other. For the longest time, it was a chore just to get them to work at sharing what they should. So naturally, making things harder, or next to impossible, to get at, by those who shouldn’t. Wasn’t even a remote consideration, for quite some time. And so it’s been a slow wake up call for everyone, just how vulnerable the whole thing is. And slow, because the emphasis hasn’t been on adapting safer communication practices. But on how easy and fun it is to put one’s whole live on the internet. Trust the Cloud with it all. The Cloud is good. Never mind that its security is the weakest that can be gotten away with.
“the cat sat on the mat and crapped” makes a good password, trillions of centuries to crack apparently
#40
Not an accurate accessment in my opinion. First, the issues here are not related to operating systems but to the hashing algorithms being used and the design of the Internet. I would agree that the Internet (IPv4 certainly) was not designed with security in mind. However, the issue here is that even if you do use the industry standard algorithms you could be vulnerable. The computing power via grid computing and the storage power are progressing faster than the mathematical algorithms. Unix and Windows have both evolved to the point where they can be configured to provide quite good security. The primary problem isn’t with the operating systems.
#21, I agree it doesn’t make any sense. Does TrueCrypt (or any authentication system) allow someone to try 3 billion password attempts in 1 second? Couldn’t TrueCrypt and other systems thwart these brute-strength attacks by simply gradually slowing down after each successively incorrect password?
#21
Couldn’t TrueCrypt and other systems thwart these brute-strength attacks by simply gradually slowing down after each successively incorrect password?
No because a hacker doesn’t need the TrueCrypt application to crack your data. In any attack, you assume the attacker has the cypher (your encrypted data) and the algorithm. Thus, if a hacker copies your TrueCrypt partition, they can write a routine that will go through billions of combinations to crack it without ever launching TrueCrypt.
The bigger issue, is that with enough machines cranking, all the hash values can be computed and stored in a database in a fixed amount of time. Once that is done, then a simple database query returns the text for the hash, and you have constant time password lookup.
Once the hash is exposed, nothing is safe, no matter what the algorithm for computing the hash is.