
Re: [LUG] How a cheap graphics card could crack your password in under a second...!

On 02/06/11 17:39, Martijn Grooten wrote:
> On Thu, Jun 2, 2011 at 1:29 PM, Roland Tarver wrote:
>> Just saw this http://url.drogon.net/z and this http://url.drogon.net/00.
> 
> They're making it sound a lot worse than it is. The passwords that can
> be cracked in "under a second" are five characters and consist only of
> letters (upper- and lower-case) and numbers. A seven character
> password with the same restrictions already takes them 17 minutes,
> while a five character password which also contains symbols (&, .,
> space etc.) takes them 7 hours.

It could do with more background to improve clarity.

It describes it as an NTLM password, but NTLM itself is now defunct (the
protocol's cryptographic security also took some major blows in 2010, so
no one is going back there); it was disabled by default in Windows Vista
but advised against for a long while where admins have the choice.

I believe that if it is all modern Windows versions then the hashes are
protected, so your system admin can try and find your passwords this way.

However it is hardly surprising that 5 character passwords can be brute
forced quickly; we've seen brute force attacks on 40 bit encryption
technologies. Even if you allow all 7 bit ASCII in a password, 5
characters is only 35 bits; with only upper and lower-case letters and
numbers you have 62 characters, so 6 bits per character, so a 5 character
password has 30 bits only.

We've already abandoned 56 bit encryption technologies because of the
march of brute force, so having a password with less information than
that is clearly futile.

Using only upper & lower-case letters and numbers to attain 56 bits
means you want 10 characters or more.

Browsers universally use 128 bit encryption for SSL; to match that level
of security you'd want a 22 character password using upper and lower
case letters and numbers.

The practical upshot is to firewall off the networks using Windows networking.



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
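The entropy and brute-force arithmetic in the reply above, worked through as an added example (this is not code from the thread or from the linked articles). It computes bits per character and keyspace for a few alphabets, the shortest length that reaches a target such as 56 or 128 bits, and the worst-case crack time at an assumed guess rate. The alphabet sizes other than 62 and 128 are assumptions for illustration, and the guess rate used in the demo is simply whatever exhausting 7 alphanumeric characters in the quoted 17 minutes implies, not a measured figure.

```python
import math

# Alphabet sizes used below. The post only mentions the 62-character
# letters+digits set and "all 7-bit ASCII"; the others are assumed here.
ALPHABETS = {
    "digits": 10,
    "alnum": 62,             # a-z, A-Z, 0-9
    "printable_ascii": 95,   # letters, digits, symbols and space
    "ascii7": 128,           # every 7-bit code point, the post's upper bound
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Information content of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length whose uniform keyspace reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def crack_seconds(alphabet_size: int, length: int, guesses_per_second: float,
                  exhaustive: bool = True) -> float:
    """Time to brute-force one password of exactly this length and alphabet.

    exhaustive=True is the worst case (the whole keyspace is tried);
    False is the expected case, which on average succeeds halfway through.
    """
    work = keyspace(alphabet_size, length)
    if not exhaustive:
        work /= 2
    return work / guesses_per_second


def implied_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Guess rate needed to exhaust a keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def crack_table(alphabet_size: int, guesses_per_second: float,
                lengths=range(5, 13)) -> dict:
    """Map password length -> worst-case crack time in seconds."""
    return {n: crack_seconds(alphabet_size, n, guesses_per_second)
            for n in lengths}


def human(seconds: float) -> str:
    """Render a duration using the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    # Assumed attacker speed: whatever exhausting 7 alphanumeric characters
    # in the quoted 17 minutes implies. Not a measured GPU figure.
    rate = implied_rate(ALPHABETS["alnum"], 7, 17 * 60)
    print(f"implied rate: {rate:.3g} guesses/s")
    for name, size in ALPHABETS.items():
        print(f"{name:16s} {math.log2(size):.2f} bits/char; "
              f"56 bits needs {min_length_for_bits(size, 56)} chars, "
              f"128 bits needs {min_length_for_bits(size, 128)} chars")
    for n, secs in crack_table(ALPHABETS["alnum"], rate).items():
        print(f"alnum length {n:2d}: {human(secs)}")
```

Running it reproduces the reply's figures: 62 characters is about 5.95 bits each, so 5 characters is roughly 30 bits, 56 bits needs 10 and 128 bits needs 22. Note the whole calculation assumes passwords chosen uniformly at random; a human-chosen password of the same length has far less entropy, so these are upper bounds on attacker effort, not estimates of it.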