Cheap GPUs are rendering strong passwords useless?
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11081
Location: Arizona USA

PostPosted: Wed 01 Jun 2011, 23:44    Post subject:  Cheap GPUs are rendering strong passwords useless?
Subject description: Maybe not.
 

http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125?tag=nl.e589
I would have said, "ARE cheap GPUs rendering strong passwords useless?" And the answer, I think, is no.

Quote:
Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called ‘ighashgpu’ and you have yourself a lean, mean password busting machine. How lean and mean? Very:

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.


So what? Unless I missed something, there's no way for a password-guessing algorithm to know it guessed right except to try the password on whatever access-control mechanism it is trying to break. If the mechanism limits password trials to no more than one per second, say, then that pretty much ought to take care of the problem. Again, I might be unaware of some development in password-cracking that allows trying passwords out outside the access-control mechanism. I can't even imagine how that would be possible without the cracking algorithm already knowing the password.

Last edited by Flash on Sun 05 Jun 2011, 11:36; edited 1 time in total
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Thu 02 Jun 2011, 00:03    Post subject:  

I forgot my password on a yahoo email account.

I had no access to these machines, but while I tried out different passwords manually I noticed they did not like that one failed at it three times in a row. They started to give me captchas and such, or asking what middle name my Mom had or what town my Dad was born in or something.

To allow me to guess the next password.

At other places they had three failures and you're locked out of trying for 15 minutes, so the GPU would need to be at it for a long, long time if it has to wait 15 minutes or solve the captchas now and then.

Yes, I did get in. It took me some two months to remember the password. Very poor brain, I say. I wrote it down but have no idea where, so it is gone again for good, I guess.

_________________
I use Google Search on Puppy Forum
not an ideal solution though
Bruce B


Joined: 18 May 2005
Posts: 11109
Location: The Peoples Republic of California

PostPosted: Thu 02 Jun 2011, 08:55    Post subject:  

Here is a cute quote from the page Flash linked us to.

    It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.


Swell, then use an 11 character mixed case random password and change it frequently.

Or how about a more appropriate 16 byte password?

~

_________________
New! Puppy Linux Links Page
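
The article's figures can be checked by dividing the number of candidate passwords by the guess rate. This is an added example, not code from the thread or the article. It assumes a 62-symbol alphabet (upper case, lower case, digits) searched exhaustively, which is the assumption that reproduces the quoted 17 minutes, 48 days and 43 years; the function names, the 95-symbol printable set and the Diceware row are also assumptions of the example.

```python
import math

CPU_RATE = 9.8e6      # guesses per second quoted for the CPU
GPU_RATE = 3.3e9      # guesses per second quoted for the GPU
ALNUM = 62            # assumption: a-z, A-Z, 0-9
PRINTABLE = 95        # assumption: printable ASCII including space
DICEWARE = 7776       # words in a Diceware list (6**5 dice rolls)
YEAR = 365.25 * 86400 # seconds per year


def worst_case_seconds(symbols, length, rate):
    """Time to try every candidate made of exactly `length` symbols."""
    return symbols ** length / rate


def entropy_bits(symbols, length):
    """Entropy of a uniformly random choice of `length` symbols."""
    return length * math.log2(symbols)


def min_length(symbols, rate, target_seconds):
    """Shortest length whose full search lasts at least target_seconds."""
    length = 1
    while worst_case_seconds(symbols, length, rate) < target_seconds:
        length += 1
    return length


def report(rate=GPU_RATE):
    """(label, entropy in bits, worst-case years) for the thread's proposals."""
    cases = [
        ("7 chars, alphanumeric", ALNUM, 7),
        ("9 chars, alphanumeric", ALNUM, 9),
        ("11 chars, alphanumeric", ALNUM, 11),
        ("16 chars, printable ASCII", PRINTABLE, 16),
        ("6 Diceware words", DICEWARE, 6),
    ]
    return [
        (label, round(entropy_bits(s, n), 1), worst_case_seconds(s, n, rate) / YEAR)
        for label, s, n in cases
    ]


if __name__ == "__main__":
    for label, bits, years in report():
        print(f"{label:28s} {bits:6.1f} bits  {years:.3g} years at the GPU rate")
    print("min alphanumeric length for 100 GPU-years:",
          min_length(ALNUM, GPU_RATE, 100 * YEAR))
```

These numbers hold only for passwords chosen uniformly at random and for a fast hash tested at the quoted rate. A natural-language sentence has less entropy than its character count suggests, so character-count arithmetic overstates its strength.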
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11081
Location: Arizona USA

PostPosted: Thu 02 Jun 2011, 22:52    Post subject:  

I should have read a few of the comments. Turns out that the way a password program works, it stores the encrypted password in a "hash" file which can be accessed by, e.g., a Puppy CD (assuming the drive is not encrypted.) Once you have the password "hash" and the algorithm which generates the hash, you can simply keep trying passwords until you get the one which generated the hash. So the real problem is access control to the stored hash file.

Still, there's hope:
Quote:
passwords are so yesterday, use pass-sentences instead
Why work so hard to remember and enter such complex password when you can use pass-sentences? Yes people, you can put space in your password. A simple, easy-to-remember, easy-to-type but also impossible-to-crack pass-sentence like "I love the Miami Heat!" is 22 characters long with space characters (space) and symbol (!) and I am sure you can come up with your favorite sentence with numbers in it too.
SonofChef

Even if you know the password hash, it would take an awfully long time to crack a 22-character sentence.
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Fri 03 Jun 2011, 03:19    Post subject:  

Quote:
"I love the Miami Heat!" is 22 characters long with space characters (space)

Has he tested that the space character is allowed in a password?

_________________
I use Google Search on Puppy Forum
not an ideal solution though
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11081
Location: Arizona USA

PostPosted: Fri 03 Jun 2011, 08:04    Post subject:  

If it isn't, just leave it out. The point is, a sentence is easier to remember than a truly random sequence. I hadn't thought of that.
abushcrafter


Joined: 30 Oct 2009
Posts: 1447
Location: England

PostPosted: Fri 03 Jun 2011, 08:24    Post subject:  

nooby wrote:
Quote:
"I love the Miami Heat!" is 22 characters long with space characters (space)

Has he tested that the space character is allowed in a password?

I read an article on "pass-sentences". One of the things it said is that if you can't use spaces then what you're using is rubbish!

[Edit]Here it is http://www.baekdal.com/tips/password-security-usability. Unfortunately it has the usual "hack" mistake. Replace "hack" with "crack".

“hack, hacker, hacking, hacked, etc” does not mean nasty evil stuff. Cracker is the word you want. See:
http://www.catb.org/~esr/faqs/hacker-howto.html#what_is
http://www.gnu.org/philosophy/words-to-avoid.html#Hacker
http://www.wired.com/threatlevel/2010/05/hackers-wante/

_________________
adobe flash is rubbish!
My Quote:"Humans are stupid, though some are clever but stupid." http://www.dependent.de/media/audio/mp3/System_Syn_Heres_to_You.zip http://www.systemsyn.com/
DPUP5520

Joined: 16 Feb 2011
Posts: 801

PostPosted: Fri 03 Jun 2011, 08:42    Post subject:  

Eh, my reply didn't post so I'll try again.

OK, for my 2 cents:
People have been using GPU-enhanced methods to crack md5/wpa/ntlm and others for years now; it's nothing new. Now, what he didn't mention is "salted" hashes, i.e. WPA-encrypted password hashes where the salt (network name) is stored in the password hash, making it take longer to crack unless you create a specific password list using that salt (which would also take forever) to make the "cracking" go faster. Either way it would still take years and years (like a couple hundred) to crack a simple 9-digit alphanumeric-special_character password unless you had a good idea what the password might be or what's in it. And as pointed out numerous times on this forum, it's too easy to wipe a user password on a Windows machine, which leaves us with encrypted files, which, depending on the program used to encrypt them, a lot can also be easily cracked (TrueCrypt was proved to be vastly unreliable for encrypting single files and folders a few years back, no matter how long the password).

Edit: @abushcrafter Yes, thank you for pointing that out. Not all people that use these methods are evil or bad people, and a lot of people do not realize that calling people that do evil things to people's computers/networks hackers gives the real hacking/programming community a bad rep; most crackers are script kiddies anyway.

_________________
PupRescue 2.5
Puppy Crypt 528
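
How a salt changes the stored value, as an added example that is not part of the original posts. NTLM hashes carry no salt, while WPA2-PSK derives its key with PBKDF2-HMAC-SHA1 using the network name as salt and 4096 iterations. The `store`/`verify` helpers, the sample passphrase and network names are constructed, and SHA-256 stands in for a fast unsalted hash.

```python
import hashlib
import hmac
import os


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def fast_unsalted(password: str) -> str:
    """Stand-in for a fast unsalted hash (SHA-256 here, an assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


def store(password: str, iterations: int = 100_000) -> dict:
    """Record to keep in the hash file: random salt, work factor, derived digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    passphrase = "example passphrase"  # constructed sample value
    alice, bob = store(passphrase), store(passphrase)
    return {
        # Unsalted: two users with the same password share one hash, so one
        # precomputed list covers every account.
        "unsalted_collide": fast_unsalted(passphrase) == fast_unsalted(passphrase),
        # Salted: the same password yields unrelated records per user.
        "salted_differ": alice["digest"] != bob["digest"],
        # WPA2: the same passphrase on two networks yields different keys, so
        # a list precomputed for one SSID does not apply to another.
        "wpa2_differ": wpa2_pmk(passphrase, "HomeNet") != wpa2_pmk(passphrase, "CafeNet"),
        "verify_ok": verify(passphrase, alice),
        "verify_wrong": verify("wrong guess", alice),
    }


if __name__ == "__main__":
    print(demo())
```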
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11081
Location: Arizona USA

PostPosted: Fri 03 Jun 2011, 09:45    Post subject:  

abushcrafter wrote:
I read an article on "pass-sentences". One of the things it said is that if you can't use spaces then what you're using is rubbish!

[Edit]Here it is http://www.baekdal.com/tips/password-security-usability...

Where does it say that? Confused

It seems to me that, even if you had to leave out the spaces, a sentence composed of several words would be better for resisting a dictionary attack than would a single word the same length. And of course easier to memorize.
DPUP5520

Joined: 16 Feb 2011
Posts: 801

PostPosted: Fri 03 Jun 2011, 10:25    Post subject:  

Flash wrote:
It seems to me that, even if you had to leave out the spaces, a sentence composed of several words would be better for resisting a dictionary attack than would a single word the same length. And of course easier to memorize.


You are quite right, Flash; however, it depends on the program whether or not it will let you use spaces in the password hash; it's not a limitation of any generic hash. On the other hand, you are also right that a passphrase is more resistant to a dictionary attack than a random word or combination of letters/numbers/special characters IF it is a phrase that means nothing to you; otherwise social engineering comes into the picture and programs like *** can be used to create custom dictionary attacks geared towards you.

_________________
PupRescue 2.5
Puppy Crypt 528
Bruce B


Joined: 18 May 2005
Posts: 11109
Location: The Peoples Republic of California

PostPosted: Fri 03 Jun 2011, 14:07    Post subject:  

Subject related link Sony Hacked again

~

_________________
New! Puppy Linux Links Page
PaulBx1

Joined: 16 Jun 2006
Posts: 2308
Location: Wyoming, USA

PostPosted: Sat 04 Jun 2011, 13:35    Post subject:  

The problem with passphrases is that they are long to type in, but that is just really an annoyance if you think about it. It's not as if you spend a significant portion of your day typing passphrases.

Diceware.com has a nice method that I use, although I don't restrict myself to their number of words. Gets rid of the social engineering attack, and isn't that much harder to memorize either.

Quote:
Swell, then use an 11 character mixed case random password and change it frequently.

The problem with frequent changes of passwords is that it completely ignores human limitations. We are not computers. Laughing

Quote:
assuming the drive is not encrypted

That is a problem. There should be no way the attacker can access the password hash file. If he can, that seems like a security leak to me. I don't see why encrypting entire drives is not the default or at least an easy option to enable, but I guess we are getting there, slowly. I wish we could get away from using cryptoloop for pupsaves though.
Luluc


Joined: 16 Mar 2011
Posts: 200

PostPosted: Sat 04 Jun 2011, 17:24    Post subject:  

I have a good password recipe: free association of words to build up a long and completely unpredictable word. Two examples:

1) Today is Saturday. Saturday is Sabbath. I think that both Saturday and Sabbath are commonly associated with the number 7. Sabbath ends in "bath" which also reminds me of Bash, the Bourne Again Shell. Using free association I can come up with this, among endless other possibilities,

2 wash my 7 consoles with soap on Jewish holiday

Replace "soap" with some soap brand name if it sounds better. Add punctuations or more numbers, or something.


2) Puppy Linux: dog, penguin, cats, computer, machine

The dog in the cog wheel quacks like a p3ingu1n

It's always good to add numbers, so I replace "penguin" with "p3ngu1n".

Mixed case also makes the password more secure, but you should probably just capitalize words, it's easier to remember them that way.

2 Wash My Console, 7 Soaps On Jewish Holiday!!!

The Dog In The Cog Wheel, Yes, It Quacks Like A P3ingu1n

If spaces are not allowed, just don't use them. Loss of one character is no big deal.

2WashMyConsole,7SoapsOnJewishHoliday!!!
TheDogInTheCogWheel,Yes,ItQuacksLikeAP3ingu1n

Good luck, GPU.
shariebeth

Joined: 26 Jan 2010
Posts: 271
Location: Florida

PostPosted: Sun 05 Jun 2011, 08:23    Post subject:  

Excellent articles and tips about passwords.
Thank you Flash for bringing this to attention. I know too many people who think they have "safe" passwords that apparently aren't. Not even counting the people I know who pick things like "abc123" and the like. Ugh.
I picked up some good ideas myself from this. I have a notebook with all the passwords written down, as until now the only way I thought I could have a safe password was some long bizarre combination that was totally impossible to remember. I'll definitely be passing this info on to everyone I know.
Thanks!
d4p


Joined: 12 Mar 2007
Posts: 407

PostPosted: Mon 06 Jun 2011, 12:43    Post subject:  

Maybe a coincidence?

http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/