Cheap GPUs are rendering strong passwords useless?

[Flash]

http://www.zdnet.com/blog/hardware/chea ... ag=nl.e589
I would have said, "ARE cheap GPUs rendering strong passwords useless?" And the answer, I think, is no.

[quote]Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called ’ighashgpu‘ and you have yourself a lean, mean password busting machine. How lean and mean? Very:

The results are startling. Working against NTLM login passwords, a password of “fjR8n

[nooby]

I forgot my password on a yahoo email account.

I had no access to these machines but while I tried out different passwords manually I noticed them did not like that one failed at it three times in a row. They started to give me chaptas and such or asking what middle name my Mom had or what town my Dad was born or something.

To allow me to guess next password.

Other places them had a three failures and you're locked out of trying for 15 minutes so the gpu need to be at it for a long long time if it has to wait 15 minutes or to solve the chaptas now and then.

yes I did come in. it took me some two months to remember the password. Very poor brain I say. I wrote it down but have no idea where so it is gone again for good I guess.

[Bruce B]

Here is a cute quote from the page Flash linked us to.

• It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

Swell, then use an 11 character mixed case random password and change it frequently.

Or how about a more appropriate 16 byte password?

~

[Flash]

I should have read a few of the comments. Turns out that the way a password program works, it stores the encrypted password in a "hash" file which can be accessed by, e.g., a Puppy CD (assuming the drive is not encrypted.) Once you have the password "hash" and the algorithm which generates the hash, you can simply keep trying passwords until you get the one which generated the hash. So the real problem is access control to the stored hash file.

Still, there's hope:

passwords are so yesterday, use pass-sentences instead
Why work so hard to remember and enter such complex password when you can use pass-sentences? Yes people, you can put space in your password. A simple, easy-to-remember, easy-to-type but also impossible-to-crack pass-sentence like "I love the Miami Heat!" is 22 characters long with space characters (space) and symbol (!) and I am sure you can come up with your favorite sentence with numbers in it too.
ZDNet Gravatar
SonofChef

Even if you know the password hash, it would take an awfully long time to crack a 22-character sentence.

[nooby]

quote
"I love the Miami Heat!" is 22 characters long with space characters (space) /quote

Has he tested that the space character is allowed in a password?

[Flash]

If it isn't, just leave it out. The point is, a sentence is easier to remember than a truly random sequence. I hadn't thought of that.

[abushcrafter]

quote
"I love the Miami Heat!" is 22 characters long with space characters (space) /quote

Has he tested that the space character is allowed in a password?

I read an article on "pass-sentences". One of the things it said is it you can't use spaces then what you using is rubbish!

[Edit]Here it is http://www.baekdal.com/tips/password-security-usability. Unfortunately it has the usual "hack" mistake. Replace "hack" with "crack".

“hack, hacker, hacking, hacked, etc

[DPUP5520]

eh, my reply didn't post so i'll try again

Ok for my 2 cents:
People have been using GPU enhanced methods to crack md5/wpa/ntlm and others for years now , its nothing new. now what he didn't metion is "salted" hashes ie wpa encryted password hashes where the salt (network name) is stored in the password hash making it take longer to crack unless you create a specific password list using that salt (which would also take forever) to make the "cracking" go faster, either way it would still take years and years (like a couple hundred) to crack a simple 9 digit alphanumeric-special_character password unless you had a good idea what the password might be or whats in it. And as pointed out numerous times on this forum it's too easy to wipe a user password on a windows machine, which leaves us with encrypted files which depending on the program used to encrypt them alot can also be easily crack(truecrypt was proved to be vastly unreliable for encrypting single files and folders a few years back no matter how long the password).

Edit: @abushcrafter Yes thank you for pointing that out not all people that use these methods are evil or bad people and alot of people do not realize that calling people that do evil things to people's computers/networks hackers gives the real hacking/programming community a bad rep, most crackers are script kiddies anyway.

[Flash]

I read an article on "pass-sentences". One of the things it said is it you can't use spaces then what you using is rubbish!

[Edit]Here it is http://www.baekdal.com/tips/password-security-usability...

Where does it say that?

It seems to me that, even if you had to leave out the spaces, a sentence composed of several words would be better for resisting a dictionary attack than would a single word the same length. And of course easier to memorize.

[DPUP5520]

It seems to me that, even if you had to leave out the spaces, a sentence composed of several words would be better for resisting a dictionary attack than would a single word the same length. And of course easier to memorize.

You are quite right Flash, however it depends on the program whether or not it will let u use spaces in the password hash it's not a limitation of any generic hash. On the other hand you are also right that a passphrase is more resistant to a dictionary attack than a random word or combination of letters/numbers/special characters IF it is a phrase that means nothing to you, otherwise social engineering comes into the picture and programs like *** can be used to create custom dictonary attacks geared towards you.

[Bruce B]

Subject related link Sony Hacked again

~

[PaulBx1]

The problem with passphrases is that they are long to type in, but that is just really an annoyance if you think about it. It's not as if you spend a significant portion of your day typing passphrases.

Diceware.com has a nice method that I use, although I don't restrict myself to their number of words. Gets rid of the social engineering attack, and isn't that much harder to memorize either.

Swell, then use an 11 character mixed case random password and change it frequently.

The problem with frequent changes of passwords is that it completely ignores human limitations. We are not computers.

assuming the drive is not encrypted

That is a problem. There should be no way the attacker can access the password hash file. If he can, that seems like a security leak to me. I don't see why encrypting entire drives is not the default or at least an easy option to enable, but I guess we are getting there, slowly. I wish we could get away from using cryptoloop for pupsaves though.

[Luluc]

I have a good password recipe: free association of words to build up a long and completely unpredictable word. Two examples:

1) Today is Saturday. Saturday is Sabbath. I think that both Saturday and Sabbath are commonly associated with the number 7. Sabbath ends in "bath" which also reminds me of Bash, the Bourne Again Shell. Using free association I can come up with this, among endless other possibilities,

2 wash my 7 consoles with soap on Jewish holiday

Replace "soap" with some soap brand name if it sounds better. Add punctuations or more numbers, or something.


2) Puppy Linux: dog, penguin, cats, computer, machine

The dog in the cog wheel quacks like a p3ingu1n

It's always good to add numbers, so I replace "penguin" with "p3ngu1n".

Mixed case also makes the password more secure, but you should probably just capitalize words, it's easier to remember them that way.

2 Wash My Console, 7 Soaps On Jewish Holiday!!!

The Dog In The Cog Wheel, Yes, It Quacks Like A P3ingu1n

If spaces are not allowed, just don't use them. Loss of one character is no big deal.

2WashMyConsole,7SoapsOnJewishHoliday!!!
TheDogInTheCogWheel,Yes,ItQuacksLikeAP3ingu1n

Good luck, GPU.

[shariebeth]

Excellent articles and tips about passwords.
Thank you Flash for bringing this to attention. I know too many people who think they have "safe" passwords that apparently aren't. Not even counting the people I know who pick things like "abc123" and the like. Ugh.
I picked up some good ideas myself from this. I have a notebook with all the passwords written down, as until now the only way I thought I could have a safe password was some long bizarre combination that was totally impossible to remember. I'll definitely be passing this info on to everyone I know.
Thanks!

[d4p]

maybe coincident?

http://news.techworld.com/security/3228 ... truecrypt/

[DPUP5520]

Yes I remember that article, I read it a few months back, however there are two points there.

1. Truecrypt was not the only encryption program used to encrypt the drives
2. The ENTIRE drive/system was encrypted

Those drives if I remember correctly were encrypted using 6.3 though I can't remember what the other program used was.

[Swaphead]

I've read this thread with lots of interest (but not much understanding
)

I'm confused by the terms "password hash" and "password hash file".

Are we talking about a cracker gaining access to a file (or one item in a file) on (say) a Bank's website? Is that negligence on the bank's part?
Or is this standard practice because the information is encrypted?

Or are we talking about a cracker gaining access to (say) my machine?
I got lost when we started talking about Puppy and hard-drive encryption.
(I was probably lost already!)

[Flash]

Swaphead, here's how I understand it:

The passwords are encrypted by a program which I'll call a hash algorithm because the encrypted password is called a hash and I don't know why. For some reason, probably convenience, the encrypted (hashed) passwords are stored in a file outside the main data base, the password hash file. The main data base may or may not be encrypted. (It seems to me that if it is encrypted, the encrypted passwords ought to be stored within it in such a way that they are not seen as a separate file.) And yes, you are right; it is negligence to allow access to the password hash file. Once a cracker has that file and the hash algorithm, he can run stuff through the hash algorithm until he hits on something that matches an entry in the stolen file. That's a password, which he can then use to gain access to that account in the main data base.

[Swaphead]

Swaphead, here's how I understand it:

The passwords are encrypted by a program which I'll call a hash algorithm because the encrypted password is called a hash and I don't know why. For some reason, probably convenience, the encrypted (hashed) passwords are stored in a file outside the main data base, the password hash file. The main data base may or may not be encrypted. (It seems to me that if it is encrypted, the encrypted passwords ought to be stored within it in such a way that they are not seen as a separate file.) And yes, you are right; it is negligence to allow access to the password hash file. Once a cracker has that file and the hash algorithm, he can run stuff through the hash algorithm until he hits on something that matches an entry in the stolen file. That's a password, which he can then use to gain access to that account in the main data base.

Thanks, Flash

I see what was confusing me most -
it's the hacker's knowledge of / or access to/ the hash algorithm.
I am no mathematician, but it seems to imply that sites are using a very limited number of widely known algorithms, or else
they are making the hash algorithm as easily available as the hash file.

[Mechanic_Kharkov]

And as pointed out numerous times on this forum it's too easy to wipe a user password on a windows machine, which leaves us with encrypted files which depending on the program used to encrypt them alot can also be easily crack(truecrypt was proved to be vastly unreliable for encrypting single files and folders a few years back no matter how long the password).

Please, show some link to such prove. I use TrueCrypt and it's important to me! But I typically use it to encrypt partitions, handle encrypted file containers, not for single file / folder. And anyway it's very interesting to know it prior that anybody else can get the ICE broken.

If You mean discovery of Bruce Schneier that affects TC's "Plausible Deniability" mechanism only, that is not critical and really is not an issue of TrueCrypt Itself, but disk writing programs, saving data in unencrypted locations.
And how lame are FBI hackers in this case?

And what about GPUs - bravo! Respect to I. Golubev!
How they (GPU developers) could know what their devices would be used for... Really much faster.