Harden Up: Can We Break Your Password With Our GPUs?

Page 2 - Seeking answers? Join the Tom's Hardware community: where nearly two million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar
Status
Not open for further replies.
Just for comparison: the 7z format supports encryption with AES-256 and uses 524288 SHA-256 transformations to generate a key. In practice it's safer than rar.
 
[citation][nom]rpmrush[/nom]This reminds me of Bitcoin GPU crunching. 6990s are favored right now. I wonder how many were sold specifically to Bitcoin miners? I tried it with my dual 6850s but the heat was rediculous. I didn't like the stress on my hardware so I gave up mining. I'm sure it's the same with password software. Maxing out your GPUs. Great for Winter, not Summer![/citation]
you can use all that power to do some folding 😉
 
[citation][nom]srgess[/nom]Im surprise they haven't tested Elcom solution, they are faster for recovery password with any competition with some process. You can put make a network resource. So lets say you have a lots of money and put 10-20 4 SLI GTX 590 computer or Tesla computer available resource to get a super computer , password cracking will pass from days to second. Imagine Top supercomputer in the world and its just a beginning. Soon we gonna have to have password with 20 + alpha numeric and special character. Or data crash after 10 attempt.[/citation]
ok here is even a easier way to secure your data...have two separate machines, one to save your stuff which never get connected to the web, and the other is the one that you use every day and connected to the web, just don't save any sensitive data on it....problem fixed....and very cheap
 


Elcomsoft was one of the first people we turned to. Unfortunately, the distributed version of their cracking program doesn't support archive encryption.
 



EC2 has not been ignored, it's just not practical. Read my forum post.

http://www.tomshardware.com/forum/2945-56-harden-break-password-gpus#t66039

As for tables, please look more in depth. The article provides speed and time tables for Zip 2.0, AES-128, and AES-256 brute-force cracking.
 
Yes, but if you have a keylogger installed, you're password's strength is irrelevant. And who uses encrypted archives anyway ? If we want to keep secret stuff away from others, we create secret encrypted partitions, a-la truecrypt.
 
So how properly would this work with other languages? Me being Dutch it would probably only work if my passwords consisted of numbers only.
 


As an update to a previous post: it looks like WinZip and WinRAR both support unicode passwords, and AccentZip/AccentRAR support multiple languages for password cracking.

Though, I'm not sure if Dutch is one of them. You have the same 26 letter alphabet, but strength increases if you include tremas and other written inflections (i.e. ruïne, bèta). (provided you use them)
 
That's how it's mostly done.
The issue here is that the "recovery" software doesn't utilise the "decryption program" at all, but does all the crunching on its own on the side.
As you can see at the top of page 8 the typical "log in" process is to type a password which gets hashed and the program check to see if the hashed value is equal to the "key".
For "recovery" the hash process is well known, and the key is retrieved from the meta data of the archive. The recovery program then (internally) just generate a "password", run it through the hash and compare the result to the key. Once it find a password that generate the correct key the process is finished and the password is displayed to the user.

Here the security lies in the safe storage of the resulting hash sum combined with the allowable number of attempts.
As long as a would be hacker don't know the hash sum (s)he can't test more than three numbers before being locked out.

 
Two comments:
First, this seems to apply to a special case where testing the validity of the generated key can be done by decrypting the data. How would it apply to login passwords or the full-disk encryption mentioned in the article?

Second, if the biggest way to slow the effort is the number of hash steps in the key-generation algorithm, rainbow tables scare me more than they did before.
 
Toms, passwords don't get hacked through brute force. Usually what they do is generate rainbow tables (takes a good few months to generate a 4GB rainbow table for upto 8 passwords), and these passwords can be hacked in a matter of minutes!

For reference, I could hack a 6 digit password within 20 minutes on a pentium 2, 233Mhz, using rainbow tables!
 
not to mention what I can do when they are actually loaded on an SSD, ran from a corei processor, with GPGU acceleration.
Theoretically I could crack any 12 digit passwords within a week!
 
ProDigit10, rainbow tables only work on unsalted passwords. These were used by microsoft for 'lan' style passwords. IIRC, vista and win7 don't use these. And if you use a 14 character password or longer, even windows xp disables the lan encryption.

Your rainbow tables are effectively useless against aes-128, aes-256, and even des. They simply precompute password hashes, and generating the tables takes quite a long time.

Using rainbow tables has nothing to do with gpu acceleration.
 
[citation][nom]jeff77789[/nom]"While it would take a longer time to find a password made up of nine or 10 passwords, it's definitely doable between a few gaming buddies. "9 or 10 characters?[/citation]

No. Since you indicating what you think to be a grammatical error...
The article is correct. Once you reach the number 10 (not ten), then you move to digital.

Example:
http://www.ehow.com/how_5083296_write-numbers-using-apa-guidelines.html
 
[citation][nom]tomdpham[/nom]With 300,000 possible words, there are 90 billion two-word combinations. Imagine if you use a sentence![/citation]


Yes but that's the same as having an alphabet with 300k letters and a password with only two characters. It's not the length of the password that matters, it's password strength. That's why it's easy to defeat a dictionary-based password. A word is essentially treated as a letter. "PasswordPasswordPassword" takes the same amount of time to check as "123". It's not the checking that's slow, it's the SHA-1 transformations.

For example, "tobeornottobe" is made up of 6 words. The SHA-1 transformations (for WinZip AES-256) take the same amount of time to generate a decryption key made up of 6 letters such as "123456." Each entry in the master dictionary ("to" "be" "or" "not" "to" "be") that you're checking passwords from is a static variable. So when you're dealing with words, the computer treats them the same as letters.
 
Keeper Password and Data Vault manages your passwords and built a password generator to for increased encryption security. By creating longer and more complex passwords, the encryption becomes exponentially stronger.

http://www.callpod.com/software
http://blog.callpod.com/
 
someone send a copy of this article to Sony, I hear they dont understand the principles of encrypting data
 
At my company we're required to change our passwords every 3 months, they have to have lower upper number and special characters and a length of 8+ characters. I have passwords for 10 machines that are required to all be different. I'm not allowed to reuse passwords when I update them. I've been at my company for a couple of years now so I've already used ~80 or so different passwords. There is no possible way for me to remember all of these, so I'm stuck with just having the current ones listed on a post-it note beside my machine.

Basically, I'm just saying that increased password security just means that people will have to come up with a way of remembering their passwords.
 
Status
Not open for further replies.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom