Can We Break Your Password With Our GPUs?

http://www.tomshardware.com/reviews/password-recovery-gpu,2945.html

AES is running out of time

 

This article is purely about brute force password guessing using GPUs. Nothing new.
Interestingly, the article discusses passwords up to 12 characters so of course, if you have a room full of computers with fast GPUs you can brute force a 12 character password in months or possibly weeks.

AES is still as secure as ever. Never use a password less than 16 characters and use 20+ character passwords when possible. A 20 character random password will not be brute forced in your lifetime.

 

Thanks for the link. Interesting read. I wonder how soon this might become common? For true hackers, it's going on now. But they are limited in numbers. Which bides some time for the masses. But that will change...

 

The thing about the article is not the encryption used or length of passwords but what parallel computing brings to the table. Programs able to make use of 2 gpu setups. What about 3 or 4? The number of passwords crunch per second is getting bigger and its a huge amount comparing to 2 or 3 years ago. Well there is a hole in 256 AES which reduces the time for brute forcing even more. 128 AES is safer than 256. But the question is why are we relying so long on a 7 year old encryption technique? they are waiting for someone to crack it or for it to become in hardware range which is really awefull.

 

Let them try breaking my 28 character triple encryption (Serpent-Twofish-AES) volume. Not that they'll find me and gain access in the first place.

 

What the hell are you hiding? lol

I don't bother encrypting anything -- nothing to hide.

 

last time RSA security said that a bloke with a P3 made them eat their words and he won a nice cash prize. The blokes from the university were still feeding scripts into their Supercomputer crunching through billions and billions passwords a seconds. So don't look at the brute force. Look at it as a old algebra equation which no one hasn't worked out yet. Few came close though and I expect its just a matter of time

 

AES-128 bit is only stronger in theory. There are NO real world attacks against AES or any other AES contender for that matter.

About the known attacks:

Source: WikiPedia

For that matter in order to crack an AES-256 bit key (NOT the password) you would need to calculate every posible key (2^256 combinations). This would take longer than the age of th universe. Now provided that was possible and you had the CPU power to do so you would need a HUGE amount of power. By huge I mean approximently the power of the sun. Now take that and turn that into money - No one would waste their time cracking a AES-256 bit key when passwords are far easier to crack.

https://secure.wikimedia.org/wikipedia/en/wiki/Brute-force_attack#Theoretical_limits
Note 256 bit key there. Good luck with that.


Yes CPU's and GPU's are getting faster and faster but consider now the Von Neumann-Landauer Limit Which states:

Also take into account that even with our technology improvin there is a point in time where it will not be improving enough. Unless a HUGE scientifc breakthrough is made or a vulnerability in AES is found it is unbreakable.

99.9% of anyone trying to break in will always aim at the weakest link - your password. GPU's and CPU's (and rainbow tables) aid cracking passwords (not keys). Strong password? Than YOU are the weak link and all an attacker needs to do is trick you into giving away your password. Until you can crack AES in a few years it isn't practical as most passwords would be cracked before hand (lots of people use crap passwords with encryption)

 

Didn't see this when I posted. I stand by my above post but wanted to add that I agree with this statement. Any day someone COULD find a flaw in AES but that goes for any algorithym sadly. Also if you don't like AES check out CAST5 it has been impervious to all theoritical attacks so far (Making it stronger than AES)

 

Also wouldn't the program you used come into play? Some have failsafes against Bruteforce that would further slow it down don't they?

 

"wait 5 seconds before reentering password"

and bruteforcing just got destroyed

 

its over 2 years old now
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
heres to asp.net Aes encrypted or not
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

There is plenty of software bugs for attackers to use to bypass breaking the keys. That's what keeps me awake at night, not the algorithms

 

Why should I tell you something I'm hiding?

 

Now where do you keep the password?

 

In my brain.

 

Read the full article:

So basically this is nothing. I use AES 256 with 14 rounds (min. Keypass I use about 10,000) like most people and software (TC, PGP, etc.).

 

Don't you worry about the size of the wrench? --http://xkcd.com/538/-- (j/k, I know the link was posted recently in another privacy thread but couldn't resist)

 

lol your understanding it wrong. A year or two ago a password with 7 random character was SECURE. Now its in hardware range. Look at the 2nd link. Doesn't matter how strong the encryption. A simple flaw in a application lets you bypass it. Do you think the AVG joe uses a password like this:
6hEoI!Zwi2WQZKvm

Nope. They use passwords like places and all those you get in a dictionary and all they're passwords like lastpass are based on 1 security setup. Thats your email. I get into your email I get into your keepass lastpass whatsoever. So how secure is a persons email?

 

Very interesting

 

Not understanding anything wrong. I was talking about cracking AES not passwords. I think you are confusing the two. Yes a 7 character password is nothing (especially with rainbow tables). BUT all mine are at minimum 34 characters long (with the sole exception of site (like forums) that don't matter).

Now name one vulnerability found in either PGP WDE or TrueCrypt that allowed an attacker to access the data AND supply a LINK to support it. I am not talking about external attacks either (DMA/Cold boot don't count). only attacks on the program itself.

Now of course it's possible but since both programs are under public review and PGP goes through it's own review board as well (Bruce Schnirer is on there as well as countless other respected security analysts) it is slim and has yet to happen.

Also I don't even expect a person who doesn't use a secure password to know or use encryption. If they don't care about their passwords why would the encrypt their HDD?

Keypass and last pass are VERY different things. Last pass is online storage for an encrypted Database while KeyPass is OFFLINE. I use key pass and store it on an Encrypted IronKey. Again KeyPass has never had a flaw that exposed data either (also open source).

Last pass is online (why I don't use it) but that isn't a flaw. Last Pass is secure. You can not only use two factor authentication on it but also use two factor on your email account. I use it on my gmail account as well as a ~40 char. Password (randomly generated). Let's se someone defeat that.

 

Found some more information I would Like to share:

Those so called attacks on AES only apply if AES is used as a Hash function in so called Davies-Meyer mode. This is futher explained by Justin Troutman here:

Source

Sorry for the slight bumb, I wanted to clear up the confusion on that attack ( as it was mentioned earlier).

 

Yes thats you using the long password not the avg joe. The avg joe think this is a secure password AdECdEc - Because its uppercase and lowercase.
Lastpass the stuff gets encrypted on your pc and the key is on your pc. Not on the servers.

 

Are we talking about web security? For that why brute force when you can rip the webconfig file and session cookie? They dont use brute force much these days. They don't need to SQL injection

 

1) As I said i doubt any that thinks adECdEc is a good password is using Encryption LOL (Ok, maybe one or two people but not most; one of the first things TrueCrypt and other encryption programs tell you to do is use a long and complex password). But fine you're right.

2) I know what LastPass does. It is different for two reasons (IMHO at least) Keypass is offline only - LastPass backsup the encrypted database online. Keypass supports multiple algorithms (AES, Serpent) - LastPass only supports AES256. You are right but I should have clarified what I meant

 

HTTPS would stop session hijacking provided there is no MITM. Also this is why you should always use a VPN or a home network protected with WPA2.