Can We Break Your Password With Our GPUs?

Discussion in 'privacy problems' started by Spooony, Jul 6, 2011.

Thread Status:
Not open for further replies.
  1. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
  2. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    This article is purely about brute force password guessing using GPUs. Nothing new.
    Interestingly, the article discusses passwords up to 12 characters so of course, if you have a room full of computers with fast GPUs you can brute force a 12 character password in months or possibly weeks.

    AES is still as secure as ever. Never use a password less than 16 characters and use 20+ character passwords when possible. A 20 character random password will not be brute forced in your lifetime.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Thanks for the link. Interesting read. I wonder how soon this might become common? For true hackers, it's going on now. But they are limited in numbers. Which bides some time for the masses. But that will change...
     
  4. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    The thing about the article is not the encryption used or length of passwords but what parallel computing brings to the table. Programs able to make use of 2 GPU setups. What about 3 or 4? The number of passwords crunched per second is getting bigger and it's a huge amount compared to 2 or 3 years ago. Well there is a hole in 256 AES which reduces the time for brute forcing even more. 128 AES is safer than 256. But the question is why are we relying so long on a 7 year old encryption technique? They are waiting for someone to crack it or for it to come into hardware range, which is really awful.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Let them try breaking my 28 character triple encryption (Serpent-Twofish-AES) volume. Not that they'll find me and gain access in the first place.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    What the hell are you hiding? lol

    I don't bother encrypting anything -- nothing to hide.
     
  7. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Last time RSA Security said that, a bloke with a P3 made them eat their words and he won a nice cash prize. The blokes from the university were still feeding scripts into their supercomputer crunching through billions and billions of passwords a second. So don't look at the brute force. Look at it as an old algebra equation which no one has worked out yet. A few came close though and I expect it's just a matter of time.
     
  8. x942

    x942 Guest

    AES-128 bit is only stronger in theory. There are NO real world attacks against AES or any other AES contender for that matter.

    About the known attacks:

    Source: Wikipedia

    For that matter in order to crack an AES-256 bit key (NOT the password) you would need to calculate every possible key (2^256 combinations). This would take longer than the age of the universe. Now provided that was possible and you had the CPU power to do so you would need a HUGE amount of power. By huge I mean approximately the power of the sun. Now take that and turn that into money - no one would waste their time cracking an AES-256 bit key when passwords are far easier to crack.

    https://secure.wikimedia.org/wikipedia/en/wiki/Brute-force_attack#Theoretical_limits
    Note 256 bit key there. Good luck with that.


    Yes, CPUs and GPUs are getting faster and faster but consider now the Von Neumann-Landauer limit, which states:
    Also take into account that even with our technology improving there is a point in time where it will not be improving enough. Unless a HUGE scientific breakthrough is made or a vulnerability in AES is found it is unbreakable.

    99.9% of anyone trying to break in will always aim at the weakest link - your password. GPUs and CPUs (and rainbow tables) aid cracking passwords (not keys). Strong password? Then YOU are the weak link and all an attacker needs to do is trick you into giving away your password. Until you can crack AES in a few years it isn't practical, as most passwords would be cracked beforehand (lots of people use crap passwords with encryption).
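
Added example, not part of the original post: a Python sketch of the arithmetic behind the password-versus-key comparison and the Landauer energy floor discussed above. The 95-character alphabet, the 1e10 guesses per second rate, the 300 K temperature and the treatment of key stretching as a plain divisor are assumptions; the lengths 7, 12, 16 and 20 and the 10,000 rounds figure are taken from posts in this thread, and 39 is the computed length at which a random printable-ASCII password exceeds 256 bits.

```python
import math

PRINTABLE = 95                       # assumed alphabet: printable ASCII
K_BOLTZMANN = 1.380649e-23           # J/K
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def password_bits(length, alphabet=PRINTABLE):
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet)

def effective_bits(length, key_bits=256, alphabet=PRINTABLE):
    """The search an attacker faces is the smaller of password space and key space."""
    return min(password_bits(length, alphabet), key_bits)

def years_to_exhaust(bits, guesses_per_second, stretch_rounds=1):
    """Worst-case years to try every candidate.

    stretch_rounds models key stretching as a simplification: each guess
    costs that many primitive operations, so the rate drops by that factor.
    """
    return 2 ** bits * stretch_rounds / guesses_per_second / SECONDS_PER_YEAR

def landauer_joules(bits, temperature_k=300.0):
    """Energy floor for 2**bits bit flips at kT*ln(2) joules per flip."""
    return 2 ** bits * K_BOLTZMANN * temperature_k * math.log(2)

def report(rate=1e10, rounds=10_000):
    """Rows of (length, bits, years, years with stretching); rate is an assumption."""
    rows = []
    for length in (7, 12, 16, 20, 39):
        bits = effective_bits(length)
        rows.append((length, round(bits, 1),
                     years_to_exhaust(bits, rate),
                     years_to_exhaust(bits, rate, rounds)))
    return rows

if __name__ == "__main__":
    for length, bits, plain, stretched in report():
        print(f"{length:>2} chars  {bits:>5} bits  {plain:.2e} y  {stretched:.2e} y stretched")
    for bits in (128, 256):
        print(f"{bits}-bit key space: >= {landauer_joules(bits):.2e} J to count through")
```

The model covers offline guessing only, and it applies only to passwords chosen uniformly at random; dictionary-style passwords fall far faster than their length suggests.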
     
  9. x942

    x942 Guest

    Didn't see this when I posted. :oops: I stand by my above post but wanted to add that I agree with this statement. Any day someone COULD find a flaw in AES but that goes for any algorithm sadly. Also if you don't like AES check out CAST5, it has been impervious to all theoretical attacks so far (making it stronger than AES).
     
  10. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    Also wouldn't the program you used come into play? Some have failsafes against brute force that would further slow it down, don't they?
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    "wait 5 seconds before reentering password"

    and bruteforcing just got destroyed
     
  12. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    It's over 2 years old now
    http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
    Here's to ASP.NET, AES encrypted or not
    http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

    There are plenty of software bugs for attackers to use to bypass breaking the keys. That's what keeps me awake at night, not the algorithms.
     
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Why should I tell you something I'm hiding?
     
  14. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Now where do you keep the password?
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    In my brain.
     
  16. x942

    x942 Guest

    Read the full article:

    So basically this is nothing. I use AES 256 with 14 rounds (min. KeePass I use about 10,000) like most people and software (TC, PGP, etc.).
     
  17. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Don't you worry about the size of the wrench? --http://xkcd.com/538/-- (j/k, I know the link was posted recently in another privacy thread but couldn't resist)
     
  18. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    lol you're understanding it wrong. A year or two ago a password with 7 random characters was SECURE. Now it's in hardware range. Look at the 2nd link. Doesn't matter how strong the encryption. A simple flaw in an application lets you bypass it. Do you think the avg Joe uses a password like this:
    6hEoI!Zwi2WQZKvm

    Nope. They use passwords like places and all those you get in a dictionary, and all their passwords, like LastPass, are based on 1 security setup. That's your email. I get into your email, I get into your KeePass, LastPass, whatsoever. So how secure is a person's email?
     
  19. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Very interesting :D
     
  20. x942

    x942 Guest

    Not understanding anything wrong. I was talking about cracking AES not passwords. I think you are confusing the two. Yes a 7 character password is nothing (especially with rainbow tables). BUT all mine are at minimum 34 characters long (with the sole exception of sites (like forums) that don't matter).

    Now name one vulnerability found in either PGP WDE or TrueCrypt that allowed an attacker to access the data AND supply a LINK to support it. I am not talking about external attacks either (DMA/cold boot don't count). Only attacks on the program itself.

    Now of course it's possible but since both programs are under public review and PGP goes through its own review board as well (Bruce Schneier is on there as well as countless other respected security analysts) it is slim and has yet to happen.

    Also I don't even expect a person who doesn't use a secure password to know or use encryption. If they don't care about their passwords why would they encrypt their HDD?

    KeePass and LastPass are VERY different things. LastPass is online storage for an encrypted database while KeePass is OFFLINE. I use KeePass and store it on an encrypted IronKey. Again KeePass has never had a flaw that exposed data either (also open source).

    LastPass is online (why I don't use it) but that isn't a flaw. LastPass is secure. You can not only use two factor authentication on it but also use two factor on your email account. I use it on my Gmail account as well as a ~40 char. password (randomly generated). Let's see someone defeat that.
     
  21. x942

    x942 Guest

    Found some more information I would like to share:

    Those so called attacks on AES only apply if AES is used as a hash function in so called Davies-Meyer mode. This is further explained by Justin Troutman here:

    Source

    Sorry for the slight bump, I wanted to clear up the confusion on that attack (as it was mentioned earlier).
     
  22. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Yes, that's you using the long password, not the avg Joe. The avg Joe thinks this is a secure password: AdECdEc - because it's uppercase and lowercase.
    LastPass: the stuff gets encrypted on your PC and the key is on your PC. Not on the servers.
     
  23. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Are we talking about web security? For that why brute force when you can rip the webconfig file and session cookie? They don't use brute force much these days. They don't need to SQL injection
     
  24. x942

    x942 Guest

    1) As I said I doubt anyone that thinks adECdEc is a good password is using encryption LOL (OK, maybe one or two people but not most; one of the first things TrueCrypt and other encryption programs tell you to do is use a long and complex password). But fine, you're right.

    2) I know what LastPass does. It is different for two reasons (IMHO at least): KeePass is offline only - LastPass backs up the encrypted database online. KeePass supports multiple algorithms (AES, Serpent) - LastPass only supports AES256. You are right but I should have clarified what I meant ;)
     
  25. x942

    x942 Guest

    HTTPS would stop session hijacking provided there is no MITM. Also this is why you should always use a VPN or a home network protected with WPA2.
     