
Author Topic: Brute Force Password Attack...  (Read 29645 times)


Quantos

Brute Force Password Attack...
« on: December 05, 2012, 04:14:43 AM »
Evil is an exact science.

truenorth



    Re: Brute Force Password Attack...
    « Reply #1 on: December 05, 2012, 07:57:16 AM »
    Currently the page returns "service is temporarily unavailable" with Opera. May only be as stated--time will tell. truenorth

    patio

    Re: Brute Force Password Attack...
    « Reply #2 on: December 05, 2012, 08:01:31 AM »
    Try 2 or 3 times...it loaded for me after that...
    " Anyone who goes to a psychiatrist should have his head examined. "

    truenorth



      Re: Brute Force Password Attack...
      « Reply #3 on: December 05, 2012, 10:45:00 AM »
      Just tried the link again after about 2 hours and connected 1st go. If I understand the thrust it is emphasizing the current ability to recover lost passwords (lost through being forgotten). But surely the vulnerability of passwords being a protective device are also compromised by this ability. I wonder if this also has ramifications for the alleged security of data transmission on encrypted sites? Ah well the constant contests between the mice and the mousetrap builders continues. truenorth

      BC_Programmer


      Re: Brute Force Password Attack...
      « Reply #4 on: December 05, 2012, 06:43:40 PM »
      Quote
      If I understand the thrust it is emphasizing the current ability to recover lost passwords

      No. It is emphasizing the ability to crack them. Lost passwords should, by definition, be unrecoverable.

      Most of it is rife with inaccuracies, even after the edit. For example, the LM hash, to my recollection, hasn't been used extensively since NT4. And being able to crack an NTLM password (or even LM, really) requires root level or physical access to the machine in order to read the SAM file, at which point you can simply remove said password anyway.

      Quote
      the quote regarding 14char passwords falling in 6 minutes was for LM encrypted

      I always see articles and stuff referring to password security and how long it takes to brute force and so forth, and they always seem to use the LM hash. Despite what the article says, the last version to use LM by default was Windows 2000, to my recollection, if not NT4. 2000 and XP support LM hashes but only if they are networked with NT4 or 2000 machines that use the LM hash, despite what the article and the edit say (that it's used on XP).


      The typical method of storing passwords is of course to never store the password at all. Instead, the password is sent through a one-way hash. The idea here is that you store the hash, and then when you want to verify a password you hash the input and compare it to the stored value to see if they match. The idea here is to increase security in the event that the database of stored hashes is acquired by malevolent parties.

      Usually, the passwords are salted in some way. This is done to essentially add entropy, and needs to be something that will remain the same. Some authentication systems designed only for use on one machine will use that machine's network MAC address. Others will salt the password hash using the username or userid as it exists in the system, etc. The purpose being to make it so even if two users were to have the same password, their hashes would not be identical for other reasons.

      This is a cryptographically secure system, as long as the hash algorithm is cryptographically secure.


      Most attacks of cryptographically secure systems are done via brute-forcing of the password, which is, essentially, checking every single possible password and Salt combination, and seeing if the hash goes through. In order for this attack to be feasible you <need> the hashes, so the database of the website or service will need to be compromised. Otherwise, your only way to check against them would be to use their API or service, and I've personally yet to see a service that doesn't lock you out from repeated attempts to login with the wrong password.

      With access to the Hashes, they are still relatively safe, but it is possible to attack the hashed value of a password using rainbow tables. These are gigantic, pre-computed hash-values for every possible combination of characters. Each one has to be tailored to any individual salting method applied by the service in question, and they are often upwards of 8GB in size. An attacking PC can calculate these hashes on the fly, but using a massive table of already-calculated information is helpful because hash algorithms are typically very processor intensive, so such a table allows an attack to proceed a lot faster, particularly if the machine in question has the memory to keep most of or all of said table in RAM.

      There are already Rainbow tables available for the NT Hashes, making it possible to brute force a good percentage of people's Windows XP, Vista, 7, and 8 Passwords.

      However, the actual hash data is not something that Windows just gives to any program that asks for it. Usually you need to reboot into a LiveCD or other OS, or run a program with LocalSystem privileges to get read/write access to the files where the hashes are stored. So if a hash is in a position to be compromised using rainbow tables it's already a breach.

      Regarding SSL and encrypted websites: they use a Public/Private key symmetric algorithm, which means that in order to get the data needed to reverse-engineer the encryption using brute force you would need to perform a Man in the middle attack of some sort. The method of SSL connections however makes such an attack difficult because there are checks in place that try to determine if something is fishy (within the confines of TCP, that is).

      I was trying to dereference Null Pointers before it was cool.
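
The hash-and-compare scheme and the effect of salting described in the reply above, as an added example that is not part of the original post. The per-user random salt, PBKDF2-HMAC-SHA256, the iteration count and the sample accounts are assumptions made for the illustration, and a plain lookup dictionary stands in for a precomputed table.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password):
    """Single fast hash with no salt: the same password always maps to the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password, salt=None):
    """Return (salt, derived_key); a fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify(password, salt, stored_key):
    """Hash the supplied password with the stored salt and compare in constant time."""
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def precomputed_table(candidates):
    """Hash-to-password lookup built once, before any database is seen."""
    return {unsalted_hash(p): p for p in candidates}


def leaked_view(users, candidates):
    """What a precomputed table reveals from each storage scheme after a leak."""
    table = precomputed_table(candidates)
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return {
        "unsalted_recovered": {u: table.get(h) for u, h in unsalted.items()},
        "salted_recovered": {u: table.get(k.hex()) for u, (_, k) in salted.items()},
        "unsalted_distinct": len(set(unsalted.values())),
        "salted_distinct": len({k for _, k in salted.values()}),
    }


# Constructed sample data: two accounts share a common password.
SAMPLE_USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#qLm2!vX"}
SAMPLE_CANDIDATES = ["password", "sunshine1", "letmein"]

if __name__ == "__main__":
    for name, value in leaked_view(SAMPLE_USERS, SAMPLE_CANDIDATES).items():
        print(name, value)
```

With the unsalted scheme the two identical passwords collapse to one stored value and the table resolves both; with per-user salts every record is distinct and the same table matches nothing.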

      DaveLembke



      Re: Brute Force Password Attack...
      « Reply #5 on: December 05, 2012, 10:55:46 PM »
      When it comes to brute force attacks to find correct passwords, I thought this was deterred by processes that monitor how many failed logons before consecutive attempts are rejected or how many times an account attempts to logon within a given period of time before attempts are rejected from being considered for authentication.

      If you have physical access to their laptop etc, you already own it, to boot it off of Linux distro etc, but for non physical access in which you are making remote attempts, it would take forever I would think unless you are snagging the easy to crack accounts with bad/weak passwords.

      Sure if you have a system that is willing to take any and all authentication attempts no matter how fast they inquire with a user/password combination it's just a matter of time before it's cracked depending on length and complexity of the password itself. But systems that block authentication for like 3 minutes after too many consecutive failed logins, I would think would take 10,000 years or more to crack since you would need to test say 3 logons, wait 3 minutes, test another 3, wait 3 minutes ......... a process that would take A LONG TIME vs throwing up to say 10 per second at it.

      I suppose if you had an army of computers, a hacker owning a bunch of zombies, or army of threads to the server all trying to authenticate at the same time with multiple user accounts, multiple passwords you might have better luck getting in since it's like having a warehouse full of slot machines and being able to run them all at the same time with an unlimited supply of quarters to play. If you played just 1 machine you might hit a jackpot (777) in 2 or 3 days, but if you could play them all at the same time, you're probably going to get a couple jackpots a day. Jackpot here would be cracking the user's credentials with a team of computers/threads and only the easy ones to crack by dictionary attack or bad commonly used passwords would jackpot as a successful authentication and your odds at slot machines are way better than users' passwords.

      If the system tested 3 times and failed and moved on to another user and tried 3 times quickly, but yet kept a database of attempted passwords that failed in relation to users and moved onto the next from list or next random, I suppose this could be a brute force approach, but it wouldn't be targeting 1 specific user, because the 3 minute timeout that disallows further authentication would reject for at least that say 3 minutes for example, and if a 4th attempt is tried within the 3 minutes, the timer is reset and so it's not like after 3 minutes the server would allow another 3 to be accepted, every attempt after the timeout is reached would reset the timeout counter so it would never count down to 0 and reenable the authentication for another 3 if 3 is the magic number of allowed attempts per timeout interval.

      So in this case the more computers/threads and bandwidth you had and all able to interface with a common database among all to avoid redundant attempts is probably the only brute force I can see against a system that has lockout protection. Or is there another method I am not aware of?
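
The lockout rule described in the post above (3 failed logons, a 3-minute refusal, and any attempt during the refusal restarting the timer), as an added example that is not part of the original post. The class and function names and the account name are hypothetical, and the clock is passed in as plain seconds so the behaviour can be checked without waiting.

```python
class LoginThrottle:
    """Per-account lockout: max_failures bad logins, then lockout_seconds of refusal."""

    def __init__(self, max_failures=3, lockout_seconds=180):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time at which the lockout ends

    def attempt(self, user, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at time `now` (seconds)."""
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                # The password is not even checked, and the timer starts over.
                self._locked_until[user] = now + self.lockout_seconds
                return "locked"
            # Lockout has expired: clear it and start counting failures again.
            del self._locked_until[user]
            self._failures[user] = 0
        if password_ok:
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
        return "denied"


def evaluated_guesses(interval_s, duration_s):
    """Count wrong guesses that actually reach the password check for one account."""
    throttle = LoginThrottle()
    evaluated = 0
    for now in range(0, duration_s, interval_s):
        if throttle.attempt("alice", False, now) != "locked":
            evaluated += 1
    return evaluated


def daily_guess_ceiling(max_failures=3, lockout_seconds=180):
    """Upper bound on checked guesses per account per day under this policy."""
    return (86_400 // lockout_seconds) * max_failures


if __name__ == "__main__":
    print("one guess per second for an hour:", evaluated_guesses(1, 3600))
    print("ceiling per account per day:", daily_guess_ceiling())
    print("unthrottled at 10 per second, per day:", 10 * 86_400)
```

The reset-on-attempt rule also refuses the correct password while the lockout is active, so a steady stream of bad attempts keeps the legitimate owner out of the account.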




      BC_Programmer


      Re: Brute Force Password Attack...
      « Reply #6 on: December 05, 2012, 11:21:31 PM »
      Quote
      When it comes to brute force attacks to find correct passwords, I thought this was deterred by processes that monitor how many failed logons before consecutive attempts are rejected or how many times an account attempts to logon within a given period of time before attempts are rejected from being considered for authentication.

      This is talking about brute forcing the hash value after it's been acquired. Website database leaks are quite common.
      I was trying to dereference Null Pointers before it was cool.

      DaveLembke



      Re: Brute Force Password Attack...
      « Reply #7 on: December 05, 2012, 11:31:56 PM »
      Went back to read it in full, and just saw that someone else also noted that there was a typo that this is NOT for online attacks, just saw this at the bottom when going back to read this a 2nd time ...

      Quote
      I think you are missing two “not”s in this paragraph:

      “Tools like Gosney’s GPU cluster are suited for an “online” attack scenario against a live system. Rather, they’re used in “offline” attacks against collections of leaked or stolen passwords that were stored in encrypted form, Thorsheim said. In that situation, attackers are limited to a set number of password attempts – hardware and software limitations are all that matter.”

      And the editor corrected it with this:
      Quote
      Tools like Gosney’s GPU cluster aren’t suited for an “online” attack scenario against a live system. Rather, they’re used in “offline” attacks against collections of leaked or stolen passwords that were stored in encrypted form, Thorsheim said. In that situation, attackers aren’t limited to a set number of password attempts – hardware and software limitations are all that matter.

      Thanks for clarification BC, time for a cup of coffee to wake up and read the contents correctly. This graveyard shift is painful..LOL

      Quantos

      Re: Brute Force Password Attack...
      « Reply #8 on: December 06, 2012, 03:02:58 AM »
      I have a few questions about this, and the ability to really secure a computer.

      I use TrueCrypt to encrypt what I think are my sensitive documents, and I have a 31 character password to access it.  I don't do online banking, or enter personal information on the internet.  Is there a way to make it so that these passwords aren't stored on my computer? You know, even if they are encrypted.

      I guess the second question is a little subjective.  I'm really not that fascinating with government or trade secrets, so to simplify it right down to basics, I have is this - How secure do I really need to be?
      Evil is an exact science.

      BC_Programmer


      Re: Brute Force Password Attack...
      « Reply #9 on: December 06, 2012, 04:47:31 AM »
      Quote
      I use TrueCrypt to encrypt what I think are my sensitive documents, and I have a 31 character password to access it.  I don't do online banking, or enter personal information on the internet.  Is there a way to make it so that these passwords aren't stored on my computer? You know, even if they are encrypted.

      They aren't stored on your computer (as far as I know). TrueCrypt doesn't work the same way, since it doesn't really use a hash that it keeps around.

      Usually, encryption and decryption is more akin to SSL; when it saves a file, it uses the password and uses it to encrypt, in a reversible way, that piece of data before writing it; to decrypt, it uses the provided password and reverses the procedure. If the passwords don't match, the result will be garbage.

      Quote
      I guess the second question is a little subjective.  I'm really not that fascinating with government or trade secrets, so to simplify it right down to basics, I have is this - How secure do I really need to be?

      Personally I just use a different, randomly generated password for all sites I visit. The biggest "danger" is with using the same password in various locations, because then a breach of security at one place could cause your other accounts to be compromised.

      A personal example is that until recently I used the same password for everything. Apparently, one of those things was a blog that ran on gawker, because the gawker blog network was hacked and all the passwords were acquired by hackers. My first clue was when my website cpanel was locked out because somebody was trying to brute force it, which prompted me to change my password on everything else. My cpanel didn't use the same password, its password was randomly generated, so that was safe. Now all my passwords are randomly generated.
      I was trying to dereference Null Pointers before it was cool.

      Quantos

      Re: Brute Force Password Attack...
      « Reply #10 on: December 06, 2012, 04:53:54 AM »
      Thanks BC, I appreciate it.
      Evil is an exact science.

      DaveLembke



      Re: Brute Force Password Attack...
      « Reply #11 on: December 12, 2012, 01:01:29 AM »
      From BC's statement:
      Quote
      Now all my passwords are randomly  generated.

      *This has got to make it fun logging on. I tried a similar randomly generated password generator which was like an output of: 5Gt8!Wb$29hP for 12 random characters upper/lowercase/numbers/ and special characters and I found that unless I had it written down somewhere I'd be in trouble. I wrote a quick C++ program that had 12 randomly generated characters with a seeded timer for each character generated to make it as random as I possibly could by adding user random timing in when an input is processed to grab the next character. I didn't like riding the algorithm, since as you know rand without a seed will always spit out the same output in the same order if anyone else mimicked the generator for 12 digits concatenated without a seed. So definitely had to seed it. Then concatenate the output from the 12 variables holding each character that landed on the input condition.

      *Sure you could use your own randomness picking all characters off the top of your head, but I thought this C++ program would be a fun 25 minute time waster to code up and perfect for something that serves a purpose even if one is not really necessary.

      At first this program was a neat way to create complex passwords, but it became a pain having to look at a sticky note tucked away in a hidden spot ( not under keyboard...LOL )

      So while I still use complicated passwords like this for important stuff, I use lesser complex for my system logon which are easy to remember and secure enough for a system that is only online when I am at the computer.

      If you're remembering the randomly created passwords, is there a trick to memorizing them with the jumble that they appear as or like me you have a hidden sheet of paper and have to refer to it to get it correct? Usually I can remember it, but then get the cases wrong so 5Gt8!Wb$29hP would be 5Gt8!wB$29hP or something incorrect as such.

      My wife hates when I have her logon on my behalf to check on something when I am on the road, she says my passwords are retarded... I laugh and say no they are strong.  ;D

      BC_Programmer


      Re: Brute Force Password Attack...
      « Reply #12 on: December 12, 2012, 03:16:19 AM »
      Quote
      From BC's statement:
      *This has got to make it fun logging on. I tried a similar randomly generated password generator which was like an output of: 5Gt8!Wb$29hP for 12 random characters upper/lowercase/numbers/ and special characters and I found that unless I had it written down somewhere I'd be in trouble. I wrote a quick C++ program that had 12 randomly generated characters with a seeded timer for each character generated to make it as random as I possibly could by adding user random timing in when an input is processed to grab the next character. I didn't like riding the algorithm, since as you know rand without a seed will always spit out the same output in the same order if anyone else mimicked the generator for 12 digits concatenated without a seed. So definitely had to seed it. Then concatenate the output from the 12 variables holding each character that landed on the input condition.

      *Sure you could use your own randomness picking all characters off the top of your head, but I thought this C++ program would be a fun 25 minute time waster to code up and perfect for something that serves a purpose even if one is not really necessary.

      This is my program. For that purpose.

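      Code:
      using System;
      using System.Linq;

      class Program
      {
          // System.Random is a general-purpose PRNG, not a cryptographic one.
          static Random rgen = new Random();
          // Characters a generated password may contain.
          static String ValidChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!#$%^&*()_";

          // Builds a password by picking `length` characters at random from allowedChars.
          static string GeneratePassword(int length, string allowedChars)
          {
              return new string(Enumerable.Range(0, length).Select
                  (a => allowedChars[rgen.Next(allowedChars.Length)]).ToArray());
          }

          static void Main(string[] args)
          {
              // Print one 20-character password and wait for a key press.
              String RandomString = GeneratePassword(20, ValidChars);
              Console.WriteLine(RandomString);
              Console.ReadKey();
          }
      }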
      Quote
      If you're remembering the randomly created passwords, is there a trick to memorizing them with the jumble that they appear as or like me you have a hidden sheet of paper and have to refer to it to get it correct? Usually I can remember it, but then get the cases wrong so 5Gt8!Wb$29hP would be 5Gt8!wB$29hP or something incorrect as such.
      I have them as a text file on my hard drive. Normally I just have Firefox remember them for me. I do have my E-mail and webhost passwords memorized, though, simply because I've put them in enough times.  Other passwords are easier to remember but only because they are passphrases (sometimes I'm too lazy to use the generator even, so I just make up a phrase).

      You might think having them in a text file is "dangerous", because malware could easily get at it. That's true. However, a piece of malware would have to be specially configured to find where I keep the file, or be a special RAT with an actual person on the other end looking for them. But at that point you've already lost anyway.
      I was trying to dereference Null Pointers before it was cool.
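
The seeding point raised in the two posts above, as an added example that is not part of the original thread: a password drawn from a seeded general-purpose generator is fully determined by its seed, so its strength is capped by the number of possible seeds rather than by its length and alphabet. The alphabet is copied from the ValidChars string in the posted program; the function names, the sample seed value and the one-second-clock seed space are assumptions for the illustration.

```python
import math
import random
import secrets

# Alphabet copied from the ValidChars string in the post above (72 symbols).
VALID_CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
               "1234567890!#$%^&*()_")


def generate_seeded(length, seed, alphabet=VALID_CHARS):
    """Password from a general-purpose PRNG: the seed alone decides the output."""
    rng = random.Random(seed)
    return "".join(alphabet[rng.randrange(len(alphabet))] for _ in range(length))


def generate_secure(length, alphabet=VALID_CHARS):
    """Password drawn from the operating system CSPRNG; there is no seed to repeat."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def alphabet_bits(length, alphabet=VALID_CHARS):
    """Entropy in bits when every character is chosen uniformly and independently."""
    return length * math.log2(len(alphabet))


def effective_bits(length, seed_space, alphabet=VALID_CHARS):
    """A seeded generator can emit at most seed_space distinct passwords."""
    return min(alphabet_bits(length, alphabet), math.log2(seed_space))


if __name__ == "__main__":
    seed = 1355282179  # constructed sample: a clock reading in whole seconds
    print("seeded, run 1:", generate_seeded(20, seed))
    print("seeded, run 2:", generate_seeded(20, seed))  # identical to run 1
    print("secure       :", generate_secure(20))
    print("bits from length and alphabet: %.1f" % alphabet_bits(20))
    # Assumed seed space: a one-second clock somewhere within a known day.
    print("bits if seeded from that clock: %.1f" % effective_bits(20, 86_400))
```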

      soybean



      Re: Brute Force Password Attack...
      « Reply #13 on: December 12, 2012, 09:42:24 AM »
      Quote
      If you're remembering the randomly created passwords, is there a trick to memorizing them with the jumble that they appear as or like me you have a hidden sheet of paper and have to refer to it to get it correct?

      I don't use "randomly created passwords" due to the difficulty I would have remembering them.  For non-sensitive passworded websites such as forums, I use only 2 or 3 different passwords.  For sensitive websites such as any type of financial-related site, I create passwords that have some meaning to me, such as a mix of letters and numbers from the name and zip code of a city I have some connection with.  I keep these passwords in a PC file but I replace some of the characters with asterisks and keep just a few characters that are actually in the password to help me recall the full password.