GPU processors and internet passwords

 
 
Mon 20 Jun, 2011 09:38 pm

http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

Word to the wise, one of my buddies who studies this sort of thing tells me that people should be using 16-character passwords on the internet at this point, that is, for any sort of an internet account used for banking or anything of any consequence.
Type: Discussion • Score: 6 • Views: 9,364 • Replies: 35

 
BillRM
 
  2  
Mon 20 Jun, 2011 10:07 pm
@gungasnake,
An online attack is limited to a few guesses a second at most, as no matter how fast your hardware is, the bank or whatever is not going to respond much faster than that to your guesses.

Normally you cannot do an offline attack on your banking or other such web sites' passwords unless the bad guys had already gotten into the banking site and downloaded the hash of everyone's passwords. If they are that far into a bank network, the game is over in any case.

Offline attacks can be done for WPA2 wireless encryption and of course such things as full disk encryption by PGP or TrueCrypt if they have gotten hold of your computer.

And even then most such programs hash your password/passphrase not once but thousands of times, slowing down an attack by that much.

In other words, the risk is overstated to say the least.

BillRM
 
  1  
Mon 20 Jun, 2011 10:12 pm
@gungasnake,
Here is a link that gives some great information on passwords and how to create very strong passwords/passphrases that a human can remember.

https://www.grc.com/haystack.htm
0 Replies
 
gungasnake
 
  1  
Tue 21 Jun, 2011 05:48 am
@BillRM,
Quote:
An online attack is limited to a few guesses a second at most, as no matter how fast your hardware is, the bank or whatever is not going to respond much faster than that to your guesses.


That clearly is not the way the thing works. In real life the Russian mafia or somebody manages to steal an entire list of encrypted passwords from a bank or credit card organization and THEN they start doing the thing with the GPU arrays...
maxdancona
 
  1  
Tue 21 Jun, 2011 06:08 am
@gungasnake,
Yet somehow the banking system continues to run efficiently without customers or banks losing all their money.

I am with Bill.

A good password is important.

However, the most common mistake is using the same password in multiple sites. If you are using the same password on Able2Know that you use with your bank, you should change your bank password immediately.
0 Replies
 
rosborne979
 
  1  
Tue 21 Jun, 2011 06:15 am
@gungasnake,
gungasnake wrote:

Quote:
An online attack is limited to a few guesses a second at most, as no matter how fast your hardware is, the bank or whatever is not going to respond much faster than that to your guesses.


That clearly is not the way the thing works. In real life the Russian mafia or somebody manages to steal an entire list of encrypted passwords from a bank or credit card organization and THEN they start doing the thing with the GPU arrays...

Even if someone steals a list of encrypted passwords, they have no way to decrypt them without trying their "guesses" against the target, and in reality that means going through the IO port you are trying to log into.

The article you referenced only reports the ability of the GPU to crunch numbers at bus speed, not any normal IO port speed.

The observation that a GPU is faster than a standard CPU at decryption is interesting, but not relevant to real world hacking through network connections.

One place this would be useful (and I'm sure it is) would be if you're trying to decrypt some type of cypher into a known language with known words.
maxdancona
 
  1  
Tue 21 Jun, 2011 06:38 am
@rosborne979,
Quote:

Even if someone steals a list of encrypted passwords, they have no way to decrypt them without trying their "guesses" against the target, and in reality that means going through the IO port you are trying to log into.


This is incorrect.

The encrypted passwords are "hashes", they look like large strings of characters such as "ASFa87w23598asgha9fg987y432523sdljfsdi". If you give me your actual password, everyone knows how to convert a plaintext (unencrypted) password into a hash. In fact that is how they check that your password is correct, they convert your password into the hash and then compare with the correct hash.

The reason this works is that it is a one-way function. It is very easy (and fast) to turn a password into a hash. It is very difficult (and time consuming) to turn a hash into the plaintext password.

But once I have the hash, and I have a GPU array (or any other way of trying millions of passwords quickly) then I can do all of the work on my own computer without needing to access the target computer or the network.

I simply, on my own computer, turn each of the hundreds of millions of potential passwords into a hash, and then compare each of these hashes with your password hash (which I have). Once I find a match I have your password.

So yes. If I have your encrypted password and a lot of computing power, I can crack your password without any problem with network speed.
DrewDad
 
  1  
Tue 21 Jun, 2011 08:17 am
@gungasnake,
Use a password manager like LastPass.
0 Replies
 
Walter Hinteler
 
  1  
Tue 21 Jun, 2011 08:34 am
@gungasnake,
gungasnake wrote:

That clearly is not the way the thing works. In real life the Russian mafia or somebody manages to steal an entire list of encrypted passwords from a bank or credit card organization and THEN they start doing the thing with the GPU arrays...


That's more the fault of your bank or credit card organisation.

If someone gets my passwords and my personal pins - well, okay, she/he can look at my account.

But to do anything with it, she/he must additionally have my cell phone and use the special pin(s) I get as a text message within a couple of minutes.

Well, this certainly might happen ....
gungasnake
 
  1  
Tue 21 Jun, 2011 12:20 pm
The trick is figuring a 16-character pw which you can remember easily. To me that means three halfway big words strung together instead of two, needless to say I've already done that.
rosborne979
 
  1  
Tue 21 Jun, 2011 01:57 pm
@maxdancona,
maxdancona wrote:

I simply, on my own computer, turn each of the hundreds of millions of potential passwords into a hash, and then compare each of these hashes with your password hash (which I have). Once I find a match I have your password.

So if you start converting passwords with the fewest numbers of characters into hashes you may run into the right hash fairly quickly if I only have a short password. But if I have a password of 10 characters or more, you'll never (well, almost never) get there, even with a GPU.
rosborne979
 
  1  
Tue 21 Jun, 2011 01:59 pm
@gungasnake,
gungasnake wrote:

The trick is figuring a 16-character pw which you can remember easily. To me that means three halfway big words strung together instead of two, needless to say I've already done that.

The link that BillRM provided above gives good examples of long passwords that are easy to remember and just as effective.
0 Replies
 
maxdancona
 
  1  
Tue 21 Jun, 2011 04:28 pm
@rosborne979,
Quote:
But if I have a password of 10 characters or more, you'll never (well, almost never) get there, even with a GPU.


You are missing the point. These days it is feasible to try trillions of passwords every second, and if one GPU takes too long, I can always buy 100 GPUs.

A strong 10 character password can be solved in weeks or even days with a completely realistic array of hardware. And the power still keeps going up, and the price keeps going down.

It is a simple math problem: the time it takes to find a password using brute force is the number of possible passwords divided by the rate at which you can check a password.

The point is that we now have relatively inexpensive hardware that is capable of checking passwords at such a high rate that even your 10 character password isn't invincible from a determined attacker.
maxdancona
 
  1  
Tue 21 Jun, 2011 04:35 pm
@gungasnake,
By the way, dictionary words strung together is a bad idea.

When I was a young programmer, my company had a new pointer and offered a bounty for anyone who could find any security flaws.

Me and a friend used a piece of software (actually called SATAN) to find one of the administrator passwords. We were going to run it for a week on a dedicated computer. It returned a result after just one night. We got a few hundred dollars for the effort.

The password we found was two dictionary words with a number in the middle. A lot of people use dictionary words, so starting the search with combinations of dictionary words makes the search go much, much quicker. This was decades ago and the password cracking tools were already smart enough to string dictionary words together with numbers, and even to change Is into 1s and s into "$".

Randomness (or entropy) is more important than length. So A6&dg.$fg is a better password than SaunterIntercourseMongoose.
gungasnake
 
  1  
Tue 21 Jun, 2011 05:55 pm
@maxdancona,
IF you can remember it..... There's a happy medium there somewhere.
0 Replies
 
BillRM
 
  1  
Tue 21 Jun, 2011 06:17 pm
@maxdancona,
Quote:
The password we found was two dictionary words with a number in the middle. A lot of people use dictionary words, so starting the search with combinations of dictionary words makes the search go much, much quicker. This was decades ago and the password cracking tools were already smart enough to string dictionary words together with numbers, and even to change Is into 1s and s into "$".


Five dictionary words with added special symbols and odd capitalization order should stand for a few trillion years.
0 Replies
 
BillRM
 
  1  
Tue 21 Jun, 2011 07:53 pm
@maxdancona,
Place the following five dictionary words plus padding in the GRC brute force calculator at https://www.grc.com/haystack.htm

<,314.>stand for a trillion yearS,,,,,

Very simple to remember because of its dictionary words and meaning.

Good luck however in creating a smart password software/hardware cracker that could deal with it in less than a trillion years.
rosborne979
 
  1  
Tue 21 Jun, 2011 07:59 pm
@maxdancona,
maxdancona wrote:
The point is that we now have relatively inexpensive hardware that is capable of checking passwords at such a high rate that even your 10 character password isn't invincible from a determined attacker.
*If* someone already has the hash to work from, right? So they need to have stolen something to start with?
maxdancona
 
  1  
Tue 21 Jun, 2011 08:00 pm
@rosborne979,
Point taken. That was the starting off point of this conversation.
0 Replies
 
maxdancona
 
  1  
Tue 21 Jun, 2011 08:05 pm
@BillRM,
Yes and no.

The fact that there are dictionary words makes it less secure. Smart password cracking algorithms cut corners by counting dictionary words as tokens. In most password cracking algorithms the pattern "314" is also a token (since as pi it is part of lots of passwords).

The haystack program is considering your proposed password to be random characters rather than dictionary words, so the value it gives is significantly higher than reality.
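The two estimates argued over in this thread, as an added example that is not part of any post: a per-character (haystack-style) search space against a token-based one, fed into the "possible passwords divided by rate" formula with an optional multiplier for repeated hashing. The token list, the 100,000-entry dictionary size, the one extra bit for a capitalization variant, and the 10,000-round figure are assumptions chosen for illustration.

```python
import math

CHAR_BITS = math.log2(95)          # one random printable-ASCII character
# Constructed sample token list; a real estimate would load a large dictionary.
TOKENS = {"stand", "for", "trillion", "years", "saunter", "intercourse",
          "mongoose", "314"}
DICT_BITS = math.log2(100_000)     # assumption: attacker dictionary of 100,000 tokens


def char_model_bits(pw: str) -> float:
    """Haystack-style estimate: every character is an independent random pick."""
    if not pw:
        return 0.0
    size = 0
    size += 26 if any(c.islower() for c in pw) else 0
    size += 26 if any(c.isupper() for c in pw) else 0
    size += 10 if any(c.isdigit() for c in pw) else 0
    size += 33 if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log2(size)


def token_model_bits(pw: str) -> float:
    """Cheapest parse of pw into dictionary tokens and single characters."""
    low = pw.lower()
    best = [0.0] + [math.inf] * len(pw)
    for i in range(len(pw)):
        best[i + 1] = min(best[i + 1], best[i] + CHAR_BITS)
        for j in range(i + 1, len(pw) + 1):
            if low[i:j] in TOKENS:
                # assumption: one extra bit covers a capitalization variant
                cost = DICT_BITS + (1 if pw[i:j] != low[i:j] else 0)
                best[j] = min(best[j], best[i] + cost)
    return best[-1]


def seconds_to_exhaust(bits: float, guesses_per_sec: float, hash_rounds: int = 1) -> float:
    """Worst-case time = search space / guess rate; each guess costs hash_rounds hashes."""
    return 2 ** bits * hash_rounds / guesses_per_sec


if __name__ == "__main__":
    for pw in ("A6&dg.$fg", "SaunterIntercourseMongoose",
               "<,314.>stand for a trillion yearS,,,,,"):
        c, t = char_model_bits(pw), token_model_bits(pw)
        print(f"{pw!r}: char model {c:.1f} bits, token model {t:.1f} bits, "
              f"{seconds_to_exhaust(t, 1e12) / 86400:.3g} days at 1e12 hashes/s, "
              f"{seconds_to_exhaust(t, 1e12, 10_000) / 86400:.3g} days with 10,000 rounds")
```

Under these assumptions the three-word passphrase scores lower than the nine random characters, while the padded five-word phrase drops well below its per-character figure yet remains far out of reach.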

 
