ICEINSPACE
11-06-2011, 02:46 AM | Registered User | Join Date: Apr 2008 | Location: Wynnum West, Brisbane. | Posts: 4,166
No more passwords.
Or should I say, passwords are no good any more.
The whole idea of passwords is that they are encoded in a hash file and a brute force crack of the hash file would take so long that your password was safe.
It seems someone has written a brute force crack which uses the processor on a video card which has super fast RAM and a lot of grunt to boot. Previously a 7 character password took a CPU 4 days to crack via a brute force attack; a GPU takes just over 17 minutes.
Don't panic just yet, they need the password hash file first, however that file is normally readable by anyone as no one expected this sort of speed being available for an attack. I wonder if this is how PlayStation went under.
We live in an amazing age ... Read it here.

11-06-2011, 02:57 AM | 1 of 7 of 9 | Join Date: Sep 2009 | Location: Perth | Posts: 1,968
Quote:
Originally Posted by Tandum
Don't panic just yet, they need the password hash file first, however that file is normally readable by anyone as no one expected this sort of speed being available for an attack.
We live in an amazing age ... Read it here.
Robin, what does this mean (as in the above quote)? The hash file (which I have heard of before) I thought was a comparison string for a file's size/integrity.
So how can that be read by someone else?
Bartman

11-06-2011, 03:49 AM | Registered User | Join Date: Apr 2008 | Location: Wynnum West, Brisbane. | Posts: 4,166
Login data is run through an algorithm to produce a number or a hash, hence the hash file. All operating systems do the same thing basically. The brute force attack knows the algorithm and matches guesses to the hash file. It used to take 6 months for a cpu to crack a 7 character password. How times have changed, and so quickly.

11-06-2011, 03:54 AM | 1 of 7 of 9 | Join Date: Sep 2009 | Location: Perth | Posts: 1,968
Quote:
Originally Posted by Tandum
Don't panic just yet, they need the password hash file first, however that file is normally readable by anyone as no one expected this sort of speed being available for an attack.
Ummmm so I should change to a 21 character password..... btw what's the ETA on cracking that?
Bartman

11-06-2011, 05:53 AM | Registered User | Join Date: Apr 2008 | Location: Wynnum West, Brisbane. | Posts: 4,166
From the article:
A nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.
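A worked version of the estimates quoted in this thread, added here as an example (not from the linked article or any poster): it backs a guess rate out of the "9 mixed-case characters in 48 days" figure, scales that to other lengths, and shows how a salted, iterated hash such as PBKDF2 changes the arithmetic. The iteration count and the sample salt are assumptions.

```python
import hashlib
import hmac
import os

MIXED_CASE = 52  # a-z plus A-Z: the article's "mixed-case" alphabet

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second

def implied_guess_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Guess rate an attacker must sustain to exhaust the keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds

# Thread figure: a 9-char mixed-case password falls in 48 days on a GPU.
GPU_RATE = implied_guess_rate(MIXED_CASE, 9, 48 * 86400)  # roughly 6.7e8 guesses/s

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). Every iteration
    multiplies the cost of one guess, and a random per-user salt means a
    precomputed (rainbow) table built for one user is useless for any other."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = 200_000) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)

def slow_hash_years(alphabet_size: int, length: int, fast_rate: float, iterations: int) -> float:
    """Crack time when each guess costs `iterations` hash calls instead of one."""
    return worst_case_seconds(alphabet_size, length, fast_rate / iterations) / (365 * 86400)

if __name__ == "__main__":
    print(f"implied GPU rate: {GPU_RATE:.2e} guesses/s")
    for n in (7, 9, 12):
        fast_days = worst_case_seconds(MIXED_CASE, n, GPU_RATE) / 86400
        slow_years = slow_hash_years(MIXED_CASE, n, GPU_RATE, 200_000)
        print(f"{n}-char mixed-case: fast hash {fast_days:,.1f} days, PBKDF2 {slow_years:,.0f} years")
    salt = os.urandom(16)  # constructed sample salt; stored beside the hash in practice
    stored = hash_password("correct horse", salt)
    print("verify:", verify_password("correct horse", salt, stored))
```

The 7-character line comes out near the article's "minutes" figure at this rate, while the same length behind 200,000 iterations costs the attacker years; the salt is what stops the rainbow tables mentioned later in the thread.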

11-06-2011, 07:01 AM | Registered User | Join Date: Apr 2006 | Location: Warrnambool | Posts: 12,801
There must be some mongrel people in the world who have nothing better to do than to destroy people's lives and their personal belongings, steal their money because they're too bloody lazy to work for their own, the list goes on and on.
And they reckon the human race has evolved to a species that is superior to the animal world, yeah right, at least a dog is honest and faithful.
Leon

11-06-2011, 09:16 AM | Registered User | Join Date: Feb 2007 | Location: Beaumont Hills NSW | Posts: 2,900
I have always assumed that passwords were the same as any other type of lock or security device. "Designed only to keep honest people out"
Where I need a password I use one that is simple and easy to remember. I don't commit anything to the system that would do any harm if compromised.
In other words if you find my password and pry into my material so what. You won't find anything of real value.
Barry

11-06-2011, 10:06 AM | 2'sCompany3's a StarParty | Join Date: Oct 2005 | Location: Eagle Vale | Posts: 1,251
The serious hackers are anarchists...they hate "our" world and everything in it!!

11-06-2011, 10:20 AM | PI cult recruiter | Join Date: Apr 2010 | Location: Brisbane | Posts: 10,584
I think we'll be using two factor authentication* more widely soon, probably using mobile phones as the "token". Unfortunately, as the recent RSA debacle has shown, that's not foolproof either.
Cheers,
Rick.
* Two factor authentication can be simply described as "something you have, something you know." An example is a bank card + PIN. You need both to get access.

11-06-2011, 10:48 AM | Registered User | Join Date: Jan 2009 | Location: Glenhaven | Posts: 4,161
Quote:
Originally Posted by RickS
I think we'll be using two factor authentication* more widely soon, probably using mobile phones as the "token". Unfortunately, as the recent RSA debacle has shown, that's not foolproof either.
The RSA break-in only affects people who use the tokens without a PIN. We've never done that. It has always been userid, password, RSA token and PIN. Without all four you get nowhere. My bank has been using the mobile phone to supply a token for ages.
Quote:
Originally Posted by astronut
The serious hackers are anarchists...they hate "our" world and everything in it!!
As a programmer who has been at it for about 40 years, can people please learn there is a difference between "hackers" and "crackers"?
Attacking password hashes is cracking. Because of these criminals we have moved to 12 character passwords which have to be changed every 90 days.
Hackers are those programmers who write clever solutions to problems. A "good hack" is programming to be proud of. An "ugly hack" or "kludge" is something that achieves the end but you would not want anyone to know you had anything to do with.
Calling "crackers" "hackers" is sloppy, and a symptom of the sensationalist times we live in.

11-06-2011, 10:53 AM | A Friendly Nyctophiliac | Join Date: Nov 2009 | Location: Toongabbie, NSW | Posts: 1,598
Old news (about password safety) tbh. I've seen a guy's computer here in Aus. He has Nvidia GTX 480's in 6 way SLI. If he uses the GPUs to process, he can brute force 17 million passwords a second. The reason why a GPU is better than a CPU is due to the efficiency of the architecture and the raw amount of data that can flow through it.
Besides, rainbow tables have been around for years too. That makes things even faster. Strong encryption is really the best security alternative. Also pulling your ethernet cable out from your computer.

11-06-2011, 12:25 PM | PI cult recruiter | Join Date: Apr 2010 | Location: Brisbane | Posts: 10,584
Quote:
Originally Posted by mithrandir
The RSA break-in only affects people who use the tokens without a PIN.
Since RSA have failed to release details of the vulnerability all we can do is speculate about who it does or doesn't affect...
Cheers,
Rick.

11-06-2011, 01:11 PM | Registered User | Join Date: Jan 2009 | Location: Glenhaven | Posts: 4,161
Quote:
Originally Posted by RickS
Since RSA have failed to release details of the vulnerability all we can do is speculate about who it does or doesn't affect...
It is not that hard to understand if you have a bit of experience with RSA tokens and the validation software.
Just using a token is not two factor authentication. It is something you have, but is not something you know and which is locked to the token.
Andrew

11-06-2011, 03:35 PM | Registered User | Join Date: Feb 2006 | Location: Warragul, Vic | Posts: 4,494
It wouldn't be the end of the world if we had to go back to cheques and drawing cash out in person. I think the modern ease of access to money encourages excessive spending and borrowing.
We have a separate computer for internet financial transactions but the first time I experience a theft will be the end of the brave new world of money for me.

11-06-2011, 07:19 PM | PI cult recruiter | Join Date: Apr 2010 | Location: Brisbane | Posts: 10,584
Quote:
Originally Posted by mithrandir
It is not that hard to understand if you have a bit of experience with RSA tokens and the validation software.
Just using a token is not two factor authentication. It is something you have, but is not something you know and which is locked to the token.
Andrew
Highly respected security technologist and author, Bruce Schneier:
Quote:
The worry is that source code to the company's SecurID two-factor authentication product was stolen, which would possibly allow hackers to reverse-engineer or otherwise break the system. It's hard to make any assessments about whether this is possible or likely without knowing 1) how SecurID's cryptography works, and 2) exactly what was stolen from the company's servers. We do not know either, and the corporate spin is as short on details as it is long on reassurances.
IMHO a PIN does not offer any guarantee of protection against this. The IT department at the major security company that I work for also appears to have the same view. They scrapped all the RSA tokens.
Cheers,
Rick.
All times are GMT +10. The time is now 06:53 AM.