#1
11-06-2011, 02:46 AM
Tandum (Robin)
No more passwords.

Or should I say, passwords are no good any more.

The whole idea of passwords is that they are encoded in a hash file and a brute force crack of the hash file would take so long that your password was safe.

It seems someone has written a brute force crack which uses the processor on a video card which has super fast RAM and a lot of grunt to boot. Previously a 7 character password took a CPU 4 days to crack via a brute force attack, a GPU takes just over 17 minutes.

Don't panic just yet, they need the password hash file first, however that file is normally readable by anyone as no one expected this sort of speed being available for an attack. I wonder if this is how PlayStation went under.

We live in an amazing age ... Read it here.
#2
11-06-2011, 02:57 AM
bartman (Bart)
Quote:
Originally Posted by Tandum
Don't panic just yet, they need the password hash file first, however that file is normally readable by anyone as no one expected this sort of speed being available for an attack.
We live in an amazing age ... Read it here.
Robin, what does this mean (as in the above quote)? The hash file (which I have heard of before) I thought was a comparison string to a file's size/integrity.
So how can that be read by someone else?
Bartman
#3
11-06-2011, 03:49 AM
Tandum (Robin)
Login data is run through an algorithm to produce a number or a hash, hence the hash file. All operating systems do the same thing basically. The brute force attack knows the algorithm and matches guesses to the hash file. It used to take 6 months for a CPU to crack a 7 character password. How times have changed, and so quickly.
#4
11-06-2011, 03:54 AM
bartman (Bart)
Quote:
Originally Posted by Tandum
Don't panic just yet, they need the password hash file first, however that file is normally readable by anyone as no one expected this sort of speed being available for an attack.
Ummmm, so I should change to a 21 character password... btw, what's the ETA on cracking that?
Bartman
#5
11-06-2011, 05:53 AM
Tandum (Robin)
From the article:
A nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.
#6
11-06-2011, 07:01 AM
leon
There must be some mongrel people in the world who have nothing better to do than to destroy people's lives and their personal belongings, steal their money because they're too bloody lazy to work for their own, the list goes on and on.

And they reckon the human race has evolved to a species that is superior to the animal world, yea right, at least a dog is honest and faithful.

Leon
#7
11-06-2011, 09:16 AM
Barrykgerdes
I have always assumed that passwords were the same as any other type of lock or security device. "Designed only to keep honest people out"

Where I need a password I use one that is simple and easy to remember. I don't commit anything to the system that would do any harm if compromised.

In other words if you find my password and pry into my material so what. You won't find anything of real value.

Barry
#8
11-06-2011, 10:06 AM
astronut (John)
The serious hackers are anarchists...they hate "our" world and everything in it!!
#9
11-06-2011, 10:20 AM
RickS (Rick)
I think we'll be using two factor authentication* more widely soon, probably using mobile phones as the "token". Unfortunately, as the recent RSA debacle has shown, that's not foolproof either.

Cheers,
Rick.

* Two factor authentication can be simply described as "something you have, something you know." An example is a bank card + PIN. You need both to get access.
#10
11-06-2011, 10:48 AM
mithrandir (Andrew)
Quote:
Originally Posted by RickS
I think we'll be using two factor authentication* more widely soon, probably using mobile phones as the "token". Unfortunately, as the recent RSA debacle has shown, that's not foolproof either.
The RSA break-in only affects people who use the tokens without a PIN. We've never done that. It has always been userid, password, RSA token and PIN. Without all four you get nowhere. My bank has been using the mobile phone to supply a token for ages.

Quote:
Originally Posted by astronut
The serious hackers are anarchists...they hate "our" world and everything in it!!
As a programmer who has been at it for about 40 years, can people please learn there is a difference between "hackers" and "crackers"?

Attacking password hashes is cracking. Because of these criminals we have moved to 12 character passwords which have to be changed every 90 days.

Hackers are those programmers who write clever solutions to problems. A "good hack" is programming to be proud of. An "ugly hack" or "kludge" is something that achieves the end but you would not want anyone to know you had anything to do with.

Calling "crackers" "hackers" is sloppy, and a symptom of the sensationalist times we live in.
#11
11-06-2011, 10:53 AM
AG Hybrid (Adrian)
Old news (about password safety) tbh. I've seen a guy's computer here in Aus. He has Nvidia GTX 480's in 6 way SLi. If he uses the GPU's to process, he can brute force 17 million passwords a second. The reason why a GPU is better than a CPU is due to the efficiency of the architecture and the raw amount of data that can flow through it.

Besides, rainbow tables have been around for years too. That makes things even faster. Strong encryption is really the best security alternative. Also pulling your ethernet cable out from your computer.
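Robin's description of the hash file (post #3) and Adrian's point about rainbow tables (post #11), as an added Python example that is not from the thread or the linked article: an unsalted fast hash lets one precomputed table crack every user at once, while a per-user salt and a slow KDF force the attacker back to recomputing each guess and multiply the cost of every guess by the work factor. The 17 million guesses per second figure is taken from post #11; the 62-symbol alphabet, the hash file and the lookup table are constructed for the illustration.

```python
import hashlib
import os
import secrets

PBKDF2_ITERATIONS = 200_000  # work factor: every guess must pay this many hashes

def fast_unsalted_hash(password: str) -> str:
    """The scheme the thread worries about: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_slow_hash(password: str, salt: bytes = b"") -> tuple:
    """Per-user random salt plus PBKDF2; returns (salt, digest) for the hash file."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a login attempt against the stored salt and digest."""
    _, candidate = salted_slow_hash(password, salt)
    return secrets.compare_digest(candidate, digest)

def lookup_table_hits(hash_file: dict, table: dict) -> dict:
    """A precomputed hash->password table (the idea behind rainbow tables) recovers
    every user whose stored hash appears in it; with per-user salts no such table applies."""
    return {user: table[h] for user, h in hash_file.items() if h in table}

def seconds_to_exhaust(alphabet: int, length: int, guesses_per_second: float,
                       work_factor: int = 1) -> float:
    """Time to try every password of the given length; work_factor is the KDF cost per guess."""
    return alphabet ** length * work_factor / guesses_per_second

# Constructed hash file and lookup table, both using the weak scheme.
WEAK_HASH_FILE = {"alice": fast_unsalted_hash("letmein"),
                  "bob": fast_unsalted_hash("letmein"),
                  "carol": fast_unsalted_hash("Xq7#pL2v")}
PRECOMPUTED = {fast_unsalted_hash(p): p for p in ["password", "letmein", "qwerty"]}

if __name__ == "__main__":
    print("identical passwords, identical hashes:",
          WEAK_HASH_FILE["alice"] == WEAK_HASH_FILE["bob"])
    print("table hits:", lookup_table_hits(WEAK_HASH_FILE, PRECOMPUTED))
    s1, d1 = salted_slow_hash("letmein")
    s2, d2 = salted_slow_hash("letmein")
    print("salted digests differ:", d1 != d2, "| verify:", verify("letmein", s1, d1))
    days = seconds_to_exhaust(62, 7, 17_000_000) / 86400
    print(f"7 chars, 62-symbol alphabet at 17M/s: {days:.1f} days;")
    print(f"same search against PBKDF2: {days * PBKDF2_ITERATIONS / 365:.0f} years")
```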
#12
11-06-2011, 12:25 PM
RickS (Rick)
Quote:
Originally Posted by mithrandir
The RSA break-in only affects people who use the tokens without a PIN.
Since RSA have failed to release details of the vulnerability all we can do is speculate about who it does or doesn't affect...

Cheers,
Rick.
#13
11-06-2011, 01:11 PM
mithrandir (Andrew)
Quote:
Originally Posted by RickS
Since RSA have failed to release details of the vulnerability all we can do is speculate about who it does or doesn't affect...
It is not that hard to understand if you have a bit of experience with RSA tokens and the validation software.

Just using a token is not two factor authentication. It is something you have, but is not something you know and which is locked to the token.

Andrew
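Andrew's point (posts #10 and #13) that a token on its own is only "something you have" and that login should need userid, password, token code and PIN together, as an added Python example that is not from the thread: a time-based one-time code per RFC 6238 (the kind a phone app generates) is checked alongside a password and a PIN, so the code by itself never opens the account. The account record and salt are constructed; the token seed is the RFC 4226 test-vector key, chosen only so the codes are checkable.

```python
import hashlib
import hmac
import secrets
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (the phone 'token')."""
    return hotp(secret, int(unix_time // step))

def _kdf(value: str, salt: bytes) -> bytes:
    """Hash the stored password and PIN so the account record is not plaintext."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

# Constructed account record. The seed is the RFC 4226 test-vector key; a real
# seed is random per user and shared only with that user's phone app.
SALT = b"constructed-fixed-salt"
ACCOUNT = {
    "userid": "andrew",
    "password": _kdf("correct horse", SALT),
    "pin": _kdf("4821", SALT),
    "seed": b"12345678901234567890",
}

def authenticate(userid: str, password: str, pin: str, code: str,
                 now=None, skew: int = 1) -> bool:
    """Userid, password (know), PIN (know) and time-based code (have) are all
    evaluated and all must pass; any one of them alone is not enough."""
    if userid != ACCOUNT["userid"]:
        return False
    now = time.time() if now is None else now
    ok_password = secrets.compare_digest(_kdf(password, SALT), ACCOUNT["password"])
    ok_pin = secrets.compare_digest(_kdf(pin, SALT), ACCOUNT["pin"])
    # Accept the current 30-second step and `skew` steps either side for clock drift.
    ok_code = any(hmac.compare_digest(code, totp(ACCOUNT["seed"], now + d * 30))
                  for d in range(-skew, skew + 1))
    return ok_password and ok_pin and ok_code

if __name__ == "__main__":
    t = time.time()
    current = totp(ACCOUNT["seed"], t)
    print("code only:", authenticate("andrew", "", "", current, now=t))
    print("all factors:", authenticate("andrew", "correct horse", "4821", current, now=t))
```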
#14
11-06-2011, 03:35 PM
casstony
It wouldn't be the end of the world if we had to go back to cheques and drawing cash out in person. I think the modern ease of access to money encourages excessive spending and borrowing.

We have a separate computer for internet financial transactions but the first time I experience a theft will be the end of the brave new world of money for me.
#15
11-06-2011, 07:19 PM
RickS (Rick)
Quote:
Originally Posted by mithrandir
It is not that hard to understand if you have a bit of experience with RSA tokens and the validation software.

Just using a token is not two factor authentication. It is something you have, but is not something you know and which is locked to the token.

Andrew

Highly respected security technologist and author, Bruce Schneier:

Quote:
The worry is that source code to the company's SecurID two-factor authentication product was stolen, which would possibly allow hackers to reverse-engineer or otherwise break the system. It's hard to make any assessments about whether this is possible or likely without knowing 1) how SecurID's cryptography works, and 2) exactly what was stolen from the company's servers. We do not know either, and the corporate spin is as short on details as it is long on reassurances.
IMHO a PIN does not offer any guarantee of protection against this. The IT department at the major security company that I work for also appears to have the same view. They scrapped all the RSA tokens.

Cheers,
Rick.