Harden Up: Can We Break Your Password With Our GPUs?
Table of contents
- 1. Need A Locksmith?
- 2. Test Setup
- 3. Archive Encryption: WinZip And WinRAR
- 4. Exploring Password Strength
Do you think your passwords are keeping your data nice and safe? Do you have archived files you don't want anyone to see? Let's see how fast we can crack your lock using our graphics cards. If anything, this is a wake-up call to lock down your valuables!
Locking your keys in the car is never fun. The last time that happened, I spent the better part of my day waiting for a locksmith. Happily, I can say that's one of those mistakes that I only made once; I haven't lost sight of my keys since.
The funny thing is that, for all of my deliberate effort, I simply cannot keep track of my digital keys (passwords) when I sit down at a computer. There are just so many of them, and we're trained to not use the same one on every site. Physical keys are just easier to keep track of. Even when you lose them, they're still somewhere. It's all a matter of retracing your steps. Besides, at least there are specialists (like locksmiths) to help lower that security barrier, if you really need them.
That's also true when it comes to passwords, at least to a certain extent. Whether it's your email or bank account, online password recovery is generally a painless process. There's usually some sort of a "Forgot Your Password?" link that allows you to reclaim access. However, the prospects for digital files are usually more forlorn. I recently discovered this while I was trying to access an old encrypted WinZip archive.
Before we dive too deep into password recovery, we should point out that there are many ways to protect your data. If you're looking for a more comprehensive solution, we would suggest something like TrueCrypt (check out Protect Your Data! TrueCrypt 7.0a's Performance, Analyzed), which is even more attractive now that it supports AES-NI instructions. Yet, archive encryption remains the most ubiquitous way to secure data. Whether you're someone in HR emailing the weekly payroll or Blake Lively trying to keep those personal iPhone photos a little more personal, encrypting an archive is fast and easy.
There is, however, a bit of a misunderstanding on just how secure your data can really be. If you're paranoid about security, you're naturally going to favour the strongest encryption scheme possible. The presumption is that a stronger encryption scheme is more difficult to break, suggesting that AES-256 is better than AES-128. That's not the whole truth. Think of encryption like a big vault. The thicker the armour, the harder it is to penetrate the safe. However, the security of a vault is only as good as the lock that secures it. That is what a password does. It's the vault's key. The longer your password, the more complicated the lock and the more secure your data is.
Most people assume that an eight-character-long password is good enough to keep hackers at bay. That's not exactly true either, and we're about to show you why.
Latest Software News
- 29/05 – Despite DRM-Free Version, Witcher 2 With DRM Most Pirated
- 28/05 – Steve Ballmer Has an 80-inch Windows 8 Tablet in His Office
- 28/05 – Marvel Heroes MMO Is Diablo But With Superheroes
- 26/05 – Elder Scrolls Online Won't Be Buggy Mess, Says Zenimax
- 25/05 – Yahoo! Releases Own Web Browser Dubbed 'Axis'
You could save some time by starting with 1s ;-)
How about grid or cloud computing?
As ever I can't remember which one, but there is a Linux flavour that changes the password hash algorithm based on the power of the CPU it is installed on. That way the process always takes around 2 seconds to validate your log on password ... i'm guessing winzip could use a similar technique to stop these attacks outright?
Have there been any accurate studies into the size of bot nets if those are still about (which I guess they are)? If you can 'easily' get a few thousand vulnerable computers involved things should be generally quite quick. Given the mention of Sony's network above - could one of the console networks get used for distributed computing like this?
How long does a full-ASCII password need to be in order to be harder to do the prime factorisation of public keys? (If this type of encryption uses that - I can't remember things quite well enough) I imagine if anyone was going to bend a lot of computing power to cracking passwords they're not going to do it for pointless files I might encrypt, they'd be interested in the big things.
The reason AES is much harder to crack than Zip2.0 is that the process for converting passwords to AES keys is deliberately made very much slower than the one for converting passwords to Zip2.0 keys.
Though Zip2.0 has some actual cryptographic breaks, so (if you have even not very much known-plaintext) it's possible to break the encryption without guessing passwords at all.
When cryptographers describe an encryption scheme as being secure, what they mean is that a brute-force attack utilising all the energy in the solar system with perfect efficiency would take longer than the time left until the heat-death of the universe. Unless a weakness is found in an encryption scheme (as happened with WEP for example) no amount of GPGPU is going to brute force an adequate password + good encryption algorithm.
Of course none of that matters when so many people use "QWERTY1234" as their password... and/or write it on a post-it and stick it to the screen!
When cryptographers describe an encryption scheme as being secure, what they mean is that a brute-force attack utilising all the energy in the solar system with perfect efficiency would take longer than the time left until the heat-death of the universe. Unless a weakness is found in an encryption scheme (as happened with WEP for example) no amount of GPGPU is going to brute force an adequate password + good encryption algorithm. Of course none of that matters when so many people use "QWERTY1234" as their password... and/or write it on a post-it and stick it to the screen!
Hehe, yes. The weakest point in every security system is allways the user.