Wednesday, June 08, 2011

The password you selected, 'penis,' is too short

fhxGH5h Ain't Close To Being A Safe Password Anymore

Cheap GPUs are rendering strong passwords useless

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

It gets worse.

The password 'penis' is too short

All of which generates comments like —

It is 57 years to crack all 10-char printable ASCII passwords with 4×5970 (95**10/33.1e9/3600/24/365.25 = 57.3 years).

Actually a real attack would take less than 9 years, because one must take into account GPU performance doubling every 1.5 years.

I'm filing this in the "If someone wants to break into your house badly enough, they will"  folder.

But, sign me:
Trllknffr&)nce2}}

via DVORAK
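The arithmetic behind the quoted timings and the commenter's 57-year figure, as an added example that is not part of the original post or the article it quotes. It assumes the sample passwords (fjR8n, pYDbL6, fh0GH5h) are drawn from a 62-symbol mixed-case alphanumeric class, and it models the "GPU performance doubling every 1.5 years" remark as continuous growth starting from today's rate.

```python
import math

# Guess rates quoted on the page: CPU 9.8 million/s, one GPU 3.3 billion/s,
# and the commenter's four-card figure of 33.1 billion/s.
CPU_RATE = 9.8e6
GPU_RATE = 3.3e9
FOUR_GPU_RATE = 33.1e9
SECONDS_PER_YEAR = 3600 * 24 * 365.25

MIXED_ALNUM = 62      # a-z, A-Z, 0-9 (assumed class of the sample passwords)
PRINTABLE_ASCII = 95  # the commenter's 10-character keyspace


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def exhaustive_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst case: every candidate tried at a fixed guess rate. A real run stops
    when the password is hit, so the expected time is roughly half of this."""
    return keyspace(alphabet_size, length) / rate


def years_with_doubling(fixed_rate_years: float, doubling_years: float = 1.5) -> float:
    """Finish time when the guess rate doubles every `doubling_years` (assumed
    continuous growth from today's rate r0). Work done by time t at rate
    r0*2^(t/T) is r0*T/ln2 * (2^(t/T) - 1); set that equal to the keyspace
    (= r0 * fixed_rate_years) and solve for t."""
    t = doubling_years
    return t * math.log2(1 + fixed_rate_years * math.log(2) / t)


def min_length_for(alphabet_size: int, rate: float, target_years: float) -> int:
    """Shortest length whose worst-case exhaustive search exceeds target_years."""
    length = 1
    while exhaustive_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR <= target_years:
        length += 1
    return length


if __name__ == "__main__":
    for n in (5, 6, 7):
        cpu = exhaustive_seconds(MIXED_ALNUM, n, CPU_RATE)
        gpu = exhaustive_seconds(MIXED_ALNUM, n, GPU_RATE)
        print(f"{n} chars: CPU {cpu / 3600:8.2f} h   GPU {gpu:10.1f} s")
    fixed = exhaustive_seconds(PRINTABLE_ASCII, 10, FOUR_GPU_RATE) / SECONDS_PER_YEAR
    print(f"10 printable chars on 4 GPUs: {fixed:.1f} years at today's rate, "
          f"{years_with_doubling(fixed):.1f} years if the rate doubles every 1.5 years")
    print("length needed to hold 100 years on 4 GPUs:",
          min_length_for(PRINTABLE_ASCII, FOUR_GPU_RATE, 100))
```

The 6- and 7-character worst-case figures land within a few percent of the article's numbers (1.6 h vs 1 h 30 min on the CPU, 17.8 min vs 17 min 30 s on the GPU); the 5-character run finished well before exhausting the space, which is why the article reports 24 seconds rather than the 94-second worst case.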

6 comments:

Anonymous said...

Actually, the next step is a physical key with a combination pin registered with your ISP. Goodbye privacy.

Casca

TheOldMan said...

Each attempt will take several seconds to fail and most reputable websites, e.g. bank, cc, brokerage, stop taking attempts after three failures. So these timings are not accurate.

Anonymous said...

What about an alpha numeric password like: Pen15_8====>

Anonymous said...

The three strikes and you're out only works for direct on-line attempts. What if they've stolen a password file? Passwords are encrypted with a one-way method. IOW they cannot be decrypted back to clear text.

Since most people use the same small subset of passwords (guilty), if you can get one password file, you can march through a whole comp center or multiple social networking and/or online checking, Amazon, etc., etc. sites.

See The Cuckoo's Egg by Cliff Stoll. Old but still relevant.

JLW III

Anonymous said...

With this RFID chip implanted in my wrist, and the password I type in, I am secure.

CF in CO

Anonymous said...

When last doing admin, the password file was chunked into multiple pieces, with user identifiable stuff in one, and encrypted passwords in the other, and not readable by anyone but root (unix), don't know re NT.
If it is a one-way encryption, how do you know when you've cracked this stolen password file? And what rewards are you gonna get for doing all this work?
Working at an ISP, we had a common LONG password that was changed when employees left, etc, and I think monthly. It was gobbledygook unless you tried to say it aloud, and then it would almost make sense. We were locked into sudo, and EVERY thing we did was logged, subject to inspection.
Relatedly, the fobs that generate an 8(?) digit number on a time-basis have apparently been cracked, and the supplier is voluntarily replacing some 2.5 million of them.
In case you are unaware, the login is challenged, and you have to know the password AND the currently valid number the fob has generated and is displaying for your id. The Pentagon uses a lot of these, as does NASA. Apparently the Chinese have gotten some code that makes breaking in a lot easier, so new fobs for everyone. At no charge... so there MUST be a danger of hacking.
I guess stealing a fob is better than an eye or a thumb for retinal or print validation...
tomw
