SSD tools crack passwords 100 times faster

Ultra brute force attack

By John Leyden • Posted in Enterprise Security, 12th March 2010 14:42 GMT

Password-cracking tools optimised to work with SSDs have achieved speeds up to 100 times quicker than previously possible.

After optimising its rainbow tables of password hashes to make use of SSDs Swiss security firm Objectif Sécurité was able to crack 14-digit WinXP passwords with special characters in just 5.3 seconds. Objectif Sécurité's Philippe Oechslin told Heise Security that the result was 100 times faster than possible with their old 8GB Rainbow Tables for XP hashes.

The exercise illustrated that the speed of hard discs rather than processor speeds was the main bottleneck in password cracking based on password hash lookups.

<SNIP>http://www.theregister.co.uk/2010/03/12/password_cracking_on_crack/

Are we all doomed to become the victims of identity theft or at least have our last threads of privacy destroyed?

out of your files. Anyone that gets access to the password file on your system can brute force out the password. This is not news, its just happening faster than it used to.

A Trojan could send it off system, someone who had complete physical access to the system could also get to it. Reality is, if you want to seriously protect things, serious encryption is needed

http://en.wikipedia.org/wiki/Rainbow_table#Defense_against_rainbow_tables

Use newer operating systems (like Vista or Windows 7) which have 64bit salt making any rainbow table computation virtually impossible.

User complex passwords. Hackers may attempt to reduce rainbow table calcuation times by creating a partial rainbow which only has certain words (dictionary) or password lengths (every password up to 10 characters) or not using special characters. If you password isn't in the rainbow table it can't be used.

Secondary passwords or other mechanisms for your system log on and email?

I run dual full version internet security packages (AVG security and PC Tools Sypware package) and every once in a while, I will go out and do a full system screen using trojan-specific scanners or a malware specific scan using something like malwarebytes antimalware. I know the companies suggest not combining protections, but I learned the hard way that relying on a single internet package can get you in trouble and the two working in concert seems to be synergistic in what it picks up. But, I have to do certain things online, including some internet purchases from trusted sites that don't have phone order alternatives. I do save important confidential documents and files on a external hard drive that has some encryption protection and always run current virus/malware checks on my computer before attaching that drive.

I know you said everything is a balance, but I'd like to be closer to the more secure than the majority of more vulnerables, for sure.

Your thoughts?

password that uses upper and lower case letters, numbers, and special characters (?/*&%$#@,.~{}[]).

A 14-digit password constructed thusly is for all practical purposes uncrackable.

A password that uses only numbers, or actual words in it, is asking for trouble.

A 14-character pseudo-random password consisting of lowercase letters alone would take their hot new algorithm somewhere between 1000-2000 years to crack.

I'm not worried.

They already have the hash for EVERY single password calculated (in this example for Windows XP password).


That is how rainbow tables work. They PREcalculate the hash for every single password. Every combination of every letter, capitalization, number, symbol up to a set length, against every salt in the algorith.

To "hack" your password they simply look up its hash against the table and blam it spits out your exact password.

Doesn't matter if you password is
jFh9e87we9feK^fh#s2T@#$@#89

Then they simply lookup the hash of your password against the rainbow and they know your password.

A strong password isn't enough. You need to ensure the algorithm uses a large enough salt. Windows Vista & Windows 7 use a 64bit hash making rainbow tables impossible.

No one should be putting anything of value on a networked Windows XP machine. For any reason.

"By mounting a brute force attack on each half separately, modern desktop machines can crack alphanumeric LM hashes in a few hours."

http://en.wikipedia.org/wiki/LM_hash

You need strong password + strong algorithm.

Windows XP isn't the only system with hash flaw. Many unix systems have a limited hash value. Many also have flaws in key reduction algorithm meaning the number of discrete values is less than key-length suggests.


Strong Password + Strong Hash = Secure
Strong Password + Weak Hash = Insecure

Maybe in 1980 they did.

MD5 can be hacked with about 80,000 hrs of CPU time; Blowfish, DES, SHA are even more computationally intensive.

Windows XP is not in the same league.

Many systems used a 12bit salt. This was before rainbow tables.

The problem with 12bit salt is there are only 4096 variants of the same password. This cuts down on number of iterations needed for rainbow table.

From the article: "Swiss security firm Objectif Sécurité was able to crack 14-digit WinXP passwords with special characters in just 5.3 seconds."

What did you say?: "A 14-character pseudo-random password consisting of lowercase letters alone would take their hot new algorithm somewhere between 1000-2000 years to crack."

I hope you don't make your living giving computer security advice.

and the first thing I advise clients is to recycle any computer running WinXP.

Now, back to your thread title: "SSD tools crack passwords 100 times faster". A more accurate title would be "SSD tools crack WinXP passwords 100 times faster". Big difference, because 14 character passwords are reduced to something much, much simpler in XP.

As far as a brute force attack on an unhashed lowercase password, take 26 and multiply it by itself 14 times. You'll end up with a number that's about 19 digits long, which represents the total number of possible passwords. Now take 300 billion (attempt rate/seconds) and multiply it by the number of seconds in a year. Divide the 19 digit number by this number and we have the number of years it would take to guarantee success in a brute force attack.

It's thousands of years. Add in uppercase, and it would take quite a bit longer than the age of the universe.

Again, I'm not worried.

With 90% of the world running a Windows based computer, I'm sure it's not an easy sell.

especially if they're networked and security is critical.

Get an RSA token or am MXI thumb drive.

http://www.sses.net/security-products/shop-by-department/authentication-and-tokens/

the biggest risk for passwords is interception by transmitting them unencoded over the web (not including, of course, having it printed on a Post-It note on the edge of your monitor) :)

By simply making sure your computer connection uses secure sockets layer (SSL) you are about as safe as you can be (https: )

passwords on our desk.

It's not compliant. ;)

A traditional hard drive has platters inside it that spin around like a record. Also like a record player, there is a "read head" that positions itself just above a spot on the platter to read data (which has been encoded using magnetic particles on the platter surface). This technology is ultimately limited by how fast the platters can spin, how quickly the physical head can read the data, and how many particles are required to encode information.

Solid state drives are basically more like the RAM (memory) in your computer. There are no moving parts - the computer just asks for data in a particular location and the drive provides it. Gone are the limitations of the old hard drive, and they are much much faster. Unlike the RAM in your computer, however, the SSD holds the information it stores even when the computer is off. So in that regard it is more like a hard drive.

If you've got a big enough computer you can generate a file containing every possible password and test each password against the thing you're trying to break into. With ATM cards it's pretty easy--there are only 10,000 choices, right? Long passwords are a different story but they're still doable. The thing is, 40 years ago when this was first suggested you needed a Cray if you wanted to drag fast enough to have something actionable when you were done. Now every Walmart in America sells computers big enough to do it.

See #15 above.

Lowercase letters alone would break the bank - 26¹⁴ is a really, really big number (and that's a relatively easy one).

onedit: what makes most passwords very breakable is that they use common phrases. That's doable.

(H1-B Visas, Peace Be Upon Them) jizz over the fact that some fellow-nerd figured out how to screw you and me over, and THEN they get to act EVER so superior as they laugh in the face of the issue because THEY will never fall victim as they do all their computing over Linus-Foxfire through their Mac Airbooks with a KwaZulu operating system set at the OBVIOUSLY optimal 34.569108 kilobites per joules.

They're just getting their jollies. This is, I suspect, all a great to-do about nothing.

"Welcome sir, won't you please come in and hack my website?"

Faster hardware with shorter latencies means faster brute force attacks. Its not rocket science. Latencies has always been a key factors in implementation.

If anyone expects basic user passwords to secure anything against anything above a curious spouse, they are deluded.

but do you have any advice?

1) Don't have anything on the system hard drives that would send you to jail, ruin your marriage etc.
2) Encrypt things you do not want others to be able to access. Lots of free tools out there that do that
3) Put sensitive things on encrypted removable media. Only bring the media up when you need access to those files. Secure it physically otherwise.

Its really a risk vs hassle things. A very secure system can be a PITA to use. What is it worth to the user? There is a balance in their somewhere. Most user identity thefts do not come by this route, so is it worth it to you. In support of another prof I prepared several machines for use in Computer Forensics classes. One remains unbroken, but using it is a real PITA. Next semester I should have an email server that no one can retrieve emails from, and yes its inspiration is political

:)

Windows 7 + Encrypted File System + Strong Windows Password.
Too easy.

For the Microsoft haters there are equivalent solutions that work with Unix Systems.
If you want to use Windows but don't trust Microsoft implementation Truecrypt provides filesystem encryption that is compatible with Windows.

and there are not all that many users upgrading to 7 at this point.

Security is more user than technology in many cases, and they are usually "the weakest link"

Disk IO has been THE bottleneck for some time, which is why we have 15K RPM spinning platter drives and bizarre striping arrangements between them. This is not news. I wonder if they've thought to run their tools from RAMdisk. Think of the worthless-article-generating possibilities when they discover it can be faster than SSD over SAS!

Windows addressable memory

Jesus - they could just port their passcracker to a more functional OS. ;-)

Rainbow tables contain every possible password combination.

A good rainbow table will have: "fH398K!3#e@jd' as one of the values.

Strong password must also be accompanied by strong algorithm. Hash used in windows XP is flawed and regardless of your password is subject to attack.

STRONG PASSWORD + STRONG SYSTEM = Security.

So if you enter the wrong password you have to wait 20 or 20 seconds before trying again?

or they will lock a user out after x attempts.

I had one client whose password was guessed (we believe) by a password-guessing program.

The password was "butthead", and the client was being one for making himself such an easy target.

A rainbow table is created ahead of time and contains the hash of every single possible password.

So say you password is "DU rocks 123".
That is stored encrypted on the system as say "8fhjk343h4498322@$3h"

A rainbow table attack will have a table which contains every single hash

a small portion
8fhjk343h4498322@$3d -> "Whaj93802"
8fhjk343h4498322@$3e -> "Dude !@j"
8fhjk343h4498322@$3f -> "djkl2"
8fhjk343h4498322@$3g -> "D& hel2 "
8fhjk343h4498322@$3h -> "DU rocks 123"
8fhjk343h4498322@$3i -> "Repukes for the winz"
8fhjk343h4498322@$3j -> "Password"

So the attack software compares the encrypted hash of your password "8fhjk343h4498322@$3h" against the rainbow table and the software outputs "DU rocks 123". The hacker types in "DU rocks 123" and logins in on the first login*.

Don't use insecure systems. Microsoft windows systems older than Windows Vista are insecure".
The above attack would work in XP it would not work in Vista or Windows 7.


*Nerd disclaimer: Technically the max # of attempts would be the length of 'salt'. A 12 bit salt would result in 4096 potential passwords. However using fuzzy logic that can be ordered from most likely to least likely and hacker would likely be able to login in 2 or 3 attempts.

A 14-character lowercase password is 26¹⁴ possibilities.

Unless the Romans had Windows XP and a lot of foresight, there is no such table.

without needing to compute or store every possible hash.
Given a hash value h you can very quickly determine original password.

If you think this flaw is limited to XP only then you really shouldn't be in computer security business.

I provided you a link you could read and learn something:
http://en.wikipedia.org/wiki/Rainbow_table

Rainbow attacks are very real and have compromised many non-windows systems. Many mainframes and legacy Unix boxes date back 20-30 years when 12 bit salts (or worse no salt) were commonly used in cryptographic functions.

Please, I'd like to know. :eyes:

I know what rainbow tables are, I know they can shorten the time required to retrieve a hashed plaintext. But "Given a hash value h you can very quickly determine original password" is nonsense.

Here's a site where 1,107 distributed machines have about a 1:2 chance of cracking your MD5-hashed password - and MD5 isn't even considered secure anymore.

http://www.freerainbowtables.com/

How about this: "The flaw is limited to Windows machines prior to Vista with wimpy LM encryption and 20-year-old mainframes that no one uses anymore." :P

You are clueless. Virtually every fortune 500 company have legacy machines running ancient code.

Governmental agencies including Department of Defense are far worse. They were more likely to create massive proprietary systems. Systems that haven't been fully migrated off legacy hardware. NASA finally shut down their last mainframe in 2009. HP still offers mainframe maintenance and migration contracts. There is a lot of vital systems running on mainframes.

Also it isn't just mainframes. Virtually any Unix distro before 1986 uses 12 bit salt and thus is vulnerable to rainbow attack. Early version of Linux use vulnerable Unix passwd system so shares same issue.


Your continued insistence that salt vulnerabilities and use of rainbow tables are a "windows xp" problem you really are just clueless.

It is one thing to not know something. It is another thing to continually and loudly boast about your ignorance.

Name one Fortune 500 company that's running 20-year-old Unix.

Then tell me how you know.

2009 mainframe since 1986? :shrug:

and bought a book on the OS. think that I will revisit it soon...;-)