This horse is not dead yet, so I'm going to beat it some more. ;)
I've read posts about GPU password cracking before and the speed increases over a standard CPU are significant in many cases. In this recent post I came across, an NTLM password hash (Windows) is cracked on both a CPU and a GPU. It isn't until you get past 10 characters with mixed case and special characters that the cracking program starts to take enough time to make it prohibitive.
This is just one type of password, and salting the hash would slow this operation considerably, but it wouldn't necessarily prevent cracking altogether. Faster processors are always being designed for the future so this shows the value of using a longer password that uses mixed case, numbers, and symbols.
Quote: GPU Password Cracking – Bruteforceing a Windows Password Using a Graphic Card (http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/)
GPGPU computing is getting lots of attention these days. GPGPU computing simply means doing general calculations on graphic cards (GPUs) rather than CPUs. Traditionally, GPUs were used only for getting graphical output, rendering frames in games and other purposes related to graphics. Lately, people started realizing that GPUs are far more efficient at handling highly parallel tasks and that there should be a way to code graphic cards. Though GPGPU computing is still in its infancy, a lot of progress has been made in this direction. For example, GPUs are used to speed up video conversion, video processing, doing scientific calculations, folding and password hash cracking.
Slight tangent - but if anyone has theoretical interest in such things rather than just a practical one then I would whole-heartedly recommend "The Code Book" by Simon Singh. It is sort of a history of codes and code breaking, but given by a mathematician so has explanation that a pure historian can't offer. Wow I just made that sound dull - but I promise it really isn't.
Anyway, reason it came to mind is that he talks a lot towards the end of the book about likely futures of cryptography and passwords and the like. Most importantly he talks about how utterly redundant they become (as well as anything based on them: SSL comes to mind as a good example) the day that a quantum computer is able to look at the problem. Quantum computers are real and work, but nothing that could be described as useful is around yet... unless you believe the TFH brigade of course in which case they are up and working in the Pentagon already.
Sorry for the threadnap.
Thanks. I've actually heard of that Simon Singh book, but I've never picked it up. I'll add that to my ever-growing list of books to read.
Actually I was thinking a bit about quantum computers when I posted. It's doubtful we'll see them before 'big brother' does. ;) Then you'd have to wonder whether your 100 character Google account password is quantum-proof, eh? However, just looking at what an off-the-shelf GPU unit can do might give you pause about what can be cracked today.
I recommend anything by Simon Singh - very, very smart fella who writes well. Big Bang is an excellent read.
Was speaking to a guy about passwords the other day and he was moaning that he had about 40-50 which he had to keep in a spreadsheet to keep track of them all. Plus he had to keep updating the spreadsheet as his work passwords change every month. Given that someone could hack into the spreadsheet, it all seems a bit pointless. And that's not factoring in the time he wastes every day opening up the spreadsheet to access the passwords.
Anyway, made me feel a bit better about my 3 passwords that I use for pretty much everything, which I've been told on numerous occasions is "virtual suicide" by techies :-)
Ed
I've been trying to find time to look for a secure password generator that works for groups. We work off something not dissimilar to the spreadsheet, although a bit more secure, at the moment. It's about 1000 miles away from being ideal.... however it's a lot better than using the same few passwords for everything.
Re-use is probably the norm though: http://news.softpedia.com/news/Real-World-Data-Analysis-Reveals-Very-High-Password-Reuse-Rate-183980.shtml
I saw Simon a couple of weeks ago on the Uncaged Monkeys tour with Brian Cox. He was debunking the idea of there being hidden messages in the Bible. A very entertaining speaker.
Good timing on this one... Password Haystacks (https://www.grc.com/haystack.htm)
Steve Gibson is claiming that high entropy isn't necessary for passwords, but rather length, and a combination of mixed case, digits and special characters. His Search Space Calculator on this page shows roughly how long it would take to crack different password combinations.
Nice link, Bill. I have a simple alphanumeric password I've used for a long time:
Quote: Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 33.22 centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 17.41 minutes
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 1.04 seconds
I've always had cryptic root passwords for servers, long passwords for financial related logins and relatively simpler logins for everything else. The simpler ones use a combination of 4 or 5 old passwords I used to have making them easy to remember.
I appreciate that processing power and clever algorithmic guessing can shorten brute force attacks... I must be naive in thinking protective mechanisms (blacklisting IPs/locking out an account) along with a relatively secure password are secure enough. I've always wondered how brute force attempts via online could ever have enough 'request opportunities' before being spotted in time. Nonetheless it seems people have enough black magic to gain unauthorised access to various accounts. Fascinating subject.
Seems like Google were too late to get in on this attempt:
http://www.bbc.co.uk/news/world-us-canada-13623378 - Google e-mail accounts compromised by 'Chinese hackers'
Pretty much I do it based on an old call sign when I used to use CBs. Not even connected to anything in the real world.
I have various easy ones I use for shit sites that are not that important.
That many requests across most of my servers would banjo them.
I'm not sure I understand how they carry out these brute force attacks. Wouldn't you overload and crash any normal server?
A lot of it must be done offline. Crack the server somehow and download the database...then take your own sweet time.
>This horse is not dead yet
Apparently not...
(https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash4/299079_1930692102394_1094988041_31660997_15151_n.jpg)
Ah yes...the xkcd cartoon. Someone was saying that they used the tool on the Password Haystacks page I mentioned earlier to come up with this one. They have a very good point. The longer password gives them more entropy. If it's easier to remember then that's an added benefit.
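The arithmetic behind the Search Space Calculator figures quoted earlier in the thread, as an added example (not code from any post here or from GRC). It assumes the calculator's model of four character classes (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space) and a count of every string up to the password's length; both sample passwords are constructed.

```python
import string

# Guess rates from the three scenarios quoted in the thread.
RATES = {
    "online": 10**3,          # one thousand guesses per second
    "offline_fast": 10**11,   # one hundred billion guesses per second
    "massive_array": 10**14,  # one hundred trillion guesses per second
}

# Assumed class model: 26 + 26 + 10 + 33 (32 punctuation marks plus space).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def alphabet_size(password):
    """Sum the sizes of the character classes the password draws from."""
    if any(not any(ch in c for c in CLASSES) for ch in password):
        raise ValueError("characters outside printable ASCII are not modelled")
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def search_space(password):
    """Count every string of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password):
    """Worst-case seconds to try the whole space at each quoted rate.

    Exhaustive search only: word lists, reused passwords and pattern-based
    guessing are not modelled, so real cracking time can be far shorter.
    """
    space = search_space(password)
    return {name: space / rate for name, rate in RATES.items()}


if __name__ == "__main__":
    # Constructed samples: 9 lowercase/digit characters vs. 23 lowercase letters.
    for pw in ("k3v9x2m7q", "fourplainlowercasewords"):
        t = seconds_to_exhaust(pw)
        print(f"{len(pw):>2} chars, alphabet {alphabet_size(pw)}: "
              f"offline {t['offline_fast'] / 60:.2f} min, "
              f"array {t['massive_array']:.2f} s")
```

A nine-character password of lowercase letters and digits gives the 17.41 minutes and 1.04 seconds quoted above; the 23-letter lowercase string takes more than 10^18 seconds even at the array rate, which is the length effect the thread is discussing.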