Your password is not safe

Community Veteran
Posts: 5,313
Thanks: 462
Fixes: 1
Registered: 21-03-2011

Your password is not safe

http://www.finextra.com/news/fullstory.aspx?newsitemid=23029 describes the use of multi-core graphics cards to crack password files in a few seconds. This is not exactly new news in the IT security industry, but is not widely known in public. The second comment on the article does a better job of explaining the risk.
You really should have different passwords for critical accounts such as online banking and change them frequently.
Now Zen, but a +Net residue.
27 REPLIES
hmarshy
Grafter
Posts: 135
Registered: 09-08-2010

Re: Your password is not safe

There was a piece on the Gadget Show on Channel 5 on Monday night with good advice for setting passwords.
See the video "Protect Your Privacy" (http://fwd.channel5.com/gadget-show/videos), about half-way down the page, for excellent password advice.
HighLordPhanty
Grafter
Posts: 54
Registered: 30-07-2007

Re: Your password is not safe

That's only true if you have access to the hashed password, i.e. the system has already been compromised.
Community Veteran
Posts: 13,919
Thanks: 514
Fixes: 7
Registered: 01-08-2007

Re: Your password is not safe

Not really.. you can still submit a password as many times as possible to a server until you get access.. not all websites will block you after x failed logins (although many FTP servers do).
Makes you wonder why the GPU isn't used for other CPU intensive tasks.. Imagine running apache via the GPU .. it could spell the end of DDos Wink
I need a new signature... i'm bored of the old one!
David_W
Rising Star
Posts: 2,293
Thanks: 29
Registered: 19-07-2007

Re: Your password is not safe

The GPU isn't good for CPU intensive tasks, it's pretty terrible at them frankly.  What it *is* good at is number crunching, best analogy I can think of to compare it with a CPU would be that a normal CPU is a 486SX, the GPU is a math co-processor which turns the 486 into a DX.  A CPU has to be good at everything so it can't focus on pure number crunching, a GPU only has to be good at a very small range of things so it can be outstanding in that field.
HighLordPhanty
Grafter
Posts: 54
Registered: 30-07-2007

Re: Your password is not safe

Quote from: Sprite
Not really.. you can still submit a password as many times as possible to a server until you get access.. not all websites will block you after x failed logins (although many FTP servers do).

You think a GPU can make 158 million login attempts per second over the internet?
Community Veteran
Posts: 13,919
Thanks: 514
Fixes: 7
Registered: 01-08-2007

Re: Your password is not safe

No, but it could certainly generate the guesses.
I need a new signature... i'm bored of the old one!
Community Veteran
Posts: 5,313
Thanks: 462
Fixes: 1
Registered: 21-03-2011

Re: Your password is not safe

The real risk from GPU password cracking is when a hacker breaks into a web site with poor security and downloads password files. He/she can then sit back and let the GPU break into the encrypted password file. People commonly use the same password across many systems with the same user Id code. Once the password is decrypted with the user Id it can be used to attack accounts like Banking/ebay etc. The hacker can also use the decrypted information to help build up personal data e.g. Mother's Maiden Name, Post code etc.
Now Zen, but a +Net residue.
David_W
Rising Star
Posts: 2,293
Thanks: 29
Registered: 19-07-2007

Re: Your password is not safe

Not really much of a risk there either.  Passwords on websites use one way encryption, hashing, when you click submit your password is hashed and then compared with the hash stored on the server, so password would look like "5f4dcc3b5aa765d61d8327deb882cf99".  Because of this you can add salts to the password, at the beginning and end, the salt can be anything you like so your password on the system may actually look like:
@#234kghs£$^&*hgpassword*?><hioh}{~'$%^&kg
You click submit with your password "password", the website adds the salt (which is hidden) to the beginning and end of the password and then hashes it to give the result "e09a246c623120d4623c2e64815778c4" if it matches it lets you in, if it doesn't match it gives a password error.  This is why websites if you forget your password can only offer a reset option, your password is not stored.
How long would it take a desktop computer to crack that hashed password? About 133 quattuorvigintillion years (http://howsecureismypassword.net/). How long to crack a silly password like "a" which is hashed? About 41 novemdecillion years.  So don't worry, be happy etc.
Community Veteran
Posts: 13,919
Thanks: 514
Fixes: 7
Registered: 01-08-2007

Re: Your password is not safe

Yeah but that's the thing.. that's a CPU David. The GPU can do this in a far superior time - in some cases seconds.
I need a new signature... i'm bored of the old one!
David_W
Rising Star
Posts: 2,293
Thanks: 29
Registered: 19-07-2007

Re: Your password is not safe

A distributed platform (i.e. Amazon) can crunch 1 billion numbers per second, to crunch a 10 digit password of just letters (26 letters) would take it 39 hours.  An upper/lower/number password of 8 characters would take 60 hours.
The time taken to crack a password rises exponentially per character used, 6 letters (upper/lower/numeric) would take 56 seconds, a 7 letter would take 58 minutes, 8 and you're up to 60 hours, add in common symbols (@%$ etc.) and we're up to 34 days for an 8 character password (upper/lower/symbols) add in numbers and we're up to 83 days for a simple 8 character password.
Now add in a salt of 5 digits at the start and at the end and we're talking decades, possibly centuries even for a distributed network crunching 1 billion instructions per second.  That is why your password is pretty much safe, should computers start to be able to crunch a trillion instructions per second, that also isn't much of a problem with salts, you could have a salt that is 256 characters long either side of your password.
HighLordPhanty
Grafter
Posts: 54
Registered: 30-07-2007

Re: Your password is not safe

Quote from: Sprite
No, but it could certainly generate the guesses.

Which would be useless given the slowness of access over the net.
A GPU would only be useful if you had the hashed password to check against locally using a rainbow table or somesuch, but as posted above by David W, salting the hash can pretty much make this approach non-viable. I don't think the salt even has to be secret.
Community Veteran
Posts: 4,915
Thanks: 335
Fixes: 16
Registered: 10-06-2010

Re: Your password is not safe

If someone had acquired all the password hashes they would have got the salts as well. The salt can't really be secret, it's needed for checking the password.
Also, some banks ask for individual characters of the password and PIN - so they must store each character separately (each one individually salted and hashed, I hope). But I suppose asking for different characters each time provides a measure of protection against screen grabbing / key logging malware, or someone looking over your shoulder.
Actually, the time taken to crack salted hashed but silly passwords like "password" and "a" is going to be pretty much nil, because password cracking programs try things like that first! Trying all the 1 character passwords isn't going to take that long - there just aren't that many of them to try, assuming you're trying passwords in some kind of order after doing the top 100 favourite passwords.
David_W
Rising Star
Posts: 2,293
Thanks: 29
Registered: 19-07-2007

Re: Your password is not safe

The salts are not kept with the passwords, passwords are stored in a database and have no need to know the salt used.  The salt is part of the script in the web page itself (and so is not viewable as it's code).
You type in your password, the web page takes your password and then adds the salt to it, then it hashes it into an MD5 hash (for instance) and then it compares that hash with the hash in the database.  Knowing the hash would make a difference yes, a cracking programme would just start at [hash]a[hash] which reduces the required computations down to the level of character digits.  The weakness of hashing is that the salt can't change, if it changes all the passwords become invalid (the hash would change) so keeping it secure is of paramount importance so is usually kept in a folder where only the web server can access it, the owner being root or webservice or something along those lines.
Community Veteran
Posts: 4,915
Thanks: 335
Fixes: 16
Registered: 10-06-2010

Re: Your password is not safe

Well, some kinds of passwords like shadow passwords on Linux, use a different random salt each time, which of course has to be stored with the password hash.
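The arrangement described in this last reply, a fresh random salt per account kept in the same record as the hash, as an added example that is not code from the forum or any poster. The record layout "$sha256$<salt>$<hash>" is our own, modelled on the shadow file's "$id$salt$hash" convention; plain MD5 appears only to show where the "5f4dcc3b..." value quoted earlier in the thread comes from.

```python
"""Per-user random salt stored next to the hash (shadow-file style).

Added example, not the forum's or any poster's code.  The "$sha256$..."
record format is our own; os.urandom supplies the per-user salt.
"""
import hashlib
import hmac
import os


def unsalted_md5(password: str) -> str:
    """Bare MD5, as in the "5f4dcc3b..." example quoted in the thread."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, salt: bytes = None) -> str:
    """Hash with a fresh random salt and store the salt in the record.

    The salt is not secret: whoever reads the record reads the salt.  Its
    job is to make identical passwords hash differently per account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"$sha256${salt.hex()}${digest}"


def verify(password: str, record: str) -> bool:
    """Recover the salt from the record, rehash, and compare in constant time."""
    _, scheme, salt_hex, stored = record.split("$")
    if scheme != "sha256":
        raise ValueError(f"unknown scheme {scheme!r}")
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)


def shared_salt_leaks_equality(password: str) -> bool:
    """With one fixed salt for everyone (the site-wide arrangement argued
    for earlier in the thread), two users with the same password get the
    same stored hash, so one cracked hash unlocks every matching account."""
    fixed = b"\x00" * 16  # constructed fixed salt, for illustration only
    return make_record(password, fixed) == make_record(password, fixed)


if __name__ == "__main__":
    print(unsalted_md5("password"))
    r1, r2 = make_record("password"), make_record("password")
    print(r1, r2, sep="\n")
    print("same password, different records:", r1 != r2)
    print("verify ok:", verify("password", r1), "wrong:", verify("Password", r1))
```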