Password Cracking
Password cracking has matured in the past few years. New hardware and techniques has made it possible to attempt 8.2 billion password combinations per second. This is being done by leveraging the GPU (Graphics Processing Unit) of the computer, complex algorithms and a new twist on an old technique called rainbow tables. In a rainbow table the password is passed through a complex mathematical formula that expresses all possible password combinations without requiring each combination to be stored on disk. From cryptographer Kestas Kuliukas: “A rainbow table chain starts with an arbitrary plaintext, hashes it, reduces the hash to another plaintext, hashes the new plaintext, and so on. The table stores only the starting plaintext and the final hash, and so a chain "containing" millions of hashes can be represented with only a single starting plaintext, and a single finishing hash.”
The efficiency of rainbow table is remarkable. It would take 3,108 terabytes of disk space to store all the possible combinations of a 10 character password. A rainbow table consisting of 99.9% of the same password combinations only consumes 167 gigabytes.
Password cracking tools are widely available and sometimes from reputable companies.
AccessData is commonly known for digital forensics and litigation support tools. However, they also offer a product PRTK (Password Recover Toolkit) which can decrypt passwords of many common applications. Alternatively, Ophcrack is a community supported free password cracking tool is able to decrypt 99% of Windows operating system passwords. Both of these tools are targeted at law enforcement or security professionals; however there is nothing to stop the malicious use of these tools.
With the rising advancements in password cracking what is an acceptable password policy?
Most IT security professionals will recommend beginning with enforcing complex password. Complexity can vary. In the simplest form a complex password is mixed case,
The efficiency of rainbow table is remarkable. It would take 3,108 terabytes of disk space to store all the possible combinations of a 10 character password. A rainbow table consisting of 99.9% of the same password combinations only consumes 167 gigabytes.
Password cracking tools are widely available and sometimes from reputable companies.
AccessData is commonly known for digital forensics and litigation support tools. However, they also offer a product PRTK (Password Recover Toolkit) which can decrypt passwords of many common applications. Alternatively, Ophcrack is a community supported free password cracking tool is able to decrypt 99% of Windows operating system passwords. Both of these tools are targeted at law enforcement or security professionals; however there is nothing to stop the malicious use of these tools.
With the rising advancements in password cracking what is an acceptable password policy?
Most IT security professionals will recommend beginning with enforcing complex password. Complexity can vary. In the simplest form a complex password is mixed case,
References: Dinei Florencio and Cormac Herley; Microsoft Research. (2007). A Large-Scale Study of Web Password Habits. Retrieved from: https://research.microsoft.com/pubs/74164/www2007.pdf Dan Goodin. (Aug 2012). Why passwords have never been weaker – and crackers have never been stronger. Retrieved from: http://arstechnica.com/security/2012/08/passwords-underassault/4/ SANS (n.d.). Password Policy. Retrieved from: http://www.sans.org/securityresources/policies/Password_Policy.pdf Password Safe. (n.d.). Retrieved from: http://passwordsafe.sourceforge.net/ 1Password. (n.d.). Retrieved from: https://agilebits.com/onepassword