September 18th, 2004, 04:14 PM
Curious about password security?
I read about password cracking capability rates of 1200 passwords per second, 100,000 passwords per second, etc., and hence the need for strong passwords. These rates seem pretty impressive and scary enough to convence me to use stronger passwords. However, there is still a nagging question in my mind. It is not all that difficult for me to imagine software and computers with the capability of generating trial passwords at those rates. What I cannot comprehend, though, is how can any software submit passwords to some system or program for verification and determine either success or failure at those high rates? Unfortunately, my computer experience is primarily limited to scientific number crunching, and I have been using computers for 43 years now (since the IBM 709) and logging on since the first telex terminals. It always seems to me that system response to an entered password and the resulting acceptance or rejection is a comparatively slow process. If someone could clue me in on this I would appreciate it. I don't need any details (probably would not understand them anyway), but just a general idea as to how it is possible to both generate and verify passwords at those high speeds?
September 18th, 2004, 04:21 PM
The passwords are stored as an encrypted hash. What a password cracker does it uses the same encription scheme and encrypts either the words from a word list or the next in sequence in a brute force attack and compares the two hashes. If the hash matches then the password was the one that generated the hash.
The reason that the password acceptance seems slow is because the acceptance not only simply accepts your password but also that there is a bunch of "housework" that gets done too including generating and issuing session ID's etc. It's not simply "Oh, ok, this is Bill".
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
September 18th, 2004, 04:51 PM
Thanks, Tiger Shark. Your answer is quit succinct.
September 19th, 2004, 02:12 AM
Also Dr T, the password cracking rates you saw are probably for cracking passwords locally (example, in the SAM or shadow/passwd file). Cracking using a bruteforce attack form across a network would take longer.
September 20th, 2004, 08:32 AM
Take for example an attempted remote brute-force on my machine. There's a delay of 30 seconds between login attempts [with a lock-out after three tries but that's beyond the point]. Take that number and multiply it with say 2,000,000,000 attempts to connect... unlikely for anybody to get in anytime soon.
I did try brute-forcing my password locally, and after 24 hours neither root nor user were broken... I don't consider having very long passwords but they are more than just alpha-numeric, so John was still quite a way from breakin'em.
As for the 'housework' [data across the network, encrypting pass, checking hash to passwd file] that definitely plays a part in how long it will take to brute-force the account. Unless the NSA is after you for high-level treason, a good password will keep 'h4X0rZ' out for longer than out Sun has to burn.