encryption/cracking - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 14 of 14

Thread: encryption/cracking

  1. #11
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Hi, Happy New Year all,

    I think that karmine is asking more about possibility/probability that "how to". In other words a vulnerability assessment?

    What we don't know is what degree of threat he is contemplating? A 24 character strong password should be enough to stop any skiddies or less than seriously determined assailants?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  2. #12
    Banned
    Join Date
    Jul 2004
    Posts
    119
    nihil is somewhat right in his assumption to what im asking. i realize now that 8char/int passwords are somewhat simple, i havent worried about security and such (password-wise) since like 1995 (lol?). but i know that people are capable of cracking up to 24 especially with the computers we have now, and BROADBAND which is available everywhere now. back then we had 56k and if you were lucky you had ISDN at home etc etc, or if you were in college a T1 i presume. my linux crashed along with my power supply and im trying to figure out why the drive wont work right, i think i have a power supply problem with the new one i got even though its a tiny bit better. things are just driving me crazy. and its not even script kiddies im worried about, its people who actually know something and develope the tools for the skiddies. not all of them are good and release them just for malicious reasons. i know, i use to be one years ago. but there has to be an easier way to make a good password without memorizing 24 length passwords (and ive read that shadowed passwords are not even secure). thats why im asking crypto nerds if there is an easy way to have a shorter password and have it secure for the general population (not feds) and keep it uncrackable. most remember the old wwwboard exploit....where you can get all accounts and just dictionary crack it with JOHN and crack an account easy. thats what i want to avoid.

  3. #13
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    if there is an easy way to have a shorter password and have it secure for the general population
    Unfortunately not. At the end of the day password length is an important factor in its strength. Just look at the available cracking tools and see how long a password they will accept.

    and keep it uncrackable
    It is wise to assume that all passwords can be cracked given sufficient time and resource. This is where you need to do a bit of risk modelling. For example, if it will take three weeks to crack my password and I change it every two weeks, then I am "safe".

    where you can get all accounts and just dictionary crack it with JOHN and crack an account easy. thats what i want to avoid.
    You should not fall for a dictionary attack.................don't use dictionary words

    Right now, I would consider the biggest threat to be brute force using rainbow tables (forget quantum stuff for the moment, it is beyond skiddies). The longer the password the bigger the tables and the more players you force out of the game.

    If I were very seriously concerned, and couldn't trust myself to remember a password of suitable length and complexity, I would go down the hardware store and buy a bunch of dog tags. I would then take my Dremel with a diamond engraving bit and engrave the pass on the tag and wear it round my neck.................I would simply replace the tag each time I changed the password.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #14
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    If you're operating a website, the last thing you want to have happen is for a hacker to somehow manage stealing your database of passwords, etc. As long as a would-be-cracker doesn't have a *local* copy of the encrypted password to work with, and as long as your server remains in full control of the passwords, they will have to resort to social-engineering or otherwise capturing your password as it travels across the network.


    Brute-forcing over a network (ie sending passwords to your server and being denied) will always be slow and controllable. A long time ago (and something I no longer have) I wrote a program (more of a hobbled-together script) that was supposed to brute-force passwords to my wireless router's admin interface. It used NetCat and sent password attempts through GET requests of the HTTP protocol and had a 'dumb' analysis to check the length of the page returned. I knew the length of a page that was a failed password attempt (and knew the lenght was different for success), and wrote off passwords that returned pages that said 'wrong password'. It worked at a painfully-slow 3-5 passwords-per-second, and would not have found the 6+ character long password in any reasonable time. The router keeping in control of authentication made the difference by slowing attempts down a lot.


    If a cracker could rip through a local copy at 50,000+ combinations per-second or more, you're SOL. But at 5 combinations per-second, and in a networked environment that is traceable, they have to be more creative. Here you have to ensure hacks like XSS don't work on you, that your server has no vulnerabilities that leave you defenseless, and you don't have someone with ill-intentions working under your radar. And you need to look at the logs, and understand them.


    Encryption buys time if security fails. But you really should worry about security first, unless the encryption side of the equation is like swiss-cheese (full of holes). I'd say what was found about MD5/hashes by Wang, etc., is more influential to larger files where collisions actually happen regularly. For passwords, rainbow tables and the like are more worrisome. Pick a password length out of reach of rainbow tables, and you should be at least better off if your database is stolen.


    In short, ensure you don't lose your databases. As long as your server is in control, you're alright. Oh, and it does no good to have your hosting company backup your server and lose the tapes to the bad guys either. How much is that one password worth? Diversify. Cheers.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides