One of my colleagues today referred me to this excellent posting about password recovery speeds. Reading through the posting, it became very clear to me just how achievable it is for crackers to brute-force pass-words/pass-phrases given only the crypted text, which is how the majority of password storage mechanisms employed today keep them. Even easier would be the PIN numbers for ATM and SIM cards, given the limited set of digits from which to select. My conclusion is that it borders on impossible to craft a pass-word/pass-phrase that a cracker holding its encrypted representation would not be able to recreate in a fairly short period of time.

When reviewing the referenced article, consider crackers who are in control of a botnet. You can very quickly see that the class-E and class-F configurations are nearly trivial to achieve. Not discussed in the referenced article is the potential use of the GPUs in most modern computers today, which have a much higher number-crunching capacity than general-purpose CPUs; crackers could leverage them, through only marginally more difficult code, to reach class-F scale or higher with even moderately sized botnets.

In the end, even if you are using very long pass-phrases that leverage the full 96 characters, and changing them fairly frequently, your accounts and/or data are at risk. Adding other factors to your security mechanisms, such as biometrics, will improve your safety factor. For most people, my recommendation would be to use pass-phrases at least 15 characters in length, avoiding dictionary words, and changing them every two to four weeks without reusing one that has been previously used. Relying on a password manager, such as those built in to many web browsers, should be avoided. Yes, I know that is painful. The industry is going to have to devise alternatives if broad use will ever be achieved. Until then, assume that your pass-words/pass-phrases primarily just make it slightly more difficult for others to access your accounts/data than if you had no protection at all.
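The keyspace arithmetic behind the argument above (PINs, the full 96 printable characters, 15-character pass-phrases, and botnet scaling), as an added example that is not code from the original post; the guess rates and botnet size used are assumptions chosen for illustration, not figures from the referenced article.

```python
# Keyspace arithmetic behind the post's argument: how many guesses a
# brute-force search needs, and how long that takes at a given guess rate.
# Added example, not code from the original post; the guess rates and the
# botnet size below are assumptions chosen for illustration.

SECONDS_PER_YEAR = 365.25 * 86_400
PRINTABLE = 96          # the "full 96 characters" mentioned in the post
DIGITS = 10             # PIN alphabet

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return alphabet_size ** length

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried once (the average case is half this)."""
    return space / guesses_per_second

def min_length(alphabet_size: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose full keyspace takes at least `years` to exhaust."""
    target = years * SECONDS_PER_YEAR * guesses_per_second
    length, space = 1, alphabet_size
    while space < target:
        length += 1
        space *= alphabet_size
    return length

def botnet_rate(per_host: float, hosts: int) -> float:
    """Aggregate guess rate when the search is split across `hosts` machines."""
    return per_host * hosts

if __name__ == "__main__":
    # Assumed rates (illustrative, not measured): one CPU core versus a
    # one-million-host botnet running the same cracker.
    single = 10**6
    botnet = botnet_rate(single, 1_000_000)
    for label, size, n in [("4-digit PIN", DIGITS, 4),
                           ("8-char printable", PRINTABLE, 8),
                           ("15-char printable", PRINTABLE, 15)]:
        space = keyspace(size, n)
        print(f"{label:18} {space:>30,d} candidates  "
              f"{seconds_to_exhaust(space, single) / SECONDS_PER_YEAR:>10.3g} y (1 host)  "
              f"{seconds_to_exhaust(space, botnet) / SECONDS_PER_YEAR:>10.3g} y (botnet)")
    print("printable length needed to outlast 100 years against the botnet:",
          min_length(PRINTABLE, botnet, 100))
```

The 15-character figure holds only for pass-phrases drawn uniformly from the alphabet; dictionary words and reused phrases collapse the effective keyspace far below these numbers.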

[ Aug 1, 2009 ] At the Blackhat conference last week a related presentation was given, which shows how much closer brute-force cracking is getting to commodity levels.

