Search found 5 matches

by sjfcontrol
Fri Jul 26, 2013 2:59 pm
Forum: Off-Topic
Topic: REPUBLICAN controlled House kills bill to limit NSA snooping
Replies: 22
Views: 2784

Re: REPUBLICAN controlled House kills bill to limit NSA snoo

mewalke wrote: Regarding passwords and susceptibility to brute force. I don't know where the article got its info, but I'm having a hard time getting the 6 minute figure for a randomly generated 14 character password - even at the 300+ billion guesses per second.

A good article on password entropy (for random passwords) is here:

http://blog.shay.co/password-entropy/

Following that logic, the 20+ character passwords I use would still take the NSA a long time to crack, even at 300 billion guesses per second.

I get all my password security advice from Ellen DeGeneres...

by sjfcontrol
Fri Jul 26, 2013 2:08 pm
Forum: Off-Topic
Topic: REPUBLICAN controlled House kills bill to limit NSA snooping
Replies: 22
Views: 2784

Re: REPUBLICAN controlled House kills bill to limit NSA snoo

Dave2 wrote:
sjfcontrol wrote: All this just goes to prove that passwords are an outdated (and out-technologied) concept. For true security we should all be using public/private certificates to prove our identities. Let's see them crack that in 6 minutes
IIRC, those are only secure because the numbers involved are so big that it takes so long to factor them that it's not practical to try. As soon as computers speed way up or somebody figures out a better algorithm, they'll be easy to crack. I think.
sjfcontrol wrote:By the way, is the NSA brute-forcing passwords in their "high-performance video boards"?
I'm not aware of any evidence one way or the other, but what's to stop them?
I was commenting on the quote that said computers with high-performance video cards were especially good at cracking passwords. The video cards have nothing to do with how many passwords can be tested per second -- unless they are displaying each result on the screen. :smilelol5:

By the way 6 minutes may not seem like long if they want YOUR password, but consider that at that rate it would take almost 3500 years to crack just one password for each person in the U.S. And that is the kind of thing the NSA seems to want to do.
by sjfcontrol
Fri Jul 26, 2013 1:36 pm
Forum: Off-Topic
Topic: REPUBLICAN controlled House kills bill to limit NSA snooping
Replies: 22
Views: 2784

Re: REPUBLICAN controlled House kills bill to limit NSA snoo

xb12s wrote:
sjfcontrol wrote: If the internet company knows what it's doing, they will be unable to comply with this request, as they don't know the passwords. All that is stored is a "hash" of the password. When the user logs in, he enters the password, which is passed thru the hash algorithm, and compared with the stored hash value. If it matches, the user is logged on. So the only thing the company stores is the hash, and there is no way (well, outside of the NSA, anyway) to recreate the password from only the hash.
From the article it looks like the NSA is looking for the "salt", the algorithm, and the hash and they can come up with the password in a matter of minutes.
But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.
OK, I did say "outside the NSA" ;-)

By the way, if they have the power to brute-force passwords, they don't need the "salt". Salt is used to prevent password 'collisions'. Presume we both are married to women named "Mary", and use our wives' name as a password. If I have access to the file of hashed passwords, I can search for accounts that have the same hash as my account. I'll find your hash matches, and I'll know your password. With salt, everybody gets a random sequence "sprinkled" into the algorithm and my hash will then differ from yours even though our passwords are the same.

All this just goes to prove that passwords are an outdated (and out-technologied) concept. For true security we should all be using public/private certificates to prove our identities. Let's see them crack that in 6 minutes (unless, of course, the NSA has had the developing companies insert back-doors).

By the way, is the NSA brute-forcing passwords in their "high-performance video boards"?
by sjfcontrol
Fri Jul 26, 2013 11:22 am
Forum: Off-Topic
Topic: REPUBLICAN controlled House kills bill to limit NSA snooping
Replies: 22
Views: 2784

Re: REPUBLICAN controlled House kills bill to limit NSA snoo

xb12s wrote: I'll throw this on the fire:

Feds want passwords and password algorithms for user accounts from major internet companies:

http://news.cnet.com/8301-13578_3-57595 ... passwords/

:mad5
If the internet company knows what it's doing, they will be unable to comply with this request, as they don't know the passwords. All that is stored is a "hash" of the password. When the user logs in, he enters the password, which is passed thru the hash algorithm, and compared with the stored hash value. If it matches, the user is logged on. So the only thing the company stores is the hash, and there is no way (well, outside of the NSA, anyway) to recreate the password from only the hash.
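
The store-a-hash login check described in this post, together with the "Mary" salt scenario from the 1:36 pm post, as an added example that is not part of the original thread. The account names, the choice of PBKDF2-SHA256 and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users who picked the same password.
USERS = {"alice": "Mary", "bob": "Mary"}

def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: equal passwords give equal stored values."""
    return hashlib.md5(password.encode()).hexdigest()

def enroll(password: str, iterations: int = 200_000) -> dict:
    """Build the stored record: random per-user salt plus a slow PBKDF2 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify(record: dict, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, record["hash"])

def shared_hash_groups(table: dict) -> list:
    """Return groups of accounts whose stored hash values are identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def build_tables():
    """Hash the sample accounts both ways so the two stores can be compared."""
    unsalted = {u: unsalted_md5(p) for u, p in USERS.items()}
    records = {u: enroll(p) for u, p in USERS.items()}
    salted = {u: r["hash"] for u, r in records.items()}
    return unsalted, salted, records

if __name__ == "__main__":
    unsalted, salted, records = build_tables()
    print("unsalted duplicates:", shared_hash_groups(unsalted))
    print("salted duplicates:  ", shared_hash_groups(salted))
    print("correct password accepted:", verify(records["alice"], "Mary"))
    print("wrong password accepted:  ", verify(records["alice"], "Martha"))
```

The salt is stored in the clear next to the hash; its job is to make each record unique, while the iteration count is what slows each guess down.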
