Product designed to retrieve forgotten passwords: 100,000 guesses/second
Is encryption safe?
One of the best ways of keeping your data safe in case a laptop computer gets stolen is via the use of disk encryption software like AlertBoot. However, there are ways of getting around it, the easiest being cracking the password.
The easiest way of obtaining a password, but also, perhaps, the most illegal way, is to physically threaten someone. Another easy way is to happen upon said password (think: Post-It note). These are not what we refer to when talking about "cracking passwords."
Cracking passwords requires the element of guessing what the actual password might be: trying past passwords a person has used; trying personal information, such as birthdates and names; or just plain guessing. This process is fraught with long times at the keyboard.
That is, unless you can get a computer to do it for you, with a program that tries every possible password. Trying all combinations systematically (usually alphabetically), from A to Z, is often called cracking by brute force.
Well, cracking those passwords has gotten easier, if not a bit more expensive. ElcomSoft has come up with their latest "password retrieval" device that can try 103,000 passwords per second. It looks like this rate is actually for cracking WPA (basically, wireless router) passwords, but imagine for a second that this could be applied to everything.
There are two ways of accessing encrypted data: know the encryption key or know the password. Of the two, the key is almost always the longer, complex one; thus, it makes sense to hack passwords which are shorter and--theoretically--easier and faster to guess.
How easy? Well, let's take into consideration an eight-character password drawn from letters and numbers (it need not contain both: 12345678 would be a valid, but poor, password under these conditions). This means each position in that 8-character password has 36 possible values (26, A through Z; 10, zero through nine). That gives 36^8 attempts, which equals 2.8 trillion combinations.
At a rate of 103,000 passwords per second, it would take 10.5 months to go through all possible 2.8 trillion combinations. Normally, experts assume the password will be guessed before 50% of the candidates are tried, so one could expect a breakthrough in 5 months on average ("on average" meaning across many such attempts on many machines; the result for any individual machine will obviously vary).
It should be noted that the above is for the case where one knows the password is eight characters long: if one doesn't know how long the password is, a person would have to start with one-, then two-, then three-character passwords, and so on. Under such circumstances, it would take about 10.8 months to go through all possible tries.
Interestingly enough, a 9-character password, just by itself, under the same conditions, would take 31 years to go through all tries (36^9). A 10-character password would take 1,125 years (36^10). How come? Exponential growth.
The above explains why IT personnel ask that passwords be reset every 3 months or so if an 8-character password is used. It follows that, for shorter passwords, the reset has to be even more frequent.
It would depend on what one's talking about, but when it comes to laptop encryption, there are ways to counter password cracking attempts. The first would be to use a sufficiently long password, one that's at least 9 characters long.
But even if one were using a 6-character password (36^6, crackable in 6 hours), the use of rate limiting (in the case of AlertBoot endpoint security, exponential rate limiters) would foil such brute-forcing attempts.
What is rate limiting? The introduction of a time-out period between password tries: even if a device can attempt 103,000 passwords per second, all that raw power is useless if the laptop only allows you to try one password per second: the 2.8 trillion tries would require 2.8 trillion seconds (89,000 years).
Exponential rate limiting is where the time-out period grows exponentially, from one second to two seconds, from two seconds to four seconds, from 4 to 8, and so on. By the tenth try or so, the cracking attempts crawl down to minutes per guess.
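Rate limiting from the defender's side, as an added example in Python (this is not AlertBoot's code; the post describes only the doubling schedule, not how their limiter is built). It computes how long the 2.8 trillion guesses take when the device itself accepts one try per second, how the doubling time-out grows, how many guesses an attacker can get in at all within a year under it, and a small stateful limiter that enforces the schedule on a password prompt. The doubling-from-one-second schedule is the post's; the optional cap on the delay, the reset of the counter on a correct password, and the one-year budget are my assumptions.

```python
# Added example: rate limiting as a counter to fast offline guessing rates.
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # assumption: Julian year
EIGHT_CHAR_ALNUM = 36 ** 8              # 2.8 trillion candidates, from the post


def fixed_limit_seconds(candidates, attempts_per_second=1.0):
    """Wall-clock time to try every candidate when the device only accepts
    `attempts_per_second` tries, whatever the attacker's own hardware does."""
    return candidates / attempts_per_second


def exponential_delay(failed_attempts, base=1.0, cap=None):
    """Time-out before the next try after `failed_attempts` consecutive
    failures: 0 s before the first try, then 1 s, 2 s, 4 s, 8 s, ...
    `cap` (assumed, not from the post) bounds the delay if set."""
    if failed_attempts <= 0:
        return 0.0
    delay = base * 2 ** (failed_attempts - 1)
    return min(delay, cap) if cap is not None else delay


def time_for_attempts(n, base=1.0, cap=None):
    """Total time an attacker waits to make `n` guesses under the schedule."""
    return sum(exponential_delay(k, base, cap) for k in range(n))


def attempts_within(budget_seconds, base=1.0, cap=None):
    """How many guesses fit into a time budget under the schedule."""
    n, elapsed = 0, 0.0
    while True:
        delay = exponential_delay(n, base, cap)
        if elapsed + delay > budget_seconds:
            return n
        elapsed += delay
        n += 1


class PasswordRateLimiter:
    """Stateful limiter for a password prompt: refuses to even evaluate a
    guess while the time-out from the previous failure is still running."""

    def __init__(self, base=1.0, cap=None):
        self.base, self.cap = base, cap
        self.failures = 0
        self.next_allowed = 0.0

    def check(self, now, correct):
        """`now` is a monotonic timestamp in seconds; `correct` is whether the
        submitted password matched. Returns 'locked', 'denied' or 'ok'."""
        if now < self.next_allowed:
            return "locked"          # guess not evaluated at all
        if correct:
            self.failures = 0        # assumption: success clears the penalty
            self.next_allowed = now
            return "ok"
        self.failures += 1
        self.next_allowed = now + exponential_delay(self.failures, self.base, self.cap)
        return "denied"


if __name__ == "__main__":
    years = fixed_limit_seconds(EIGHT_CHAR_ALNUM) / SECONDS_PER_YEAR
    print(f"one try per second, 36^8 candidates: {years:,.0f} years")
    print(f"time-out before the 10th try: {exponential_delay(9):.0f} s")
    print(f"guesses possible in one year: {attempts_within(SECONDS_PER_YEAR)}")
```

The numbers match the post's argument: a plain one-per-second limit already turns 2.8 trillion guesses into roughly 89,000 years, and the doubling schedule is far harsher, since the wait before the tenth try is already 256 seconds and a whole year of uninterrupted trying yields only 25 guesses. The limiter's "locked" result is the important design point: while the time-out runs, the submitted password is not compared at all, so the attacker's offline guessing rate never comes into play.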
For the time being, encryption software still provides the data security many people and business require.
Related Articles and Sites: http://www.net-security.org/secworld.php?id=9021