AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


Data Encryption Software: 12-Character Passwords Now The Standard For Security

Scientists at Georgia Tech are recommending that passwords be no shorter than 12 characters. I can think of at least one exception to this recommendation when it comes to laptop encryption software; however, it would behoove most people to follow it.

Bruteforcing and GPUs

One of the most effective, yet inefficient, ways of cracking passwords is bruteforcing: trying every possible password, including meaningless strings. In theory (and in practice), if you try enough passwords, you have to hit gold at some point.

However, as noted, it's inefficient: if there are 6 billion possible passwords and you can try only one per second, exhausting them takes at most 6 billion seconds (about 190 years). Computer automation can lower this number (for example, but not only, by working from both ends of the password list at once), as can taking advantage of practical realities, such as the fact that people generally use an actual word as their password.

Restricting guesses to dictionary words shrinks the candidate list from the 6 billion above to roughly 250,000 words, which takes about 3 days to exhaust at one guess per second. (Incidentally, this is known as a dictionary attack, a subset of a bruteforce attack.)

Modern graphics cards sold in ordinary retail shops can attempt far more than one password per second. The Georgia Tech team that recommends 12-character passwords based its calculations on 1 trillion password guesses per second.

At that rate, my 6 billion-entry list would be exhausted in less than a second.

Strength in Numbers

So, why 12-character passwords? It's a matter of exponential growth. The English alphabet contains twenty-six letters. If a password is one letter long, there are 26 possible passwords. At two letters, the total is 676 (26 x 26). At three letters, it's 17,576.

At 12 characters, the total number of possible passwords is 9.5 x 10^16 (95 quadrillion, or written out, 95,000,000,000,000,000).

If the password distinguishes between upper- and lowercase letters, that 95 quadrillion figure doesn't merely double to 190 quadrillion; it grows exponentially, to 30 quintillion! Tack on the digits zero through nine, special characters, and international characters, and a 12-character password quickly becomes impossible to crack in a lifetime.

CNN summarized the Georgia Tech team's findings as follows:

The researchers used clusters of graphics cards to crack eight-character passwords in less than two hours.

But when the researchers applied that same processing power to 12-character passwords, they found it would take 17,134 years to make them snap.
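To make the arithmetic above concrete, here is an added example (my own code, not part of the original post or of AlertBoot's software) that computes keyspace sizes and worst-case exhaustive-search times for the figures discussed: the 6 billion list, the 250,000-word dictionary, and 12-character passwords at 1 trillion guesses per second. The 95-symbol alphabet (printable ASCII) and the 365-day year are my assumptions; with them the script reproduces a figure very close to the "17,134 years" CNN quotes for 12 characters and the "under two hours" for 8.

```python
# Added example (not from the AlertBoot post): keyspace sizes and exhaustive-search
# times for the figures discussed above. The 95-symbol alphabet (printable ASCII)
# and the 365-day year are assumptions used for the conversions.

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: 365-day year


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return candidates / guesses_per_second


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Same as seconds_to_exhaust, expressed in (365-day) years."""
    return seconds_to_exhaust(candidates, guesses_per_second) / SECONDS_PER_YEAR


def describe(label: str, candidates: int, guesses_per_second: float) -> str:
    """One human-readable line: keyspace and worst-case time at the given rate."""
    secs = seconds_to_exhaust(candidates, guesses_per_second)
    if secs < 60:
        human = f"{secs:.3f} seconds"
    elif secs < 86_400:
        human = f"{secs / 3600:.2f} hours"
    elif secs < SECONDS_PER_YEAR:
        human = f"{secs / 86_400:.1f} days"
    else:
        human = f"{secs / SECONDS_PER_YEAR:,.0f} years"
    return f"{label:<36} {candidates:>32,d} candidates -> {human}"


if __name__ == "__main__":
    ONE_PER_SECOND = 1.0
    GPU_CLUSTER = 1e12  # the 1 trillion guesses/second figure quoted in the post

    print(describe("6 billion list, 1 guess/s", 6_000_000_000, ONE_PER_SECOND))
    print(describe("250,000-word dictionary, 1 guess/s", 250_000, ONE_PER_SECOND))
    print(describe("6 billion list, 1e12 guesses/s", 6_000_000_000, GPU_CLUSTER))
    print(describe("26 letters, 12 chars, 1e12/s", keyspace(26, 12), GPU_CLUSTER))
    print(describe("52 letters, 12 chars, 1e12/s", keyspace(52, 12), GPU_CLUSTER))
    # assumption: 95 printable ASCII symbols; this alphabet reproduces CNN's
    # "under two hours" for 8 characters and its ~17,000-year figure for 12
    print(describe("95 printable, 8 chars, 1e12/s", keyspace(95, 8), GPU_CLUSTER))
    print(describe("95 printable, 12 chars, 1e12/s", keyspace(95, 12), GPU_CLUSTER))
```

The point the table makes is the one the post makes: adding one character multiplies the work by the alphabet size, so length and alphabet size together, not either alone, decide whether a GPU cluster finishes in hours or in millennia.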

Rate Limiting in Encryption

As I said at the beginning, I can think of one situation where a password doesn't need to be 12 characters long. When, you might ask?

When your computer's encryption software uses rate limiting, as AlertBoot does: each incorrect guess introduces a delay before the password can be entered again. During the first three tries, things work as they normally do. By the fourth incorrect try, however, you might specify that the password prompt not appear for 10 seconds.

After those 10 seconds are up, another erroneous guess doubles the waiting period to 20 seconds. Then 40 seconds, 1.5 minutes, 3 minutes, 6 minutes, 12 minutes, and so on. Soon enough, you're waiting an hour just to enter a password.

The ability to process 1 trillion passwords a second is of no use if you only get to enter one password every hour. At that rate, you'll still be entering passwords as the universe is collapsing.
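The following is an added simulation of the schedule just described (my own illustration, not AlertBoot's code or its actual implementation): three tries answered immediately, then a 10-second wait that doubles on every further failure. It shows how many guesses such a gate lets through in an hour or a day, which is the number that matters against an attacker sitting at the prompt, regardless of how fast their hardware is. Resetting the failure counter on a correct password, and the sample password values, are my assumptions.

```python
# Added example (not AlertBoot's code): a simulation of the exponential-backoff
# lockout described above, to show what it does to an attacker's guess rate.
# The schedule (three tries answered immediately, then a 10-second wait that
# doubles on every further failure) follows the post; resetting the counter on a
# correct password, and the sample password values, are assumptions.
import hmac


class BackoffGate:
    """Tracks consecutive failures and reports the wait imposed before the next try."""

    def __init__(self, free_tries: int = 3, base_delay: float = 10.0):
        self.free_tries = free_tries
        self.base_delay = base_delay
        self.failures = 0

    def wait_before_next_try(self) -> float:
        """Seconds the prompt is withheld given the current failure count.

        Failures 1 .. free_tries-1 cost nothing; the free_tries-th failure imposes
        base_delay (so the fourth try waits 10 s), and each further failure doubles it.
        """
        over = self.failures - self.free_tries
        if over < 0:
            return 0.0
        return self.base_delay * (2 ** over)

    def attempt(self, guess: str, correct: str) -> tuple:
        """Check one guess; return (accepted, wait imposed before the next try)."""
        # Constant-time comparison so response timing does not leak how much matched.
        if hmac.compare_digest(guess.encode(), correct.encode()):
            self.failures = 0  # assumption: a correct password clears the counter
            return True, 0.0
        self.failures += 1
        return False, self.wait_before_next_try()


CORRECT = "correct horse battery"  # constructed sample password, not a real credential


def time_to_submit(n_guesses: int, free_tries: int = 3, base_delay: float = 10.0) -> float:
    """Seconds of enforced waiting before an attacker has submitted n wrong guesses."""
    gate = BackoffGate(free_tries, base_delay)
    waited = 0.0
    for i in range(1, n_guesses):  # the wait after guess i precedes guess i+1
        _, wait = gate.attempt(f"wrong-guess-{i}", CORRECT)
        waited += wait
    return waited


def guesses_within(window_seconds: float, free_tries: int = 3, base_delay: float = 10.0) -> int:
    """How many wrong guesses fit inside a time window (e.g. one day) under the schedule."""
    gate = BackoffGate(free_tries, base_delay)
    elapsed = 0.0
    count = 0
    while elapsed <= window_seconds:
        count += 1
        _, wait = gate.attempt(f"wrong-guess-{count}", CORRECT)
        elapsed += wait
    return count


if __name__ == "__main__":
    gate = BackoffGate()
    for i in range(1, 13):
        _, wait = gate.attempt(f"wrong-guess-{i}", CORRECT)
        print(f"failure {i:2d}: prompt withheld for {wait:8.0f} s ({wait / 60:6.1f} min)")
    print(f"wrong guesses possible in one hour: {guesses_within(3_600)}")
    print(f"wrong guesses possible in one day:  {guesses_within(86_400)}")
    print(f"enforced waiting to submit 12 guesses: {time_to_submit(12) / 60:.0f} min")
    accepted, _ = gate.attempt(CORRECT, CORRECT)
    print(f"correct password accepted once the wait has passed: {accepted}")
```

Under this schedule the twelfth failure already imposes a wait of more than an hour, and only 16 guesses fit in a whole day; the 1-trillion-per-second cracking rate from the previous section never comes into play because the gate, not the attacker's hardware, sets the pace. The usual caveat for a real product is that the delay must be enforced by the component holding the key (the pre-boot environment or a hardware-backed counter), not merely by the prompt, otherwise an attacker who extracts the encrypted key material can guess offline at full speed.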

Many online e-mail accounts already use something similar: you get only so many login attempts before you're locked out of your account until you can prove that you are not a hacker trying to bruteforce your way in.


Related Articles and Sites:
http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
http://edition.cnn.com/2010/TECH/innovation/08/20/super.passwords/index.html

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.