

  (Source: Elcomsoft)
Make sure your WPA/WPA2 passwords are good ones

GPU-powered general-purpose computing is causing all sorts of security nightmares these days, and wireless access points secured with WPA seem to be the latest victim. Elcomsoft, of “Advanced eBook Processor” fame, released a proprietary WPA/WPA2-PSK cracker that uses GPUs to brute force passwords in record time.

Elcomsoft claims its software can try almost 16,000 passwords per second (p/sec) with a single Radeon HD 4870, using an “advanced dictionary attack” that mutates entries from a master wordlist. Advanced hardware, such as the NVIDIA Tesla S1070 GP-GPU, raises the password rate to more than 52,000 p/sec – compared to an Intel Core 2 Quad Q6600 CPU, which clocks at 1,100 p/sec.

Elcomsoft says the program, known as the “Elcomsoft Wireless Security Auditor”, was designed for network administrators and IT personnel seeking to audit internal security, as well as external penetration testers and other “white hat” hackers.

While brute-force and dictionary attacks are nothing new, Wireless Security Auditor appears to be one of the most efficient solutions available. To work, it requires a tcpdump-formatted communications dump with at least one handshake packet. Elcomsoft says all processing is done off-line, and is completely transparent to the targeted network.

HotHardware notes that the way Elcomsoft phrases its “proprietary” dictionary engine most likely means that it doesn’t use third-party programming interfaces such as OpenCL, CUDA, or Stream.

Despite the massive improvements in scalability and processing power that GPUs offer compared to regular CPUs, a full-scale brute-force attack against all but the weakest of WPA passwords is still infeasible: brute-forcing a 10-digit password, assuming the entire ASCII character set and the same password rate, would still take a Radeon HD 4870 over 2 trillion years. Even with optimizations – such as narrowing the possibilities down to 0-9 and the upper/lower cases of the English alphabet – the number of GPUs required to crack it within a year lies in excess of 1.6 million.
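The arithmetic behind these figures, as an added example (not from the article or from Elcomsoft): it computes worst-case exhaustive-search time from the password rates quoted above and finds the shortest random passphrase that outlasts a given fleet of devices. Assumptions: a 256-symbol alphabet for "the entire ASCII character set" (inferred, because it reproduces the 2-trillion-year figure), a 365.25-day year, the 8 to 63 character WPA passphrase limits, and a constructed fleet of 1,000 Tesla units for the policy check.

```python
import math

# Password rates quoted in the article, in passwords per second per device.
RATES = {"Core 2 Quad Q6600": 1_100, "Radeon HD 4870": 16_000, "Tesla S1070": 52_000}
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # assumption: 365.25-day year
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63        # WPA/WPA2-PSK passphrase length limits


def years_to_exhaust(alphabet, length, rate, devices=1):
    """Worst-case years to try every `length`-character candidate."""
    return alphabet ** length / (rate * devices) / SECONDS_PER_YEAR


def devices_for_deadline(alphabet, length, rate, years=1.0):
    """Devices needed to exhaust the keyspace within `years`."""
    return math.ceil(years_to_exhaust(alphabet, length, rate) / years)


def min_length(alphabet, rate, devices, target_years):
    """Shortest valid WPA passphrase length that outlasts `target_years`
    of exhaustive search, or None if even 63 characters is not enough."""
    for length in range(WPA_MIN_LEN, WPA_MAX_LEN + 1):
        if years_to_exhaust(alphabet, length, rate, devices) >= target_years:
            return length
    return None


if __name__ == "__main__":
    hd4870 = RATES["Radeon HD 4870"]
    # Article's first case: 10 characters, 256 symbols (assumed), one GPU.
    print(f"256^10 on one HD 4870: {years_to_exhaust(256, 10, hd4870):.3g} years")
    # Article's second case: 0-9, a-z, A-Z (62 symbols), finished within a year.
    print(f"GPUs for 62^10 in a year: {devices_for_deadline(62, 10, hd4870):,}")
    # Policy check (constructed scenario): 1,000 Tesla S1070 units, 1,000 years.
    tesla = RATES["Tesla S1070"]
    for name, alphabet in [("lowercase", 26), ("alphanumeric", 62),
                           ("printable ASCII", 95)]:
        print(f"{name:>16}: min length {min_length(alphabet, tesla, 1000, 1000)}")
```

These are bounds for randomly generated passphrases only; a passphrase that appears in a wordlist, or is a simple mutation of an entry, falls to the dictionary mode described above regardless of its length.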

Elcomsoft lists Wireless Security Auditor for $1,199; however, the software is currently priced at $599.99 until March 1, 2009.

Late last year, security researchers announced that they were able to break weak SSL certificates using the computing power of 200 PlayStation 3s over a handful of weekends. The attack only applied to SSL certificates signed with an MD5 hash, as opposed to the more-secure SHA1 or SHA2 algorithms, but its effects are devastating: once cracked, the attacker can impersonate the certificate signing authority and generate fully trusted SSL certificates for any domain, for any browser that trusts certificates signed with MD5.



Comments

RE: Strong passwords...
By DonkeyRhubarb on 1/16/2009 8:05:10 AM , Rating: 5
Good way to get a fairly hack proof password, only problem I can see is that you could never remember one of these.

Would that not mean that you would have to store it somewhere, with this itself being the weakest link in your security?


RE: Strong passwords...
By Tsuwamono on 1/16/09, Rating: 0

RE: Strong passwords...
By ebakke on 1/16/2009 9:23:36 AM , Rating: 5
quote:
Good luck with that when i have a dog in the house.

Where did you get your bulletproof dog? I'd like one myself.


RE: Strong passwords...
By George Powell on 1/16/2009 9:39:58 AM , Rating: 2
Don't need to harm the dog, just bring 3 tins of dog food.

As an aside, those strong passwords are great for securing WPA networks, however for general purpose security they are not particularly practical.


RE: Strong passwords...
By on 1/16/09, Rating: -1

RE: Strong passwords...
By dflynchimp on 1/16/2009 9:29:06 PM , Rating: 1
a new account?! oh you have to be kidding me...


RE: Strong passwords...
By Chocobollz on 1/16/2009 9:33:53 PM , Rating: 2
Yeah and next time he will make some id like 'PLAYSTATION THREE 6 0' and he will start screaming, hahahaha!


RE: Strong passwords...
By Dark Legion on 1/17/2009 12:39:31 AM , Rating: 2
Yeah, this time it's -1 ratings all the way! No more -.96 for him.


RE: Strong passwords...
By Chocobollz on 1/16/09, Rating: -1

RE: Strong passwords...
By jlips6 on 1/18/2009 5:49:50 PM , Rating: 1
all fighting is conceptualized. Anything stating: "then, I'll ..." is completely worthless.


RE: Strong passwords...
By FITCamaro on 1/16/2009 10:05:19 AM , Rating: 5
Actually I think the katanas on the wall would make it more likely they'll rob you. Typically geeks are into those things.


RE: Strong passwords...
By Murloc on 1/16/2009 3:21:49 PM , Rating: 2
true.


RE: Strong passwords...
By ZmaxDP on 1/16/2009 12:01:35 PM , Rating: 5
Are you suggesting that you've trained your dog to use Katanas? I must admit, if I broke into your house and a 100+ pound dog came charging after me on his hind legs wielding dual Katanas with his front paws, I'd get the F out of there because clearly something freaky was going on...


RE: Strong passwords...
By ZmaxDP on 1/16/2009 12:02:14 PM , Rating: 4
Come to think of it, it would be even weirder if it was a 6 pound Chihuahua...


RE: Strong passwords...
By Kugar on 1/16/2009 3:31:37 PM , Rating: 2
Teenage Mutant Ninja Dogs?


RE: Strong passwords...
By achintya on 1/16/2009 3:41:59 PM , Rating: 2
I was literally laughing my ass off after reading this comment!


RE: Strong passwords...
By semo on 1/17/2009 7:46:25 AM , Rating: 2
quote:
I was literally laughing my ass off

what does that even mean... or look like?

will security become meaningless when/if qubit computers become reality?


RE: Strong passwords...
By radializer on 1/16/2009 5:01:48 PM , Rating: 2
I'm trying really hard not to burst out laughing and shock the denizens of my cubefarm
:D

The post deserves a 6 for pure comic value!


RE: Strong passwords...
By FITCamaro on 1/16/2009 8:55:24 AM , Rating: 1
When I need to add a device to my network, I have my laptop sitting there with me with my router's config page showing my network password.

My password is quite long as well. But I might change it to one off the posted link. WPA passwords can be 64 characters right? Unfortunately I can't use WPA2 since the 360 network adapter doesn't support it. I might be moving things around though to where I can plug in the 360 and PS3 with an ethernet cable though here soon.

Not like it's really an issue in my neighborhood. Unless someone war drives through my neighborhood and picks my house, I'm not too afraid of anyone trying to get into my network. I'm the only person even using WPA. Everyone else is using WEP.


RE: Strong passwords...
By StevoLincolnite on 1/16/2009 9:29:34 AM , Rating: 2
I agree, I simply have my SSID hidden, and just monitor network traffic, I live in the country parts of Australia though, and there aren't many people with the "brains" to even show a hidden SSID around here. (Not saying there isn't anyone capable...)
Had it set-up this way for a few years now, Plus I don't have anything "Shared" just the internet connection, so my Data is pretty safe. (And I back-up often enough).

And never had any issues yet!

I only had it set-up this way because my Xbox 360 simply refused to make a connection to my wireless router with WEP or WPA, probably the router's fault more than the Xbox, or lack of knowledge on my behalf.


RE: Strong passwords...
By FITCamaro on 1/16/2009 10:06:39 AM , Rating: 2
No problems here with the 360 and WPA. Did you add the wireless adapter's MAC address to your MAC table? Assuming you do MAC address filtering as I do.


RE: Strong passwords...
By StevoLincolnite on 1/16/2009 10:10:47 AM , Rating: 2
Nah I didn't I wouldn't even know how, nor do I have the desire to research on how to do it, It's not broken so no point fixing it.


RE: Strong passwords...
By Kenenniah on 1/16/2009 11:17:13 AM , Rating: 3
Disabling SSID broadcast is actually less secure than having it broadcast, especially if you use Windows.

http://technet.microsoft.com/en-us/library/bb72694...
http://blogs.technet.com/steriley/archive/2007/10/...


RE: Strong passwords...
By StevoLincolnite on 1/16/2009 12:02:24 PM , Rating: 2
Er... Not when the people you live near have very little basic understanding of Networking.


RE: Strong passwords...
By achintya on 1/16/2009 3:45:44 PM , Rating: 2
BAH! Security in Obscurity is one of the lamest arguments I have ever heard in my life. Get a life man. One fine day a person not quite interested in the masses goes in for the kill of the weaker fish, you will be in grave danger.


RE: Strong passwords...
By mindless1 on 1/16/2009 11:23:59 PM , Rating: 2
Obscurity is the best argument. These people are talking about their home LAN, is a wardriving hacker going to go after the low hanging fruit or someone who already seems to be at least a bit mindful of securing confidential info?

One person doesn't just randomly go in for the kill of the weaker fish, it'd be someone who has a personal grudge and if they do, the last thing you ought to worry about is your wifi password.


RE: Strong passwords...
By Suntan on 1/16/2009 1:26:39 PM , Rating: 2
Agreed, digital *and* real world precautions work better than just relying on digital protection.

My wireless router is in the basement, between that and the stucco sided walls of the house, you pretty much need to be in my back yard to get a wireless signal, even with a highly efficient antenna.

If someone wants to jack into my wireless network to use it to download porn that badly, I say let them.

-Suntan


RE: Strong passwords...
By Oregonian2 on 1/16/2009 2:54:31 PM , Rating: 2
Mine is in the opposite direction, it's in the middle of my second story, so "from it" I can see about five or six other neighbor systems (and it's draft-N which has considerable range).

My WPA2 password is a long sentence containing more than one language and is not terribly memorable, so it's kept written on paper in a drawer -- and only needed when configuring a new device. Not a problem.


RE: Strong passwords...
By Suntan on 1/16/2009 1:21:35 PM , Rating: 2
quote:
Would that not mean that you would have to store it somewhere, with this itself being the weakest link in your security?


At which point, wouldn't it just be easier to plug an extra CAT5 cable into the back of his router?

-Suntan


RE: Strong passwords...
By PrinceGaz on 1/16/2009 5:05:12 PM , Rating: 3
You don't need to remember your passwords if you keep a copy of them like I do in a .txt file in the My Documents folder. My file is named "password.txt" so that it is easy to remember, and means I can quickly copy and paste the required password whenever it is asked for (I make a note of the site name and which email account I used with it).

So not only are my passwords very secure, there is no difficulty remembering them.


RE: Strong passwords...
By wetwareinterface on 1/17/2009 11:35:14 AM , Rating: 2
wow that's so brilliant...
so every password you have is in a plain text file named passwords. so if anyone ever manages to crack your windows security they then can get all the money out of your bank and order crap using your credit cards? wow that's awesome.

let me see if i got it straight..
passwords.txt located in the most obvious folder other than the desktop? sounds like security to me.

on a serious note...
if you want a secure password for your router just make up something obscure, write it down and tape it to the bottom of your router. if anyone has physical access to your router other than you you have bigger issues than your password being found.


RE: Strong passwords...
By Iketh on 1/16/2009 7:46:26 PM , Rating: 2
some geekiness in me has memorized pi to about the 12th digit since high school, and im 29 now. really thinking about memorizing 10-15 characters to use for life.
