Print 65 comment(s) - last by Oregonian2.. on Jan 19 at 2:35 AM

  (Source: Elcomsoft)
Make sure your WPA/WPA2 passwords are good ones

GPU-powered general-purpose computing is causing all sorts of security nightmares these days, and wireless access points secured with WPA seem to be the latest victim. Elcomsoft, of “Advanced eBook Processor” fame, released a proprietary WPA/WPA2-PSK cracker that uses GPUs to brute force passwords in record time.

Elcomsoft claims its software can try almost 16,000 passwords per second (p/sec) with a single Radeon HD 4870, using an “advanced dictionary attack” that mutates entries from a master wordlist. Advanced hardware, such as the NVIDIA Tesla S1070 GP-GPU, raises the password rate to more than 52,000 p/sec – compared to an Intel Core 2 Quad Q6600 CPU, which clocks at 1,100 p/sec.

The program, known as the “Elcomsoft Wireless Security Auditor”, claims it was designed for network administrators and IT personnel seeking to audit internal security, as well as external penetration testers and other “white hat” hackers.

While brute-force and dictionary attacks are nothing new, Wireless Security Auditor appears to be one of the most efficient solutions available. To work, it requires a tcpdump-formatted communications dump with at least one handshake packet. Elcomsoft says all processing is done off-line, and is completely transparent to the targeted network.

HotHardware notes that the way Elcomsoft phrases its “proprietary” dictionary engine most likely means that it doesn’t use third-party programming interfaces such as OpenCL, CUDA, or Stream.

Despite the massive improvements in scalability and processing power that GPUs offer compared to regular CPUs, a full-scale brute-force attack against all but the weakest of WPA passwords is still infeasible – the amount of time required to brute-force a 10-digit password, assuming the entire ASCII character set and the same password rate, would still take a Radeon HD 4870 over 2 trillion years. Even with optimizations – such as narrowing the possibilities down to 0-9 and the upper/lower cases of the English alphabet – the number of GPUs required to crack it within a year lies in excess of 1.6 million.

Elcomsoft lists Wireless Security Auditor for $1,199, however the software it is currently priced at $599.99 until March 1, 2009.

Late last year, security researchers announced that they were able to break weak SSL certificates using the computing power of 200 PlayStation 3s over a handful of weekends. The attack only applied to SSL certificates signed with an MD5 hash, as opposed to the more-secure SHA1 or SHA2 algorithms, but its effects are devastating: once cracked, the attacker can impersonate the certificate signing authority and generate fully trusted SSL certificates for any domain, for any browser that trusts certificates signed with MD5.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Strong passwords...
By StevoLincolnite on 1/16/2009 9:29:34 AM , Rating: 2
I agree, I simply have my SSID hidden, and just monitor network traffic, I live in the country parts of Australia though, and there aren't many people with the "brains" to even show a hidden SSID around here. (Not saying there isn't anyone capable...)
Had it set-up this way for a few years now, Plus I don't have anything "Shared" just the internet connection, so my Data is pretty safe. (And I back-up often enough).

And never had any issues yet!

I only had it set-up this way because my Xbox 360 simply refused to make a connection to my wireless router with WEP or WPA, probably the routers fault more than the Xbox, or lack of knowledge on my behalf.

RE: Strong passwords...
By FITCamaro on 1/16/2009 10:06:39 AM , Rating: 2
No problems here with the 360 and WPA. Did you add the wireless adapters mac address to your mac table? Assuming you do mac address filtering as I do.

RE: Strong passwords...
By StevoLincolnite on 1/16/2009 10:10:47 AM , Rating: 2
Nah I didn't I wouldn't even know how, nor do I have the desire to research on how to do it, It's not broken so no point fixing it.

RE: Strong passwords...
By Kenenniah on 1/16/2009 11:17:13 AM , Rating: 3
Disabling SSID broadcast is actually less secure than having it broadcast, especially if you use Windows.

RE: Strong passwords...
By StevoLincolnite on 1/16/2009 12:02:24 PM , Rating: 2
Er... Not when the people you live near have very little basic understanding of Networking.

RE: Strong passwords...
By achintya on 1/16/2009 3:45:44 PM , Rating: 2
BAH! Security in Obscurity is one of the lamest arguments I have ever heard in my life. Get a life man. One fine day a person not quite interested in the masses goes in for the kill of the weaker fish, you will be in grave danger.

RE: Strong passwords...
By mindless1 on 1/16/2009 11:23:59 PM , Rating: 2
Obscurity is the best argument. These people are talking about their home LAN, is a wardriving hacker going to go after the low hanging fruit or someone who already seems to be at least a bit mindful of securing confidential info?

One person doesn't just randomly go in for the kill of the weaker fish, it'd be someone who has a personal grudge and if they do, the last thing you ought to worry about is your wifi password.

"DailyTech is the best kept secret on the Internet." -- Larry Barber

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki