backtop


Print 65 comment(s) - last by Oregonian2.. on Jan 19 at 2:35 AM


  (Source: Elcomsoft)
Make sure your WPA/WPA2 passwords are good ones

GPU-powered general-purpose computing is causing all sorts of security nightmares these days, and wireless access points secured with WPA seem to be the latest victim. Elcomsoft, of “Advanced eBook Processor” fame, released a proprietary WPA/WPA2-PSK cracker that uses GPUs to brute force passwords in record time.

Elcomsoft claims its software can try almost 16,000 passwords per second (p/sec) with a single Radeon HD 4870, using an “advanced dictionary attack” that mutates entries from a master wordlist. Advanced hardware, such as the NVIDIA Tesla S1070 GP-GPU, raises the password rate to more than 52,000 p/sec – compared to an Intel Core 2 Quad Q6600 CPU, which clocks at 1,100 p/sec.

The program, known as the “Elcomsoft Wireless Security Auditor”, claims it was designed for network administrators and IT personnel seeking to audit internal security, as well as external penetration testers and other “white hat” hackers.

While brute-force and dictionary attacks are nothing new, Wireless Security Auditor appears to be one of the most efficient solutions available. To work, it requires a tcpdump-formatted communications dump with at least one handshake packet. Elcomsoft says all processing is done off-line, and is completely transparent to the targeted network.

HotHardware notes that the way Elcomsoft phrases its “proprietary” dictionary engine most likely means that it doesn’t use third-party programming interfaces such as OpenCL, CUDA, or Stream.

Despite the massive improvements in scalability and processing power that GPUs offer compared to regular CPUs, a full-scale brute-force attack against all but the weakest of WPA passwords is still infeasible – the amount of time required to brute-force a 10-digit password, assuming the entire ASCII character set and the same password rate, would still take a Radeon HD 4870 over 2 trillion years. Even with optimizations – such as narrowing the possibilities down to 0-9 and the upper/lower cases of the English alphabet – the number of GPUs required to crack it within a year lies in excess of 1.6 million.

Elcomsoft lists Wireless Security Auditor for $1,199, however the software it is currently priced at $599.99 until March 1, 2009.

Late last year, security researchers announced that they were able to break weak SSL certificates using the computing power of 200 PlayStation 3s over a handful of weekends. The attack only applied to SSL certificates signed with an MD5 hash, as opposed to the more-secure SHA1 or SHA2 algorithms, but its effects are devastating: once cracked, the attacker can impersonate the certificate signing authority and generate fully trusted SSL certificates for any domain, for any browser that trusts certificates signed with MD5.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Strong passwords...
By PrinceGaz on 1/16/2009 5:05:12 PM , Rating: 3
You don't need to remember your passwords if you keep a copy of them like I do in a .txt file in the My Documents folder. My file is named "password.txt" so that it is easy to remember, and means I can quickly copy and paste the required password whenever it is asked for (I make a note of the site name and which email account I used with it).

So not only are my passwords very secure, there is no difficulty remembering them.


RE: Strong passwords...
By wetwareinterface on 1/17/2009 11:35:14 AM , Rating: 2
wow that's so brilliant...
so every password you have is in a plain text file named passwords. so if anyone every manages to crack your windows security they then can get all the moeny out of your bank and order crap using your credit cards? wow that's awesome.

let me see if i got it straight..
passwords.txt located in the most obvious folder other than the desktop? sounds like security to me.

on a serious note...
if you want a secure password for your router just make up something obscure, write it down and tape it to the bottom of your router. if anyone has physical access to your router other than you you have bigger issues than your password being found.


"A politician stumbles over himself... Then they pick it out. They edit it. He runs the clip, and then he makes a funny face, and the whole audience has a Pavlovian response." -- Joe Scarborough on John Stewart over Jim Cramer














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki