GPU Power to crack passwords

Bozo

Storage? I am Storage!
Joined
Feb 12, 2002
Messages
4,396
Location
Twilight Zone
Does this thing have a useful (legal) function or is it just for pirates?

I wonder how it would do at Folding?
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,357
Location
Gold Coast Hinterland, Australia
Does this thing have a useful (legal) function
Digital Forensics involved with Law Enforcement and/or Military Intelligence, (on provision of required court orders, warrants, etc).
Normally in the scenario of being given the wrong password or no password, and you need to access encrypted files (EFS/Bitlocker), or to access a live system, etc... (Mind you this is not normally needed, as typically the HDD is imaged prior to forensic investigation, but is nice for attacking the local SAM database).

Also useful for password recovery of passwords on Domain Controllers, etc... (Who hear remembers the Active Directory recovery password)?

Also I think this is a good sellingpoint for getting away from older Windows versions in the workplace, especially when there are certain legal requirements needed for either government or vendor contracts. (eg, need to use Windows 7 as we can enforce stronger password storage technology, etc). Mind you, since you can change the password hashing system on most Unix system at will, is a good case for dropping Windows completely for 'mission critical' servers/applications.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
To hazard an answer for Bozo's question, I think this is a proof of concept that hackers will love. Some hacker teams are pretty successful and have made a lot of money, and for them, this would be very juicy news indeed.

What I see over and over is that pw length needs to be 14 chars plus to be reasonably secure. The difficulty of cracking rises somewhat exponentially with length. Unfortunately, those that need long pw the most sometimes aren't enabled for it. My bank allows a max char len of 14; I'd like 20 or at least 16.
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
This is stupid. If hackers can gain enough privileges to actually access password hashes, why would they bother cracking user passwords?

Mubs, rather than the length of your password, your bank account security relies on limiting the number of times an agent can attempt to log in.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Right. If you can get to the hashes, what's the point of this? Are you sure you can get to the hashes? Isn't the whole idea of this to get into the system in the first place?
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
Right. If you can get to the hashes, what's the point of this? Are you sure you can get to the hashes? Isn't the whole idea of this to get into the system in the first place?

If you can get a user's credentials for one system (say an older or less well protected system or even from a backup file), it's likely the credentials will be the same on a more protected system (or the live system in the case of a backup) within the same enterprise.

So if you can get the password off the user's workstation, and break it, you might be able to gain access to shares and resources on the servers where you can pull of important files.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,357
Location
Gold Coast Hinterland, Australia
It attacks a copy of the local SAM database attempting to match passwords to stored hashes. It doesn't attack live systems. (Hence time's comment "This is stupid"). You need to get a copy of the local SAM database to use this, but if you have enough privileges/access rights to get it, that system is good as considered to be 0wned.

Even though the article talks about Windows passwords, the same can be applied to WLAN connections - sniff the initial handshake of a WPA2 connection, get the hashes, and then simple attempt to find a password that provides the same hash. (And since WPA PSKs tend to be relative short, it won't take long).
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
17,497
Location
USA
A simple password works fine for me. How many people bother to dive around and hack on the internet?
 
Top