19 July 2010

Password-cracking software

A discussion thread at Reddit today reminds readers to use secure passwords, and offers a link to a password-cracking site called WPA Cracker -
WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17.

NEW :: We now offer German dictionary support, a 284 million word extended English dictionary option, and ZIP file cracking.
What I don't understand regarding the susceptibility of sites to password hackers is why a site will permit hundreds, much less millions, of login attempts. It seems to me that after a half-dozen failed attempts, the bank/broker/retailer or whatever should automatically block further access for some defined time period.

How does a program manage to try ten million access codes?

7 comments:

  1. "How does a program manage to try ten million access codes?"

    Answer: it doesn't. At least not on the actual network. The program looks at samples of encrypted packets and makes millions of attempts to decrypt that data with various strings (usually a dictionary of sorts).

    By capturing the right type of packets, you can do your cracking offline. This means you only have to be near the network for a matter of seconds to get what you need. Once cracked, you go back to the network and login with the discovered key.

    If one is truly worried about this, the best thing to do is to mix up non-words with a number and non-alpha characters. For example, take the phrase "No 1, but no 1, can crack my network ever period!" and make the first letters of each word your password, like this:

    N1,bn1,ccmnep!

    *That* is a hard password to crack, and impossible using dictionaries.

  2. Cracking WPA doesn't involve repeated requests; according to http://docs.alkaloid.net/index.php/Cracking_WEP_and_WPA_Wireless_Networks, "WPA is different... by capturing the right types of packets, you can do your cracking offline. This means you only have to be near the AP for a matter of seconds to get what you need."

  3. Thank you. I obviously didn't understand how WPA worked.

    How would my question be answered re entry to websites like Amazon, eBay, my library etc? If someone wants to log in as me, will the site allow them to try 600 passwords? If so, I think that's a stupid way to set up a login protocol. If not, why does my password need to be tr5#fm&gh.?

  4. "If not, why does my password need to be tr5#fm&gh.?"

    Well, obviously, you'll have to change it now.

    Most sites' administrators are well aware of the potential for brute-force and dictionary hack attempts - if the sites' administrators care about security, there will be a CAPTCHA to confirm the request is not automated after several failed attempts then either a lockout on the account username or a lockout on the IP address attempting to post the login attempt.

    Brute force and dictionary attacks against websites used to be the path of least resistance for an attacker, however, this security hole has since been effectively neutralized for sites which hold any stake in user security (though that does not necessarily mean that you can expect brute-force and dictionary attack counter-measures on every site that requires you to create a login and password - free services and online communities rarely receive the same attention to security as financial institutions).

    The path of least resistance for a financially-motivated attacker no longer involves guessing passwords at the target site, which is why your banking account probably doesn't need a particularly complex password so much as you need to practice safe computing (don't download software you don't trust, use an updated antivirus solution on any computer you access your accounts from, etc). Attackers have switched to using phishing schemes and malware to target authentication information - a network attack (i.e. WPA key cracking) can lead to the compromise of individual machines on the network, which is why it is important to use the latest encryption protocol available and MAC address filtering on your home and business WiFi routers (or just stay on a wired router).

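Comment 4 gives the usual answer to the post's question: a CAPTCHA after several failures, then a lockout on the username or on the IP address. The Python below is an added illustration of that policy, not code from the post or from any particular site; the thresholds, the one-hour window, and the address 203.0.113.5 are constructed values.

```python
"""Failed-login throttling of the kind comment 4 describes: a CAPTCHA after a
few failures, then a temporary lockout of both the account and the source IP.
Added illustration; not code from the post or from any real site."""
from collections import defaultdict

CAPTCHA_AFTER = 3         # failures in the window before a CAPTCHA is required
LOCK_AFTER = 6            # failures in the window before a lockout
LOCK_SECONDS = 15 * 60    # how long a lockout lasts
WINDOW_SECONDS = 60 * 60  # failures older than this no longer count


class LoginThrottle:
    """Tracks failures per account and per client IP (timestamps in seconds)."""

    def __init__(self):
        self._failures = defaultdict(list)   # key -> failure timestamps
        self._locked_until = {}              # key -> unlock time

    def _recent(self, key, now):
        self._failures[key] = [t for t in self._failures[key]
                               if now - t < WINDOW_SECONDS]
        return self._failures[key]

    def check(self, username, ip, now):
        """Decide before verifying the password: 'locked', 'captcha' or 'ok'."""
        keys = (("user", username), ("ip", ip))
        if any(self._locked_until.get(k, 0) > now for k in keys):
            return "locked"
        worst = max(len(self._recent(k, now)) for k in keys)
        return "captcha" if worst >= CAPTCHA_AFTER else "ok"

    def record(self, username, ip, now, success):
        """Update counters after the password check; lock on the threshold."""
        if success:
            # Clear the account's counter only: one IP guessing many accounts
            # keeps its history even if it finally gets one right.
            self._failures.pop(("user", username), None)
            return
        for key in (("user", username), ("ip", ip)):
            self._recent(key, now).append(now)
            if len(self._failures[key]) >= LOCK_AFTER:
                self._locked_until[key] = now + LOCK_SECONDS


def demo():
    """Constructed scenario: one IP guesses alice's password once a second."""
    throttle, decisions = LoginThrottle(), []
    for now in range(8):
        decision = throttle.check("alice", "203.0.113.5", now)
        decisions.append(decision)
        if decision != "locked":
            throttle.record("alice", "203.0.113.5", now, success=False)
    return decisions  # ok, ok, ok, captcha, captcha, captcha, locked, locked
```

Both counters are consulted on every attempt, so a single source guessing many accounts is stopped by the IP counter while a distributed attack on one account is stopped by the account counter; the lockout expires but the failures still count against the CAPTCHA threshold until the window passes.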
  5. To keep it very simple, WEP and WPA are ways to encrypt the data to/from a laptop or other wireless device and a wireless router. The worst thing to do is be open (no encryption). The lowest level of encryption is WEP and is easily cracked. WPA is not as easy, hence the need to spend days doing it or hire the firm in the article. The next level up is WPA2, which is longer and harder to crack. The important point is that WPA/WPA2 use a pre-shared key (PSK) which is on both devices (laptop and wireless router). It is a secret handshake if you will.

    Cracking involves a dictionary attack. A person captures a stream of info over the air, then tries to crack it. They use a dictionary to do this by trying words until it breaks (it is an automated process). As the article states, the faster computers will take less time. Computers paired up to work together (cloud computing) take just minutes or hours to do what a single pc takes days to do.

    What do you do? Use a complex password. This isn't something you need to type over and over, it is simply stored on your laptop and on the router. You enter it once and that's it. Search for "wpa2 generator" and you'll find many sites to make one for you. Here's an example of a generated key: C7EA601423FB89D5F81DB7592CEA60433249CB1D8F760AE5DBA1EC359640F872. Much more complex than "Johnswireless", right?

    Why do you want to encrypt? If the traffic over the air is not encrypted then your passwords can be gleaned, PC accessed, etc. See http://www.reuters.com/article/idUSTRE64D60E20100514

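Comments 1 and 5 explain that WPA cracking is an offline dictionary attack against captured traffic, that the pre-shared key is stored on both devices, and that a generated 64-hex key is far stronger than a word. The Python below is an added illustration, not code from the post or from WPA Cracker, of how the IEEE 802.11i passphrase-to-PSK derivation works and what the guess rates quoted in the post (135 million words in 20 minutes on the cluster, over 5 days on a dual-core PC) imply for passphrase choice; the SSIDs and the "Johnswireless" passphrase are constructed or taken from comment 5.

```python
"""WPA/WPA2-PSK: how a passphrase becomes the 256-bit key, and what the
guess rates quoted in the post imply.  Added illustration, not the post's
or WPA Cracker's code."""
import hashlib
import re

WPA_ITERATIONS = 4096  # PBKDF2-HMAC-SHA1 rounds fixed by IEEE 802.11i
PSK_BYTES = 32         # the PSK is always 256 bits
HEX_PSK = re.compile(r"[0-9A-Fa-f]{64}")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the PSK that station and access point both compute.

    A 64-hex-digit secret (what the "wpa2 generator" sites in comment 5
    produce) is the raw PSK and is used unchanged.  Any other 8..63 character
    passphrase is stretched with PBKDF2, salted by the SSID, so the same
    passphrase on two networks yields two different keys."""
    if HEX_PSK.fullmatch(passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, PSK_BYTES)


# Guess rates implied by the post: a 135-million-word list in 20 minutes on
# the 400-CPU cluster, and "over 5 days" on a dual-core PC.
WORDS = 135_000_000
CLUSTER_RATE = WORDS / (20 * 60)           # 112,500 guesses/second
PC_RATE = WORDS / (5 * 24 * 60 * 60)       # ~312 guesses/second


def keyspace(alphabet_size: int, length: int) -> float:
    """Number of candidates an attacker must consider for a random secret."""
    return float(alphabet_size) ** length


def seconds_to_exhaust(candidates: float, rate: float) -> float:
    """Worst-case time to try every candidate; each passphrase guess costs a
    full PBKDF2 run, which is why the iteration count matters to the defender."""
    return candidates / rate


if __name__ == "__main__":
    for label, n in (("dictionary word", WORDS),
                     ("8 random lowercase letters", keyspace(26, 8)),
                     ("64-hex generated key", keyspace(16, 64))):
        days = seconds_to_exhaust(n, CLUSTER_RATE) / 86400
        print(f"{label:28s} {days:12.3g} days on the cluster")
```

At the post's cluster rate the whole word list takes the quoted 20 minutes and eight random lowercase letters about three weeks, while the 256-bit generated key is out of reach by dozens of orders of magnitude, which is the point comment 5 makes.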