Password Cracking: CPU-Powered
There are a myriad of programs to choose from for recovering passwords, but two most popular programs are Advanced Archive Password Recovery and Visual Zip Password Recovery Processor. When I lost the password to my WinZip file, I was able to use the first to recover a seven-character-long password within 20 minutes. But this got me a bit curious. How fast was my computer searching for passwords? What would have happened if I had used a stronger encryption method, like AES-128?
More important: are all of your password-protected archives really only 20 minutes away from being opened by someone who shouldn't have access to them?
| Brute-Force Attack Speed Passwords Per Second | Advanced Archive Password Recovery | Visual Zip Password Recovery Processor |
|---|---|---|
| Compression: None Encryption: Zip 2.0 | 28 357 311 | 20 943 157 |
| Compression: None Encryption: AES-128 | 9715 | fail |
| Compression: None Encryption: AES-256 | 9713 | fail |
| Compression: Zip Encryption: Zip 2.0 | 28 492 733 | 20 888 938 |
| Compression: Zip Encryption: AES-128 | 9733 | fail |
| Compression: Zip Encryption: AES-256 | 9760 | fail |
| Compression: RAR Store Encryption: AES-128 | 213 | - |
| Compression: RAR Store Encryption: AES-128, File Names | 202 | - |
| Compression: RAR Normal Encryption: AES-128 | 213 | - |
| Compression: RAR Normal Encryption: AES-128, File Names | 202 | - |
As you can see, compression has a minor effect on the speed at which you can try plugging in passwords, but the biggest weakness is in the older Zip 2.0 encryption scheme. As a result, a five-character password is detected in just a few seconds because you can crunch about 28 million passwords per second using a Core i5-2500K. Visual Zip also found the correct password in the Zip 2.0 encryption method, but due to a software problem, it cannot detect a password of any length encoded in AES-128.
Of course, this doesn't really tell the full story. We don't care about speed for the sake of showing off what a new CPU can do (though this could, in fact, make an interesting benchmark). We care about it because it affects the speed at which I can recover a password.
| Total Time for Search If You're Churning Through 28 Million Passwords/Second | Passwords Between 1 and 4 Characters | Passwords Between 1 and 6 Characters | Passwords Between 1 and 8 Characters | Passwords Between 1 and 12 Characters |
|---|---|---|---|---|
| Lower-case | instant | 11 seconds | 2 hours | 112 years |
| Lower-case and Upper-case | instant | 12 minutes | 22 days | 451 345 years |
| All ASCII characters | 3 seconds | 7 hours | 8 years | 701 193 345 years |
Even if you assume that you can try 28 million passwords per second, your chances of guessing the right one get increasingly dim as you move to longer passwords and larger character sets. Spending a whole month to crack an eight-character password composed of letters isn't a terrible prospect if the protected data is really important. But 700 million years is probably too long to ask you to wait.
Fortunately, Advanced Archive Password Recovery allows you to pause and save the position of your search. And, if you have a few computers at your disposal, you can really cut down on the time investment by distributing the workload. Getting scared yet?
"While it would take a longer time to find a password made up of nine or 10 passwords, it's definitely doable between a few gaming buddies. "
9 or 10 characters?
How about adding some extended ASCII codes to a password.
"Think of this as generating every single combination of numbers that can be used to solve that same Sodoku puzzle, starting from an all zeros all the way through all nines. "
Sudoku puzzles have numbers from 1 through 9!
This reminds me of Bitcoin GPU crunching. 6990s are favored right now. I wonder how many were sold specifically to Bitcoin miners? I tried it with my dual 6850s but the heat was rediculous. I didn't like the stress on my hardware so I gave up mining. I'm sure it's the same with password software. Maxing out your GPUs. Great for Winter, not Summer!
I've always wondered about this: why don't they just code a delay into the decryption program, so you can't check a billion passwords a second?
I like the scale, but in your small example (a,b,c) you were right and wrong at the same time. Based on your configuration 6 possibilities are correct, but because you tell someone that they can use A or B or C in the password doesn't stop them from choosing aaa, therefor the combination is 9, not 6. Otherwise, interesting article.
"Think of this as generating every single combination of numbers that can be used to solve that same Sodoku puzzle, starting from an all zeros all the way through all nines. "
Sudoku puzzles have numbers from 1 through 9!
Fixed! Sorry. I usually play Sudoku variants.
I like the scale, but in your small example (a,b,c) you were right and wrong at the same time. Based on your configuration 6 possibilities are correct, but because you tell someone that they can use A or B or C in the password doesn't stop them from choosing aaa, therefor the combination is 9, not 6. Otherwise, interesting article.
I could understand that, but I left out that since I was trying to show a simple example of how permutations differ from combinations. As you pointed out, repetitions are allowed in passwords. I actually mention that in the sentence that follows in the next paragraph.
Password Haystacks Yes Steve Gibson has already covered something like this. Passphrases with upper lower number and speical are the way to go. Yes, please avoid shortcuts.
I've always wondered about this: why don't they just code a delay into the decryption program, so you can't check a billion passwords a second?
It wouldn't be easy from a design standpoint, cause now you're talking about fiddling with the design of the program.
The easiest way to slow down the verification portion of the password authentication process is increasing the number of transformation invocations for key generation. The problem is that this slows down the performance of your machine, even if you have the correct password.
How about adding some extended ASCII codes to a password.
That assumes WinZip and WinRAR supports them. To be honest, I haven't looked into that. Though, I'm inclined to believe that neither program supports them.
the tables in this review are horrible... they go from lengths of time to number of passwords and theres no discernible notation when they do.
Cracking a password? There's an app for that.
) Mother's maiden name? There's a Facebook page for that.
Saw something on this elsewhere recently (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)
I've changed the password for important (tangible value) passwords such as that for my steam account to a password that now uses a few special characters, and some mixed up numbers, lower and upper case letters, totalling 18 characters. (lol)
Now I have a few different tiers of passwords, a now replaced 8 string of letters and numbers for unimportant things a couple of years ago, a now replaced string of 15 characters for semi-important things a couple years ago (have real world information or usefulness for a potential bad guy), their 8 and 15 respectively replacements and my new 18 character string for things that have definite tangible real world value to potential nasties.
And being only 15 I think I'm on the right track
The only thing that *really* worries me are the choice of security questions sometimes. If you're not allowed to pick your own, the answer would be easy to find on my Facebook page or similar (if I had one
Cracking a password? There's an app for that.Saw something on this elsewhere recently (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)I've changed the password for important (tangible value) passwords such as that for my steam account to a password that now uses a few special characters, and some mixed up numbers, lower and upper case letters, totalling 18 characters. (lol)Now I have a few different tiers of passwords, a now replaced 8 string of letters and numbers for unimportant things a couple of years ago, a now replaced string of 15 characters for semi-important things a couple years ago (have real world information or usefulness for a potential bad guy), their 8 and 15 respectively replacements and my new 18 character string for things that have definite tangible real world value to potential nasties.And being only 15 I think I'm on the right track The only thing that *really* worries me are the choice of security questions sometimes. If you're not allowed to pick your own, the answer would be easy to find on my Facebook page or similar (if I had one ) Mother's maiden name? There's a Facebook page for that.
Actually, AccentZIP and AccentRAR are real world derivatives of the ighashgpu program that Zdnet wrote about. Ivan Golubev actually wrote the code for all three programs and we had the pleasure of working with him to write this article. The difference is that with ighashgpu, you're mainly looking at hash cracking.
You could buy multiple GPU's for a hefty price, or you could just use Amazon's cloud computing to do it for you....
Oops, link didn't show up, here it is:
Linky Linky
Oops, link didn't show up, here it is:
Linky Linky
Interesting. According to the article, it seems that the password recovery speed is limited by the internet connection.
I seem to recall seeing someone mention that a pair of 590s was faster than 30000 passwords per second with Elcomsoft's GPGPU document cracker.
Heck, assuming only 2002 SHA-1 transformations, a single GTX 460 would be faster.
How much of a jem is this article? This is way better than trying to save 3 cents a year on your power bill. I for one would like to see the process expanded into a benchmark if possible. For one thing, it could be an excellent for CPUs where it seems like it's more optimized -- GPUs are basically limited to nVidia's CUDA, but I still think the brain trust at Toms could find a way to make an informative benchmark out password cracking.
What if you have TRANSLTR?
A next good article would be a search for the best decryption software. Let the decryption roundup begins!
Interesting article. I personally use a fairly simple way to use one different password for each website / service following an easy to remember pattern. The method is described here:
http://passwordadvisor.com/TipsUsers.aspx
Would also be interesting to see if Sandy Bridge AES instructions helps on brute force.