A key foundation of practical modern encryption rests with the password. For example, users of AlertBoot Mobile Security provide a password when trying to access the contents of an encrypted computer; otherwise, there is no way to get around the strong encryption protection. So, the security associated with the password is of intense interest. One especially debated password security parameter: length.
Depending on the situation, some researchers have noted that password less than 12 characters in length should be considered “weak” (in other words, unusable).
Passwords lengths are under attack again (still?): researcher Jeremi Gosney has debuted at the Passwords^12 Conference a server rig that can bruteforce 348 billion password hashes per second.
Windows XP Password Defeated in 6 Minutes
According to securityledger.com, the organizer of the conference, Per Thorsheim, noted that “Passwords on Windows XP? Not good enough anymore.” The reason? The system can go through passwords like a hot butter knife through…well, butter:
348 billion NTLM password hashes per second. In other words, any WinXP password would fall in approximately 6 minutes:
LM Is what is used on Win XP, and LM converts all lowercase chars to uppercase, is at most 14 chars long, and splits the password into two 7 char strings before hashing — so we only have to crack 69^7 combinations at most for LM. At 20 G/s we can get through that in about 6 minutes. With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours. [securityledger.com]
Of course, under certain instances, things like this are a moot point. For example, you can defeat the same Windows XP password by slaving the hard drive to another computer, or booting up the computer in question with a Linux distro CD. Still, the fact that it only takes 6 minutes to guarantee entry into a machine running XP is very impressive.
What Does this Mean for Encryption?
In some ways, not much. Passwords tend to be the bane of encryption for many reasons: people post them on sticky notes, tape them to the computer, pass them around, etc. From a technical standpoint, passwords are the bane of encryption because it’s the weakest link. Unlike encryption keys, passwords generally are not random enough, short, and easily guessable. So, any person worth his salt tries to figure out the password, not the encryption key.
What’s the difference? You can change passwords to encrypted data easily. Changing the encryption key is not possible in the truest sense. To do so, one would have to decrypt the data then encrypt it again with another key. It’s like the difference between changing clothes and changing one’s face like in the movie Face/Off, with Cage and Travolta.
Thankfully, the ability to change passwords easily also means that it’s easy to disable their use. AlertBoot’s laptop encryption, for example, has a setting that disables the entry of any passwords after, say, the tenth incorrect try. This way, bruteforce attacks aimed at defeating passwords can be effectively fended off.
Related Articles and Sites: