> Does anyone have experience with this service or similar
> password-breaking utilities?

Yes, I've used a few.

> Can a non-trivial login password be broken in mere days, or is
> the high success rate of loginrecovery.com due to the weak
> passwords (with predictable patterns or letter-number
> substitutions) that people tend to use?

Both. Either. It depends :)

Do you have the hash of the password? Do you know how it is encrypted (MD5, DES, SHA-1, SHA-256, RC5)? Was there salt added? How strong is the password itself? "login password" can be a loaded term -> does the machine prohibit multiple wrong attempts? Do I have local access to the machine, and can I yank out the drive or otherwise attack the stored crypts directly or do I need to try remotely?

A 56-bit DES hash was broken in 1998 in 56 hours, using a machine that cost a quarter-million dollars to build; following the 18 month cycle version of Moore's Law, you could accomplish the same task today in 56 hours with about $14K worth of hardware. Practically, it's probably feasible to blow through older hash functions using a $2,000 dual core machine in a couple of days at most, using strict brute-force (no dictionary) methodologies.

I haven't looked at loginrecovery.com, but most password-crackers don't really take a brute force approach anymore, since very few people actually use truly random passwords; as you point out, predictable patterns make building a good password cracker a matter of running through a dictionary first. A password that's been encrypted by a 128-bit function is practically cracked about as quickly as one encrypted by an older key if the password is weak; your cracking algorithm is going to be using the same dictionary regardless - the cracker isn't attacking the hash, it's just trying combinations of usernames and passwords.

Functionally, this is a major question for people who are looking to deploy FDE in the future: how do you prevent someone who has access to the machine from busting in by brute force?
If the user gets to choose his own password, an FDE-protected machine can fall easily if the password is "password". And, of course, if you make it too hard to remember, the user of the laptop is going to tape it to the underside of the laptop, so that he's not locked out on the road. "Check for a sticky note under the keyboard" will probably still be a viable attack scenario.

> Anyone have personal experience with this that they'd like to
> share?

I'm awaiting this paper discussed in this article, I hope it gets into IEEE, since I'd really like more details as to the background setup of the story:

http://www.darkreading.com/document.asp?doc_id=117302

Even the sparse writeup in the article is illuminating.

_______________________________________________
FDE mailing list
http://www.xml-dev.com/mailman/listinfo/fde
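
The reply's point that a weak passphrase falls to a dictionary regardless of hash width can be applied at enrolment time. The following is an added example, not part of the original message: a screen that rejects an FDE passphrase which reduces to a dictionary word once letter-number substitutions and padding are undone. The wordlist, the 12-character minimum and all function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption); a real deployment would load a
# large list of common and previously exposed passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "laptop", "secret"}

# Letter-number and letter-symbol substitutions, mapped back to plain letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_forms(passphrase):
    """Return the normalised forms that a dictionary-first guesser covers."""
    lowered = passphrase.lower()
    # Drop leading/trailing digits and punctuation ("password2007!" -> "password").
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    forms = set()
    for base in (lowered, stripped):
        forms.add(base)
        forms.add(base.translate(LEET))  # undo substitutions
        forms.add(base[::-1])            # reversed word
    return forms


def screen_passphrase(passphrase, username="", min_length=12):
    """Return reasons to reject; an empty list means the screen found nothing."""
    reasons = []
    if len(passphrase) < min_length:
        reasons.append("too short")
    forms = candidate_forms(passphrase)
    if forms & COMMON_WORDS:
        reasons.append("dictionary word with predictable decoration")
    if username and any(username.lower() in form for form in forms):
        reasons.append("contains username")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("password", "P@ssw0rd2007!", "correct horse battery staple"):
        print(repr(pw), "->", screen_passphrase(pw) or "accepted")
```

An empty result only means the passphrase is not an obvious dictionary derivative; it says nothing about whether it was written down and taped to the laptop.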
