Interesting what you can learn when one puts their foot in their mouth
and then actually reads the backups to the replies.
I typically use the 52 character set, 8 characters long when choosing a
password. Assuming the security is properly implemented, 15 hrs w/ a
Class F (supercomputer) attack.
I seriously doubt anything I get into will be worth 15 hrs of
supercomputer time to anybody to figure out :-)
I have often said NOTHING is truly secure. All we can do is make it more
difficult to get into than what it's worth. Applies to the padlock on
your toolbox as much as your computer.
Jim G
On Sat, 2011-01-15 at 18:47 -0900, Christopher Howard wrote:
> On 01/15/11 15:14, Jim Gribbin wrote:
> > It seems to me if one of these GPU cluster thingies can be used to crack
> > this, it can be used to crack other things as well. A PGP encrypted hard
> > disk for instance.
> >
> > Maybe someone here can explain why I have no reason for concern.
> >
>
> Um... maybe because a PGP encrypted hard disk is a bit different from
> cracking WPA-PSK. Quotes from the article:
>
> "A German white-hat hacker named Thomas Roth claims he has found a way
> to use EC2 and some custom software to crack the password of
> WPA-PSK-protected networks in around 20 minutes. With some tweaks to his
> software -- which tests 400,000 passwords per second using the EC2
> compute power -- Roth said he has could reduce that cracking time to six
> minutes, about $1.68 worth of time on Amazon EC2. (Amazon charges 28
> cents per minute to use its services.). . . .
>
> "Roth attributes the success of his brute-force technique to a weakness
> in SHA-1. In an earlier blog posting, he wrote, "SHA-1 was never made to
> store passwords. SHA-1 is a hash algorithm, it was made for verifying
> data. It was made to be as fast and as collision free as possible, and
> that's the problem when using it for storing passwords: It's too fast!
> ... Instead of hash algorithms, one should use key-derivation functions
> like PBKDF2 or scrypt. Some of these functions hash passwords some
> thousand times and make brute forcing a lot harder."
>
> Brute-forcing /secure/ encryption setups is still pretty much
> practically impossible, even if you /own/ your own dedicated supercomputer.
>
> http://en.wikipedia.org/wiki/Brute-force_attack#Theoretical_limits
> http://www.lockdown.co.uk/?pg=combi
>
> Now, doubtless having instant access to cluster-level computing puts
> /insecure/ setups at greater risk.
>
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Sat Jan 15 19:19:11 2011
This archive was generated by hypermail 2.1.8 : Sat Jan 15 2011 - 19:19:11 AKST