Friday, May 29, 2009

Password cracking: Time honored hack

We are in the process of writing a CEH exam review guide. Whenever you write or read the chapter on password cracking, the same philosophical questions and puzzles inevitably arise. A topic that at times seems stale and routine is renewed once you really dive into it and work through the possible situations.

Credentials are a balance between usability, invasiveness, risk, and cost. Every time a "perfect" solution is presented, a "yeah, but....." always follows.

Because passwords are the easiest and cheapest way to implement credentials, they are the most popular. In some systems the password is used to unlock an asymmetric key pair, whose private key in turn protects the symmetric key that actually encrypts the data. One could argue that making the password the primary access point to such a chain defeats its purpose and introduces risk of its own: however long the keys are, an attacker only has to guess the password that unlocks them, so the chain is no stronger than that password (1)

Password cracking is a whole industry (2). Distributed Network Attacks (DNA), parallel processing, and advances in attacks on the underlying hash functions are ongoing efforts with big money behind them.

I ran across a spreadsheet that helps calculate password-cracking time against enforced policies (3).
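The spreadsheet itself is not reproduced here, so the following is an added example (not from the original post, the referenced article, or the CEH guide) of the same calculation in Python: it counts the keyspace a composition policy actually permits (length range plus "at least one character from each class", via inclusion-exclusion), converts that to a worst-case exhaustion time at an assumed guess rate, and reports the effective strength of a key chain that a password from that policy unlocks, which is the point made about password-protected key hierarchies above. The character-class sizes, the 1e9 guesses/second rate, and the 256-bit data key are assumptions for illustration; substitute the rate you measure for the target hash format.

```python
"""Estimate the keyspace of a password policy and the time to exhaust it.

Added example, not from the original post or the CEH guide it mentions.
Character-class sizes, the guess rate and the key size are assumptions.
"""
import math
from itertools import combinations

# Assumed character classes (printable ASCII); adjust to the target system.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 32,   # printable punctuation on a US keyboard
}


def keyspace(length, classes, require_all=True):
    """Count passwords of exactly `length` built from the given classes.

    With require_all=True only passwords containing at least one character
    from every listed class are counted (the usual "complexity" rule).
    This is done by inclusion-exclusion over the set of classes left out.
    """
    sizes = [CLASS_SIZES[c] for c in classes]
    alphabet = sum(sizes)
    if not require_all:
        return alphabet ** length
    total = 0
    for k in range(len(sizes) + 1):
        for left_out in combinations(range(len(sizes)), k):
            remaining = alphabet - sum(sizes[i] for i in left_out)
            total += (-1) ** k * remaining ** length
    return total


def policy_keyspace(min_len, max_len, classes, require_all=True):
    """Keyspace of a policy that allows any length in [min_len, max_len]."""
    return sum(keyspace(n, classes, require_all)
               for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every password; the expected time is half."""
    return space / guesses_per_second


def effective_bits(space, key_bits):
    """Strength of a key chain that a password from `space` unlocks.

    A 256-bit data key guarded by a password is no stronger than the
    password: the attacker guesses the password, not the key.
    """
    return min(math.log2(space), key_bits)


def estimate(min_len, max_len, classes, guesses_per_second, key_bits=256):
    """Summarise a policy: keyspace, bits, time to exhaust, effective bits."""
    space = policy_keyspace(min_len, max_len, classes)
    secs = seconds_to_exhaust(space, guesses_per_second)
    return {
        "keyspace": space,
        "bits": round(math.log2(space), 1),
        "days_to_exhaust": secs / 86400,
        "effective_key_bits": round(effective_bits(space, key_bits), 1),
    }


if __name__ == "__main__":
    # Assumed rate: 1e9 guesses/s, in the range of an unsalted fast hash on
    # a GPU; replace with the rate measured against the real hash format.
    rate = 1e9
    cases = {
        "8 lowercase only": estimate(8, 8, ["lower"], rate),
        "8 chars, all four classes": estimate(8, 8, list(CLASS_SIZES), rate),
        "8-12 chars, all four classes": estimate(8, 12, list(CLASS_SIZES), rate),
    }
    for name, r in cases.items():
        print(f"{name}: {r['bits']} bits, {r['days_to_exhaust']:.3g} days "
              f"to exhaust, effective key strength {r['effective_key_bits']} bits")
```

Two things the numbers make obvious that a policy document does not: the "at least one of each class" rule removes only a small fraction of the keyspace compared with the unrestricted alphabet, so it buys little against brute force while costing usability; and the `effective_key_bits` column stays pinned to the password's bits, not the key's, which is the risk raised above about putting a password in front of long keys.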

(1) http://searchwinit.techtarget.com/news/article/0,289142,sid1_gci850470,00.html
(2) http://www.infoworld.com/d/security-central/vendors-release-password-cracking-management-tools-737
(3) http://infoworld.com/d/security-central/test-strength-your-password-policy-437
