Comments: New Password Cracking Threat: Grid + your laptop

I couldn't see your promised comments at the end, but it doesn't seem too earth shattering to me. Psychometrics has been a staple of code breakers and safe crackers since long before we had computers. If the best they can do is rely on people choosing weak passwords, that sounds like good news to those of us who don't...

A thorough multi-word dictionary attack might have cracked the odd login password of mine over the years, but I never used a pass phrase consisting of dictionary words for encrypting sensitive data. Everyone with any sense knows you include mixed case, missspellings, and odd punctuation in a meaningless (to anyone else) combination... (and from what I have seen, most computer users don't have to try very hard to come up with some misspellings!)

I would be interested to know how they propose to detect steganographic data though...

Posted by Digbyt at March 29, 2005 11:32 PM

Grid computing has been a threat for a decade (or even longer). It's usually called "botnets" outside academia.

Posted by Florian Weimer at March 30, 2005 08:04 AM

There are straightforward countermeasures to this, namely password stretching algorithms that make it really slow to check a given password. Users need to pressure the security companies to improve their support for this functionality. Meanwhile it's a one line patch to GnuPG, passphrase.c:hash_passphrase(), look for the line which sets s2k->count to 96.

Try increasing it to the max value of 255 and see how long it takes to unlock your key using your pass phrase. If it's too long then try decreasing the value. Every drop of 16 speeds it up by a factor of 2. Aim at having it take a second or so, even longer if you have a slow machine. You can make your key a thousand times harder to brute force, if they get your machine.

Posted by Cypherpunk at March 31, 2005 04:01 PM
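
The count discussed in the comment above is OpenPGP's one-octet coded iteration count. As an added example (not GnuPG's code and not part of the original comments), this Python code decodes that octet per RFC 4880 section 3.7.1.3 and derives a key with iterated and salted S2K; the function names, sample salt and passphrase are constructed for illustration.

```python
import hashlib
import time

def decode_count(c: int) -> int:
    """Expand the coded count octet into the number of octets hashed."""
    if not 0 <= c <= 255:
        raise ValueError("coded count must fit in one octet")
    # Low 4 bits are a mantissa, high 4 bits an exponent: +16 doubles the work.
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int,
                        key_len: int = 16, hash_name: str = "sha1") -> bytes:
    """Iterated and salted S2K: hash salt+passphrase repeated up to the count."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is 8 octets")
    block = salt + passphrase
    # The whole salt+passphrase is always hashed at least once.
    count = max(decode_count(c), len(block))
    # Feed the hash in large chunks that end on a block boundary.
    chunk = block * max(1, 65536 // len(block))
    key, ctx = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)      # context n is preloaded with n zero octets
        left = count
        while left >= len(chunk):
            h.update(chunk)
            left -= len(chunk)
        h.update(chunk[:left])       # final partial repetition
        key += h.digest()
        ctx += 1
    return key[:key_len]

if __name__ == "__main__":
    salt = bytes(range(8))           # constructed sample salt
    for c in (96, 255):              # the two values named in the comment
        t0 = time.perf_counter()
        s2k_iterated_salted(b"constructed passphrase", salt, c)
        dt = time.perf_counter() - t0
        print(f"c={c:3d} octets hashed={decode_count(c):>9d} time={dt:.3f}s")
```

Each passphrase guess costs an attacker the same hashing work as the legitimate unlock, so the ratio between two decoded counts is the brute-force slowdown.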