[SEC] Uncrackable Passwords!


In the wake of the AT&T-NSA Scandal, this is exactly what everyone needs:

Every password today, no matter for what application or what it secures, is built on a base of 68 "letters" or characters. Some applications use less, but none use more. Brute force password cracking has become more and more viable due to the exponentially increasing power of individual machines and the even greater power of the government's cluster servers, making it now an easy and fast way of recovering any password.

But there is a solution. There are more than 1000 other letters that no one knows about! With these extra letters, it is possible to make passwords that are, for all practical purposes, uncrackable!

Link: Uncrackable Passwords :thumbup



While it's hard to say that there is, or is not, such a thing as an uncrackable password, I can vouch that using special characters and a password between 7 - 14 characters does make things extremely difficult, syskey or no syskey (2000 or higher). Syskey does help, however, in that the SAM db is also encrypted quite well.


Well, say we allow for any upper or lower case letter. That's 52 possibilities. Add the 10 numerical digits and their shifted symbols. That's 72. Add to that the other 11 symbols on a common computer keyboard plus their shifted symbols. That makes 94 possible characters. Don't forget the space bar - 95 possibilities.

Now, say we want an 8 character password from that set. That means each letter can be one of 95 possibilities, therefore an 8 character password has 95^8 possibilities - that's 6634204312890625 possibilities - over 6 quadrillion. Say now that your computer can brute force one possibility for each clock cycle (which is an extreme overestimate).

Assume a 2GHz CPU (realistically, all CPUs are within an order of magnitude of 2GHz, so changing it to 3GHz or 700MHz won't make a significant difference). That means the CPU is capable of trying 2 billion possibilities per second. Dividing the earlier result by 2 billion yields 3317102 seconds - or 38 days to crack that password by brute force.

Now realistically, the number of possibilities a 2GHz CPU can try per second is probably closer to 2000 rather than 2 billion. Therefore, we're talking 38 million days - or 105185 years to crack that password.

Long story short - if you make use of all the various characters your keyboard has to offer and you use a password of decent length, you probably don't have to worry about your password being brute forced ;)


I've routinely used characters in the 127-255 (high byte) range as passwords... the actual keyspace is ~ 224^8 for an 8 character password. A true 8-byte password would be 64 bits, whereas 224^8 is equivalent to approximately 62 bits of key.


While it's hard to say that there is, or is not, such a thing as an uncrackable password, I can vouch that using special characters and a password between 7 - 14 characters does make things extremely difficult, syskey or no syskey (2000 or higher). Syskey does help, however, in that the SAM db is also encrypted quite well.

Since you're in a position to know or find out... :)

Is the "Network security: Do not store LAN Manager hash value on next password change" going to default to Enabled for Vista/Longhorn Server?

It's something I already enable on our workstations, as well as "Send NTLMv2 response only\refuse LM and NTLM". I was just wondering if I'd continue to have to manually do so. :)


Is the "Network security: Do not store LAN Manager hash value on next password change" going to default to Enabled for Vista/Longhorn Server?

I honestly don't know if that will be enabled in Longhorn, and at this point it doesn't appear Vista is any different from XP in that regard (although that can still change, but I doubt it will).


I'd have to also take exception to the article's statement that 99+% of systems still use the old LM hash method. Maybe 99% of the SOHOs and home users are but, IMHO, any company w/an IT staff worth their salt has already shifted to NTLMv2. And if MS truly wants to even appear as if they are taking a more secure stance, they'll enable not storing the LM hash by default.

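An added example, not part of any post in this thread: it reproduces the brute-force arithmetic from the 95-character post above and extends it to show why the "Do not store LAN Manager hash" setting discussed in the last few posts matters. It relies on the documented LM behaviour (the password is uppercased, padded to 14 characters and hashed as two independent 7-character halves); the 69-character LM alphabet assumes the thread's 95 printable characters with lowercase folded away, and the guess rate is the thread's illustrative figure, not a measurement.

```python
import math

PRINTABLE_ASCII = 95                  # figure from the thread: letters, digits, symbols, space
LM_ALPHABET = PRINTABLE_ASCII - 26    # assumption: LM uppercases input, so a-z add nothing (69)

def keyspace(alphabet_size: int, length: int) -> int:
    """Count of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def bits(space: int) -> float:
    """Equivalent key length in bits."""
    return math.log2(space)

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second

def lm_search_space(length: int, alphabet_size: int = LM_ALPHABET):
    """Candidates needed to exhaust a stored LM hash.

    The two 7-character halves are hashed independently, so they are
    searched one after the other: the costs add instead of multiplying.
    Passwords longer than 14 characters get no usable LM hash -> None.
    """
    if length > 14:
        return None
    first, second = min(length, 7), max(length - 7, 0)
    total = keyspace(alphabet_size, first)
    if second:
        total += keyspace(alphabet_size, second)
    return total

def compare(length: int, rate: float) -> dict:
    """Full 95-character keyspace vs. LM search space for one length."""
    full, lm = keyspace(PRINTABLE_ASCII, length), lm_search_space(length)
    return {
        "length": length,
        "full_bits": round(bits(full), 1),
        "lm_bits": round(bits(lm), 1) if lm else None,
        "full_days": seconds_to_exhaust(full, rate) / 86400,
        "lm_days": seconds_to_exhaust(lm, rate) / 86400 if lm else None,
    }

if __name__ == "__main__":
    for n in (8, 14, 15):
        print(compare(n, rate=2e9))   # 2e9/s is the thread's deliberately generous rate
```

With the LM hash stored, a 14-character password costs no more to exhaust than two 7-character uppercase ones, which is why disabling LM hash storage (or using 15 or more characters) changes the estimate so sharply.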

well that explains everything

:blink:

it's just the number of possible characters raised to the number of characters in the password

so let's say there are 224 possible characters and that the password has 8 characters in it

the equation for the possible passwords is 224^8

now if it's a 64 character password, that is 224^64, now that is a huge number of possibilities, which is why cracking a password is almost impossible


If a computer has the storage space needed (two or three TB would be nice), using pre-computed hash tables would make the job a lot easier, and faster.

(~ 1/10 the time of a brute-force attack)

There are no uncrackable passwords, just some that will take a bit longer to crack.


Yes, but with a good password policy by the time the password is cracked it will probably have been changed. :)

Our current policy is minimum 8 characters, remember last 9, expire every 90 days. DISA "guidance" is something like 12 or so characters, remember something like the last 25 and expire every 45 days (or something to that effect...I'd have to look it up). Fortunately we don't have to adhere strictly to the guidance.

We're also going to be mandatory CAC logon soon as well so I'm hoping that will make things a bit easier (and adds a layer of physical security because you'll have to have the card with PIN).


That's a good implementation.

Multifactor authentication is the best method. Using 2 out of 3 is really good, however, using the 3 'areas' would be really cool.

Something you are (fingerprint, DNA)

Something you know (PIN, password)

Something you have (Smartcard)


Yes? Your point being?

There aren't any uncrackable passwords! Doesn't matter if they are 20 or 30 characters long, however, the time and processor time required to brute-force on a password that long makes it unthinkable.


Is the "Network security: Do not store LAN Manager hash value on next password change" going to default to Enabled for Vista/Longhorn Server?

It's something I already enable on our workstations, as well as "Send NTLMv2 response only\refuse LM and NTLM". I was just wondering if I'd continue to have to manually do so. :)

As of 5342: it doesn't look like it :(

If a computer has the storage space needed (two or three TB would be nice), using pre-computed hash tables would make the job a lot easier, and faster.

(~ 1/10 the time of a brute-force attack)

There are no uncrackable passwords, just some that will take a bit longer to crack.

But a precomputed hash table (such as governments use ATM) *does* need to be calculated at least once...

And remember, as long as it takes to make ONE table today, with this method, the government will need to spend 12,086,781x10^5 times LONGER to make a new one.... that is a hell of a long time :blink:

