Quoted:
Dictionary attacks are FASTER, but Brute Force attacks are, overall, more successful, because they will catch just about any password... eventually.
View Quote
True. No password is uncrackable. The key is to leverage the time it would take to crack a password with the time until a password is expired by the administration and has to be changed.
Iw!wiDhh.
That password would be impossible to crack via dictionary attack, and very hard for a brute force attack.
Not very hard, just time consuming.
View Quote
That's the point. Brute force attacks of random passwords with alternating case, insertion of characters like !@#$%^&*, and numbers significantly increases the time it would take to crack the password. Your passwords should be expried at least once every 90 days. I personally expire mine ever 30.
Also, modern PCs can brute force at an incredible rate.
View Quote
Depends upon the algorithm used. Using less intensive algorithms like RC4 with shorter length passwords does not take long. But using MD5, which is a much more complex algorithm, takes longer. Furthermore, the most effective way to brute force passwords is actually getting copies of the password file. Trying to do it remotely via POP services is a little more time consuming, as most POP servers should time out after 3 password attempts. Having to reestablish sessions also increases the time it takes. And any administrator worth their salt would notice so many failed auth attempts.
Recently, we had to crack a couple of (windows login) passwords in the office, and the 1.7GHz P4 we used for the task went through like sixteen million potential passwords a second.
View Quote
That has more to do with the inadequacies with the windows password hashing scheme than anything else. Breaking the password into two 7 or 8 byte boundaries and encrypting each half was a bad idea.
Considering that an eight character password made up of exclusively lowercase letters has 26^8 potential combinations (roughly 209 billion) a brute force attack will still take a while (three and a half hours, at the above rate) but it WILL get the job done.
View Quote
Start factoring alternating case, numbers, and the "!@#$^&" subset and refigure your timeframe. Each instance of one of those characters is an order of magnitude in your time calculations, is it not?
Again, your'e balancing time to crack vs. time to expire.
Also, some of these tools will run in a distributed environment--if you've got enough hardware, nothing is beyond your reach.
View Quote
Sure. At Enron I had l0phtcrack running on a farm of 12 dual PIII servers. Easy passwords like dictionary words were cracked fairly quickly, but brute force attacks still took lots of time for those passwords that didn't get cracked via dictionary attacks. Running for 4 weeks on my existing setup, I still only had about 70% discovery of passwords.
Did I mention the company I worked for managed the distributed.net master server until recently being bought out?
Remember the Alamo, and God Bless Texas...