The Register reports more advances in brute force password cracking. Swiss security firm Objectif Sécurité used Solid State Drives (SSD) to store rainbow tables and consequently speed up each brute force attack. The read speed from an SSD is typically quicker than that from a traditional drive, which is why there is an overall performance increase.
Objectif Sécurité claims a throughput of 300 billion passwords per second when attacking a Windows XP MD4 password hash.
My own testing using Objectif Sécurité’s online proof of concept easily cracked the passwords from my test XP machine including the complex x%fF*Z3$. It couldn’t crack my 29 character pass phrase from Size Does Matter, but this is because Windows XP stores passwords longer than 14 characters in a different way.
Of course the default LMHash used with MD4 to store Windows XP passwords is weak and has largely been replaced in modern operating systems. However the speed improvement can be applied to accelerate brute force attacks on other algorithms.
What does this mean in real terms? It was already true that if someone could get physical access to your XP PC, they could extract your data. Now it is trivial to steal your passwords as well, which of course opens up all sorts of identity theft related crime possibilities. This makes disk encryption, and not reusing passwords more important that ever.
For info, I “harvested” the passwords on my XP machine by booting from my favourite Linux Live CD, Backtrack. I then used Bkhive to extract the key used to encrypted the SAM file where the LMHashes are stored. Finally I used Samdump2 to extract the hashes themselves.
No comments:
Post a Comment