Prev: Criticism of a proposed floating point (cs)prng requested.
Next: Question About Cryptographically Hashing a Hash (SHA-512), Then Hashing That Hash, Etc.
From: Ohm on 4 Jun 2010 07:41 I have encrypted my data with this passphrase (example passphrase): ()Hnnn&&/7+BarakObama If I understand it correctly a brute force attack will keep trying dictionary words until it finds a match. My concern is this, will an attacker find out every single digit of my passphrase while cracking it or do they have to wait to get to get the whole pass phrase before knowing what it was? I am thinking that once an attacker has seen that my passphrase is composed of: ()Hnnn&&/7+Barak They may stop cracking and try Obama next after they have found the word Barak, this could make it quicker for them to crack the pass phrase. Am I correct in this? Thank you
From: mike clark on 4 Jun 2010 10:01 On Jun 4, 5:41 am, Ohm <O...(a)no.no> wrote: > I have encrypted my data with this passphrase (example passphrase): > > ()Hnnn&&/7+BarakObama > > If I understand it correctly a brute force attack will keep trying > dictionary words > until it finds a match. > > My concern is this, will an attacker find out every single digit of my > passphrase > while cracking it or do they have to wait to get to get the whole pass > phrase before > knowing what it was? > > I am thinking that once an attacker has seen that my passphrase is > composed of: > > ()Hnnn&&/7+Barak > > They may stop cracking and try Obama next after they have found the word > Barak, > this could make it quicker for them to crack the pass phrase. > > Am I correct in this? > > Thank you Most likely they will have to get the whole password. In my undergrad security class, however, we talked about an old OS (can't remember which one) that would check the password one character at a time. An attacker could then use timing analysis to crack the password letter by letter. In that case, yes, it might make the brute force of something like you described easier. With any modern OS the attacker will have to get the entire password though.
From: Maaartin on 4 Jun 2010 18:33 On Jun 4, 4:01 pm, mike clark <m...(a)netadv.net> wrote: > Most likely they will have to get the whole password. In my undergrad > security class, however, we talked about an old OS (can't remember > which one) that would check the password one character at a time. An > attacker could then use timing analysis to crack the password letter > by letter. In that case, yes, it might make the brute force of > something like you described easier. With any modern OS the attacker > will have to get the entire password though. Unless you use Windows with "LM hash", which is AFAIK still on by default. But I'm far from calling it a modern system.
From: Stewart Malik on 5 Jun 2010 21:20 > Unless you use Windows with "LM hash", which is AFAIK still on by > default. But I'm far from calling it a modern system. Since Vista NTLM hashing was used. Don't know why it's still insecure.
From: Maaartin on 6 Jun 2010 06:42
On Jun 6, 3:20 am, Stewart Malik <mali0...(a)gmail.com> wrote: > > Unless you use Windows with "LM hash", which is AFAIK still on by > > default. But I'm far from calling it a modern system. > > Since Vista NTLM hashing was used. Don't know why it's still insecure. I don't know *if* it's still insecure. But who cares about Vista? For kiddies the fancy look&feel may be important, but many businesses don't want to pay the cost for the transfer and risk that nothing more work. Companies are still running XP or Server 2000, etc. However, the "ideas" behind the LM hash are simply criminal: - processing the password in 7 char long chunks. - converting into uppercase - restricting to ANSI charset - missing salt Something as stupid as this might be acceptable for a freeware made by a small company, but not when made by a monopolist OS vendor. They should have been ordered to switch it off immediately and pay for all the resulting costs. |