In 2002, successfully found a 64-bit RC5 key in four years, in an effort which included over 300,000 different computers at various times, and which generated an average of over 12 billion keys per second. When ordinary desktop computers are combined in a cracking effort, as can be done with botnets, the capabilities of password cracking are considerably extended. 2 30 is only one billion permutations and would take an average of 16 minutes to crack.
A user-selected eight-character password with numbers, mixed case, and symbols, reaches an estimated 30-bit strength, according to NIST. Individual desktop computers can test over a hundred million passwords per second using password cracking tools that run on a general purpose CPU and billions of passwords per second using GPU-based password cracking tools. For example, one commercial product claims to test 103,000 WPA PSK passwords per second. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data. Another situation where quick guessing is possible is when the password is used to form a cryptographic key. If not, the rate depends on whether the authentication software limits how often a password can be tried, either by time delays, CAPTCHAs, or forced lockouts after some number of failed attempts. If a hash of the target password is available to the attacker, this number can be quite large. The ability to crack passwords using computer programs is also a function of the number of possible passwords per second which can be checked. Higher password bit strength increases exponentially the number of candidate passwords that must be checked, on average, to recover the password and reduces the likelihood that the password will be found in any cracking dictionary. More common methods of password cracking, such as dictionary attacks, pattern checking, word list substitution, etc., attempt to reduce the number of trials required and will usually be attempted before brute force.
One example is brute-force cracking, in which a computer tries every possible key or password until it succeeds. Most methods of password cracking require the computer to produce many candidate passwords, each of which is checked. The time to crack a password is related to bit strength ( see password strength) which is a measure of the password's information entropy.
0 kommentar(er)
