Passwords alone can't protect your network

It takes more than a strong password policy to withstand the threats posed by cheap cloud computing services and hackers' cracking software

A German researcher's claim that he has found a way to leverage Amazon's EC2 service to crack wireless passwords raises an important question: Have passwords outlived their usefulness?

InfoWorld analyst Ted Samson reported this week that the researcher was able to use customized software running on a multicomputer cloud system to crack wireless WPA preshared keys in as little as six minutes for a few dollars or less.


This threat isn't entirely surprising. To slightly paraphrase computer security expert Bruce Schneier, password attacks only become more effective over time. Yesterday's long and secure passwords become tomorrow's easily hackable passwords. A decade ago, a 6-character password provided most people a lot of protection. Today, it's likely that 10-character passwords are susceptible to assault, even when they're strong and employ authentication protocols.

Precloud password cracking
Cloud computing and its ability to bring in cheap, elastic computing and storage resources are certainly putting pressure on passwords, but there are other factors to consider. Five years ago I was using the John the Ripper password hash cracking program to make tens of millions of password guesses per second. I thought that was extraordinary. Then password crackers started using GPU (graphics processing unit) chips from standard PC video cards and gaming systems to increase password cracking speeds by as much as 100 times. In fact, it's cloud computing with GPUs that led to the recent superquick wireless WPA-PSK exploit.

But cloud computing isn't even necessary to take advantage of the benefits of parallel computing. Using Distributed John the Ripper and other password crackers, such as Passware Password Kit Forensics or Elcomsoft's Distributed Password Recovery product, password hackers have long been able to take advantage of every CPU under their control.

Anyone can even buy dedicated hardware units that use FPGA (field-programmable gate array) circuits, such as Tableau's TACC1441, which has 16 FPGAs. It claims to boost password cracking speed by between 6 and 30 times compared to regular, nonaccelerated computers. Further, several TACC systems (less than $5,000 each, including software) can be connected to crack even faster.
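To put these speedups in password-policy terms, the following added example (not part of the original article) computes how long a 6-character password survives exhaustive guessing and the minimum length needed to hold out for a year. The 95-character printable ASCII alphabet and the 10 million guesses per second baseline are assumptions; the 6x, 30x and 100x factors are the ones quoted above.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumptions (not from the article): 95 printable ASCII characters, and a
# 10 million guesses/second baseline standing in for "tens of millions".
CHARSET = 95
BASE_RATE = 10_000_000
# Speedup factors quoted in the article.
SPEEDUPS = {"CPU baseline": 1, "FPGA low": 6, "FPGA high": 30, "GPU": 100}


def worst_case_seconds(charset, length, rate):
    """Time to try every password of exactly `length` characters.

    Assumes uniformly random passwords; the average case is half this, and
    human-chosen passwords fall much sooner to dictionary guessing.
    """
    return charset ** length / rate


def min_length(charset, rate, years):
    """Shortest length whose full keyspace outlasts `years` of guessing."""
    guesses = rate * years * SECONDS_PER_YEAR
    length = 1
    while charset ** length < guesses:
        length += 1
    return length


def policy_table(charset=CHARSET, base_rate=BASE_RATE, years=1):
    """Minimum length per attacker class, keyed by the labels in SPEEDUPS."""
    return {name: min_length(charset, base_rate * factor, years)
            for name, factor in SPEEDUPS.items()}


if __name__ == "__main__":
    for name, factor in SPEEDUPS.items():
        rate = BASE_RATE * factor
        hours = worst_case_seconds(CHARSET, 6, rate) / 3600
        print(f"{name:12} 6 chars: {hours:8.2f} h   "
              f"1-year minimum: {min_length(CHARSET, rate, 1)} chars")
```

Each added character multiplies the attacker's work by 95, so a 100-fold speedup is offset by roughly one extra character, while a policy pinned at a fixed length loses that margin for good.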

If you already have the password hash, you can try it against any of the many online rainbow table hash crackers; alternatively, you can download the tables to crack it yourself without exposing your treasured hash to a complete stranger.
