GPU-Accelerated Wi-Fi password cracking goes mainstream
Summary: No weak password can survive a GPU-accelerated password recovery attack. Wireless Security Auditor, released last week, is set to shorten the time it takes a network administrator to pen-test the strength of the WPA/WPA2-PSK passwords used on the wireless network.
No weak password can survive a GPU-accelerated password recovery attack. Wireless Security Auditor, released last week, is set to shorten the time it takes a network administrator to pen-test the strength of the WPA/WPA2-PSK passwords used on the wireless network. Its core feature, cutting wireless password recovery time by up to a hundredfold depending on the GPU used, will naturally also give unethical wardrivers the means to easily guess 8-character passwords, which can no longer be considered secure.
What's particularly interesting about the Wireless Security Auditor is that it attempts the password recovery in an offline/stealth mode, instead of the noisy approach of brute-forcing the router directly:
"Elcomsoft Wireless Security Auditor works completely off-line, undetectable by the Wi-Fi network being probed, by analyzing a dump of network communications in order to attempt to retrieve the original WPA/WPA2-PSK passwords in plain text. Elcomsoft Wireless Security Auditor requires a valid log of wireless communications in standard tcpdump format. The tcpdump format is supported by all commercial Wi-Fi sniffers. In order to audit your wireless network, at least one handshake packet must be present in the tcpdump file."
Meanwhile, pen-testing companies have once again urged IT managers and end users to move beyond the 8-character password strength myth and anticipate the risks posed by the increasingly efficient password recovery solutions hitting the market:
"David Hobson said: 'It's a wake-up call to IT managers, pure and simple. IT managers should now move to 12 and even 16 character keys as a matter of urgency. It's not very user-friendly, but the potential consequences of staying with eight character keys do not bear thinking about.'"
As previously discussed, best-practice wake-up calls remain largely ignored, prompting radical solutions in countries such as India, which recently announced that a wardriving police unit will be locating insecure wireless networks and notifying the owners in order to "prevent the commission of a cognizable offense".
Talkback
8? 12? 16? In a business?
And my router password is 13 characters.
user issues
It took me 8 months of [b]serious[/b] battling to allow me to take an 8-12 character alpha-only password up to 8+ base64 password combo. And that only changed when I was able to 'hack' the CEO's laptop by using a bluetooth enabled video camera.
Humm
But - point taken. I personally don't have the real world experience you have (finishing up college), but I am aware that yes, sometimes users can be a bit of a pain, especially when it comes to passwords.
Tokens
RE: GPU-Accelerated Wi-Fi password cracking goes mainstream
Seriously...? The harm?
Yes.
Depends - for many people, it also acts like a hardware router. If the hackers can hack it, they can redirect packets. This is a spammer's dream come true.
"Does sharing slow down my bandwidth?"
Yes. Duh. Unless you have infinite bandwidth, this is like asking if 1+1=2.
Responsible networking
Enabling encryption on your device (if it's of ANY quality) will have a negligible impact on performance. I have a 50ish character WPA2 (AES-CCMP), alpha-numeric, special symbols, etc. - and randomized - and I have no performance issues.
Why? Two very good reasons I can think of right off the bat
Legal problems too...
But in some places (like here in Germany), you are legally responsible for everything that travels over your DSL connection. If they spam or upload kiddie-pr0n, share music etc. and you haven't kept a security log of who accessed your network, when and what they did, you are legally responsible:
If you have an open wi-fi network, you are considered to be acting as a service provider and have the same responsibilities - keeping track of who used your network and what they were doing.
I don't know how that is treated in the States, but if you end up with the RIAA beating your door down, asking for money, you won't have a fall back, unless you can show evidence that somebody else was sending/receiving the music over your connection - and that is one of the less scary scenarios... Better than the police or FBI smashing your door down, dragging you away and confiscating your equipment etc... :-S
Guilty until proven innocent
So I could just sneak into someone's house, download kiddie porn on their computer, and as long as I didn't leave any fingerprints, hair, etc., they would get sent off to prison and nothing would happen to me?
Mmm.
This system really rocks. The law definitely hurts criminals not good guys.
[/sarcasm]
Figured I should add this tag since some people are too stupid to get that I was being sarcastic.
Most home networks don't need to be secured
Most users set up their network so they can access the internet from several different computers, and don't have it set up to access different devices within their network. In this way, it's just like having a direct connection to the internet without wifi.
And for most users, it's not going to make any difference to their performance if someone else is sharing their connection. I could have my whole street hopping on my router and it wouldn't make a difference.
Kiddie porn??? If your next door neighbor is downloading kiddie porn, you probably have bigger issues to be concerned about (like the fact that your neighbor is a pedophile).
Finally, charges for excess usage - how about nationalizing the ISPs? If they can't handle it, maybe they should get into a different business.
Neighbor?
Let me try to put it simply for you.
People can just drive by your house anonymously, without even exiting their vehicle, download/upload whatever they want through your connection, and drive away, before you even knew what happened. If any of this was illegal, expect the feds to show up at your door shortly after.
Does that put things into proportion better?
Well . . .
RE: GPU-Accelerated Wi-Fi password cracking goes mainstream
What about LAN?
Also, is 8 too short when randomly generating passwords with mixed-case letters, digits and special characters (for Windows and *nix sessions)?
re: LAN
This particular example is specific to wireless - the encryption is needed because radio waves can be detected from a distance and unlike a cable you're not in total control of its range and where you can access it. The encryption, therefore acts like a virtual "wire" only allowing people who are allowed to access the network to access it.
[i]However,[/i] the ability to use GPUs to accelerate brute force cracking can be generalized, so yeah this can theoretically be used anywhere where an offline attack is available.
"Also, is 8 too short when randomly generating passwords with mixed-case letters, digits and special characters (for Windows and *nix sessions)?"
Even without this technique, 8 characters is a minimum, and to be honest, it's getting to be pretty weak. If you had 256 characters to choose from (and that's being extremely generous), then that's 64 bits. For many encryption algorithms, that may not be enough - it's much safer to have a 128 bit or larger key.
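The following Python is an added example, not part of the article or of the commenter's post. It shows two things the thread argues in words: the fixed per-guess cost an offline WPA/WPA2-PSK audit pays (the PBKDF2-HMAC-SHA1 derivation of the Pairwise Master Key, salted with the SSID, 4096 iterations, as specified in IEEE 802.11i), and how the 64-bit / 128-bit yardstick above maps onto 8, 12 and 16 character keys. The 10,000 guesses per second baseline is a constructed figure for illustration; the hundredfold GPU factor is the article's.

```python
import hashlib
import math

# WPA/WPA2-PSK (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
# An offline auditor must repeat this for every candidate passphrase it tests against
# a captured handshake, so passphrase length is the defender's only knob; the SSID salt
# means a non-default SSID defeats precomputed tables.
def derive_pmk(passphrase: str, ssid: str) -> bytes:
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)

# Character classes used to estimate the alphabet a random passphrase was drawn from.
CLASSES = (
    set("abcdefghijklmnopqrstuvwxyz"),
    set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    set("0123456789"),
    set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"),  # 33 printable ASCII symbols
)

def entropy_bits(passphrase: str) -> float:
    """Entropy of a randomly generated passphrase: length * log2(alphabet size)."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every key of the given size at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second

def rate_passphrase(passphrase: str, guesses_per_second: float) -> dict:
    """Verdict using the 64-bit / 128-bit yardsticks from the discussion."""
    bits = entropy_bits(passphrase)
    verdict = "weak" if bits < 64 else "adequate" if bits < 128 else "strong"
    years = seconds_to_exhaust(bits, guesses_per_second) / (365.25 * 86400)
    return {"bits": round(bits, 1), "verdict": verdict, "years_to_exhaust": years}

if __name__ == "__main__":
    CPU_RATE = 10_000.0          # constructed baseline, guesses per second
    GPU_RATE = CPU_RATE * 100    # the article's "up to a hundred times" speed-up
    # Constructed sample passphrases drawn from the full printable ASCII alphabet.
    for sample in ("Ab1!Ab1!", "Ab1!Ab1!Ab1!", "Ab1!Ab1!Ab1!Ab1!"):
        cpu, gpu = rate_passphrase(sample, CPU_RATE), rate_passphrase(sample, GPU_RATE)
        print(f"{len(sample):2d} chars  {cpu['bits']:6.1f} bits  {cpu['verdict']:8s}"
              f"  CPU {cpu['years_to_exhaust']:.3g} y  GPU {gpu['years_to_exhaust']:.3g} y")
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
```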
Depends
If you aren't storing the LM Hash, and you are using the highest lanman level "NTLMv2 only - Refuse LM & NTLM" then you are pretty safe as long as you aren't using lame passwords.
In Linux, use fail2ban; it will monitor /var/log/secure and configure iptables to ban the offending IP address.
Authentication is important
RE: GPU-Accelerated Wi-Fi password cracking goes mainstream
As for the "undetectable offline" attack, that is the only way I know of actually doing it. You need a WPA handshake, then you use that packet to test your keys.