GPU-Accelerated Wi-Fi password cracking goes mainstream

Summary: No weak password can survive a GPU-accelerated password recovery attack. Last week's release of Wireless Security Auditor promises to shorten the time it takes a network administrator to pen-test the strength of the WPA/WPA2-PSK passwords used on a wireless network.

No weak password can survive a GPU-accelerated password recovery attack. Last week's release of Wireless Security Auditor promises to shorten the time it takes a network administrator to pen-test the strength of the WPA/WPA2-PSK passwords used on a wireless network. Its core functionality, cutting wireless password recovery time by up to a hundred times depending on the GPU used, will naturally also empower unethical wardrivers with the ability to easily guess 8-character passwords, which can no longer be considered secure.

What's particularly interesting about the Wireless Security Auditor is that it performs the password recovery in an offline/stealth mode, rather than the noisy approach of brute-forcing the router directly:

"Elcomsoft Wireless Security Auditor works completely off-line, undetectable by the Wi-Fi network being probed, by analyzing a dump of network communications in order to attempt to retrieve the original WPA/WPA2-PSK passwords in plain text. Elcomsoft Wireless Security Auditor requires a valid log of wireless communications in standard tcpdump format. The tcpdump format is supported by all commercial Wi-Fi sniffers. In order to audit your wireless network, at least one handshake packet must be present in the tcpdump file."

Meanwhile, pen-testing companies have once again urged IT managers and end users to move beyond the 8-character password strength myth and anticipate the risks posed by the increasingly efficient password recovery solutions hitting the market:

David Hobson said: "It's a wake-up call to IT managers, pure and simple. IT managers should now move to 12 and even 16 character keys as a matter of urgency. It's not very user-friendly, but the potential consequences of staying with eight character keys do not bear thinking about."

As previously discussed, best-practice wake-up calls remain largely ignored, prompting radical solutions in countries like India, which recently announced that a wardriving police unit will locate insecure wireless networks and notify the owners in order to "prevent the commission of a cognizable offense".
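To make the two points above concrete, here is an added example (not code from the article or from Elcomsoft): it derives the WPA/WPA2-PSK Pairwise Master Key the way a station or access point does, which is the fixed per-guess cost that a captured handshake lets an attacker pay offline, and it turns the 8/12/16-character advice into keyspace bits and exhaustive-search time. The hundred-fold GPU factor is taken from the article as an assumption, and the 95-symbol printable-ASCII alphabet is an assumption too.

```python
import hashlib
import math
import time

# WPA/WPA2-PSK derives the 256-bit Pairwise Master Key (PMK) from the passphrase
# with PBKDF2-HMAC-SHA1, salted with the SSID, over 4096 iterations (IEEE 802.11i).
# The PMK is 32 bytes and SHA-1 yields 20, so PBKDF2 computes two blocks: 8192
# HMAC-SHA1 calls per candidate passphrase. That fixed cost is what a GPU
# parallelises once a 4-way handshake has been captured and guessing goes offline.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
PRINTABLE_ASCII = 95  # assumed alphabet: mixed-case letters, digits, symbols


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as a station or access point does."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def keyspace_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random passphrase of this length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Worst-case time to try every passphrase of this length at the given rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def measure_cpu_guess_rate(ssid: str = "IEEE", samples: int = 20) -> float:
    """Single-core PBKDF2 rate on this machine, the baseline a GPU multiplies."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate{i}", ssid)  # constructed throwaway candidates
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Known-answer check from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    assert wpa_pmk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")
    cpu_rate = measure_cpu_guess_rate()
    gpu_rate = cpu_rate * 100  # assumed: the "up to a hundred times" figure above
    print(f"CPU: {cpu_rate:,.0f} guesses/s, assumed GPU: {gpu_rate:,.0f} guesses/s")
    for length in (8, 12, 16):
        print(f"{length} chars = {keyspace_bits(length):.0f} bits, "
              f"exhaustive search on GPU ~ {years_to_exhaust(length, gpu_rate):.3g} years")
```

Each extra character multiplies the worst-case search by the alphabet size, so moving from 8 to 12 characters buys roughly 95^4 (about 26 bits) regardless of how fast the hardware gets.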

Dancho Danchev

  • 8? 12? 16? In a business?

    Hell, my own key is 20 characters AT HOME! I would hope any sensible IT manager would use way more than 8!

    And my router password is 13 characters.
    • user issues

      The biggest problem I've found in attempting strong passwords is the yelling and screaming of users, in particular senior and executive management. The average user just grumbles and puts up with it but several senior and executive staff where I work are insulted that they have to do the same stuff as everyone else.

      It took me 8 months of [b]serious[/b] battling to allow me to take an 8-12 character alpha-only password up to 8+ base64 password combo. And that only changed when I was able to 'hack' the CEO's laptop by using a bluetooth enabled video camera.
      • Humm

        Humm, well, in this case, it's the wi-fi password, so it's not an everyday password needed to login.

        But - point taken. I personally don't have the real world experience you have (finishing up college), but I am aware that yes, sometimes users can be a bit of a pain, especially when it comes to passwords.
        • Tokens

          The heart of the article is for Wi-Fi PSKs, but for general logons, that's why tokens (RSA SecurIDs, Smart Cards, USB keys) are the way to go. Makes a very secure password, usually secured by a 6-8 digit PIN (again usually with a three strikes, you're out rule to lock the token). To get back to the Wi-Fi PSK, I personally use 50ish alphanumeric + special character, randomized, at the WPA2 only level...but WPA2-ENT (802.1x authentication via Certificate) seems the best way to go.
  • RE: GPU-Accelerated Wi-Fi password cracking goes mainstream

    Tell me why I should password secure my home wifi again? Does sharing slow down my bandwidth?
    Seriously...? The harm?
    • Yes.

      "Tell me why I should password secure my home wifi again?"

      Depends - for many people, it also acts like a hardware router. If the hackers can hack it, they can redirect packets. This is a spammer's dream come true.

      "Does sharing slow down my bandwidth?"

      Yes. Duh. Unless you have infinite bandwidth, this is like asking if 1+1=2.
    • Responsible networking

      Well, for you specifically, maybe - maybe not. Now if you have Comcast or another cable system, you could be harming the other users by letting everyone else use your HSI connection to download what they wish (oh and be advised, you'll be left holding the bag for whatever crosses your pipes).

      Enabling encryption on your device (if it's of ANY quality) will give you a negligible impact on performance. I have a 50ish character WPA2 (AES-CCMP), alpha-numeric, special symbols, etc - and randomized - and I have no performance issues.
    • Why? Two very good reasons I can think of right off the bat

      Kiddie porn and illegal file sharing of copyrighted media files. If you leave your network unsecured, anyone with access can download the aforementioned files and it's your modem that will be identified to your ISP. That enough to scare you into securing your network?
    • Legal problems too...

      As the others have said, it does rob you of bandwidth and allows people to spam from your location...

      But in some places (like here in Germany), you are legally responsible for everything that travels over your DSL connection. If they spam or upload kiddie-pr0n, share music etc. and you haven't kept a security log of who accessed your network, when and what they did, you are legally responsible:

      If you have an open wi-fi network, you are considered to be acting as a service provider and have the same responsibilities - keeping track of who used your network and what they were doing.

      I don't know how that is treated in the States, but if you end up with the RIAA beating your door down, asking for money, you won't have a fall back, unless you can show evidence that somebody else was sending/receiving the music over your connection - and that is one of the less scary scenarios... Better than the police or FBI smashing your door down, dragging you away and confiscating your equipment etc... :-S
      • Guilty until proven innocent

        Good ol' justice systems!

        So I could just sneak into someone's house, download kiddie porn on their computer, and as long as I didn't leave any fingerprints, hair, etc., they would get sent off to prison and nothing would happen to me?

        This system really rocks. The law definitely hurts criminals not good guys.

        Figured I should add this tag since some people are too stupid to get that I was being sarcastic..
    • Most home networks don't need to be secured

      I think a lot of tech types really overestimate how important security is for home networks.
      Most users set up their network so they can access the internet from several different computers, and don't have it set up to access different devices within their network. In this way, it's just like having a direct connection to the internet without wifi.
      And for most users, it's not going to make any difference to their performance if someone else is sharing their connection. I could have my whole street hopping on my router and it wouldn't make a difference.
      Kiddie porn??? If your next door neighbor is downloading kiddie porn, you probably have bigger issues to be concerned about (like the fact that your neighbor is a pedophile).
      Finally, charges for excess usage - how about nationalizing the ISPs? If they can't handle it, maybe they should get into a different business.
      • Neighbor?

        You are either extremely deluded, extremely confused, or both.

        Let me try to put it simply for you.

        People can just drive by your house anonymously, without even exiting their vehicle, download/upload whatever they want through your connection, and drive away, before you even knew what happened. If any of this was illegal, expect the feds to show up at your door shortly after.

        Does that put things into proportion better?
  • Well . . .

    Well, since this is the Wi-Fi password we're talking about, I use a completely random, generated password at the maximum length. Windows stores it and never forgets it anyways, so there's really no need to make it something easy to memorize.
  • RE: GPU-Accelerated Wi-Fi password cracking goes mainstream

    other than having someone stealing the bandwidth that you're paying for, there is also the possibility that the person using your bandwidth may be doing nasty stuff. Depending on the local laws where you are, you (as the account holder) may be considered either complicit or partially liable in any crime in a civil court that the leecher may do as your network is open.
  • what about LAN ?

    Is this specific to wifi or can something similar be used on a wired LAN (by dishonest employees)?

    Also, is 8 too short when randomly generating passwords with mixed-case letters, digits and special characters (for Windows and *nix sessions)?
    • re: LAN

      "Is this specific to wifi or can something similar be used on a wired LAN (by dishonest employees)?"

      This particular example is specific to wireless - the encryption is needed because radio waves can be detected from a distance and unlike a cable you're not in total control of its range and where you can access it. The encryption, therefore acts like a virtual "wire" only allowing people who are allowed to access the network to access it.

      [i]However,[/i] the ability to use GPUs to accelerate brute force cracking can be generalized, so yeah this can theoretically be used anywhere where an offline attack is available.

      "Also, is 8 too short when randomly generating passwords with mixed-case letters, digits and special characters (for Windows and *nix sessions)?"

      Even without this technique, 8 characters is a minimum, and to be honest, it's getting to be pretty weak. If you had 256 characters to choose from (and that's being extremely generous), then that's 64 bits. For many encryption algorithms, that may not be enough - it's much safer to have a 128 bit or larger key.
    • Depends

      If you aren't storing the LM Hash, and you are using the highest lanman level "NTLMv2 only - Refuse LM & NTLM" then you are pretty safe as long as you aren't using lame passwords.

      In Linux, use fail2ban; it will monitor /var/log/secure and configure iptables to ban the offending IP address.
  • Authentication is important

    Any enterprise network should use WPA/WPA2 with RADIUS authentication to a user database. Anything less, would be very irresponsible of the IT department. It's not that hard to setup and there are plenty of guides on the internet to assist.
  • RE: GPU-Accelerated Wi-Fi password cracking goes mainstream

    DAAAAAM talk about old news, this would have been a cool article had it come out 6 months ago.

    As for the "undetectable offline" attack, that is the only way I know of actually doing it. You need a WPA handshake, then you use that packet to test your keys.
    • RE: GPU-Accelerated Wi-Fi password cracking goes mainstream

      [b]DAAAAAM talk about old news, this would have been a cool article had it come out 6 months ago.[/b] Agreed. What is the point of this article when there already was a big stink about it in early Sept. 2008. Stay a little bit more current on security issues and this may have been something to read about.
      Anonymous Benefactor