
### Topic: password checker 'Brute Force' (Read 5840 times)

#### enanthate

#15
##### Oct 25, 2013, 12:15 am

> Unless you're expecting somebody to use an Arduino to crack your password (which would be a weird thing for them to do), is there any reason to do this on an Arduino? The algorithm would be easier and quicker to develop on a PC and would run massively faster.

Add the correct delay, and you can see how much time it would actually take to hack your password.
As for my password, without a delay: 212 microseconds.
Now, with a delay of only 5 ms: 1901596(!) microseconds.

#### cjdelphi

#16
##### Oct 25, 2013, 02:00 am

> > Unless you're expecting somebody to use an Arduino to crack your password (which would be a weird thing for them to do), is there any reason to do this on an Arduino? The algorithm would be easier and quicker to develop on a PC and would run massively faster.
>
> Add the correct delay, and you can see how much time it would actually take to hack your password.
> As for my password, without a delay: 212 microseconds.
> Now, with a delay of only 5 ms: 1901596(!) microseconds.

I think you need a longer password.....

#### enanthate

#17
##### Oct 25, 2013, 04:16 am

My password consists of 4 letters and 5 numbers. I would almost have to be paranoid to worry about it. Aka, it's good enough.

#### cjdelphi

#18
##### Oct 25, 2013, 04:25 am
> Add the correct delay, and you can see how much time it would actually take to hack your password.
> As for my password, without a delay: 212 microseconds.
> Now, with a delay of only 5 ms: 1901596(!) microseconds.

"My password" 212 microseconds how??? Sounds wayyyyy too fast to crack your password of that length; even 212 seconds sounds too quick.

#### Nick Gammon

#19
##### Oct 25, 2013, 07:28 am

> My password consists of 4 letters and 5 numbers. I would almost have to be paranoid to worry about it. Aka, it's good enough.

That has an entropy of:

`log(36^9)/log(2) = 46.5 bits`

Or alternatively (different method):

`log(36)/log(2) * 9 = 46.5 bits`

That's assuming the cracker expected it to be alphanumeric. If they tried 4 letters and 5 digits it would be:

`log(26)/log(2) * 4 + log(10)/log(2) * 5 = 35.41 bits`

A 35 bit password is hardly secure.


Your password looks like it might just be a word and a few digits. This is a very common pattern and would be cracked very quickly.
Please post technical questions on the forum, not by personal message. Thanks!

http://www.gammon.com.au/electronics
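An added example, not code from the thread or from any poster: it recomputes the entropy figures above and then shows how a fixed per-attempt delay, like the 5 ms delay discussed for the Arduino sketch, changes the worst-case time to exhaust the keyspace. The class names and rates are assumptions chosen for illustration.

```python
# Added example (not code from the thread): recomputes the entropy figures
# from the post above and shows how a fixed per-attempt delay, like the
# 5 ms delay discussed for the Arduino sketch, changes the worst-case time.
import math

# Character-class sizes used in the post: one case of letters, the digits,
# and the 36-symbol alphanumeric alphabet a cracker would assume first.
CLASS_SIZES = {"lower": 26, "digit": 10, "alnum": 36}


def entropy_bits_uniform(alphabet_size: int, length: int) -> float:
    """Entropy when every position may hold any of alphabet_size symbols.

    log(36^9)/log(2) is computed as 9 * log2(36) to avoid the huge power.
    """
    return length * math.log2(alphabet_size)


def entropy_bits_structured(layout: dict) -> float:
    """Entropy when the attacker knows the class of each position.

    layout maps class name -> count, e.g. {"lower": 4, "digit": 5}.
    """
    return sum(n * math.log2(CLASS_SIZES[cls]) for cls, n in layout.items())


def keyspace(bits: float) -> float:
    """Number of candidates that must be tried to exhaust the space."""
    return 2.0 ** bits


def worst_case_seconds(bits: float, seconds_per_attempt: float) -> float:
    """Worst-case time to exhaust the keyspace at a fixed cost per attempt."""
    return keyspace(bits) * seconds_per_attempt


if __name__ == "__main__":
    alnum = entropy_bits_uniform(36, 9)
    structured = entropy_bits_structured({"lower": 4, "digit": 5})
    print(f"9 alphanumeric chars : {alnum:.2f} bits")
    print(f"4 letters + 5 digits : {structured:.2f} bits")
    # A 5 ms delay per guess (the Arduino sketch) versus a fast offline
    # guess against a stolen hash at an assumed 1 microsecond each.
    for label, cost in (("5 ms per attempt", 5e-3), ("1 us per attempt", 1e-6)):
        years = worst_case_seconds(alnum, cost) / (86400 * 365.25)
        print(f"{label}: about {years:,.0f} years worst case")
```

The per-attempt delay only helps against online guessing; once a hash has been stolen, the attacker sets the rate, which is why the later posts turn to salting and lookup tables.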

#### enanthate

#20
##### Oct 25, 2013, 02:35 pm

> > Add the correct delay, and you can see how much time it would actually take to hack your password.
> > As for my password, without a delay: 212 microseconds.
> > Now, with a delay of only 5 ms: 1901596(!) microseconds.
>
> "My password" 212 microseconds how??? Sounds wayyyyy too fast to crack your password of that length; even 212 seconds sounds too quick.

Yes, but this is for the Arduino. How often is Arduino used to hack passwords? Anyway, set it up against Hotmail for example, and it will take waaay more than 212 seconds.

Nick: Your math is too heavy for me, so I can't argue with you. But I can ask you, are those numbers true only if my password actually consists of 4 letters and 5 numbers? Would you have to know that before starting, and then it would take 7 hours? My password does not consist of 4 letters and 5 numbers, I lied for the safety, but it is something similar. Would it now take more time, as you don't know exactly how many letters and numbers?
And the time it would take to hack my password would really depend on the delay from the server. If you were using Hotmail, this would take a lot of time.

I have to say I find it a bit strange that it is as easy as 7 hours. Why have I not been hacked before? I have a lot of accounts, containing credit cards, games, NETELLER, poker, etc, etc. If it is only 7 hours, that is a bit scary actually.
I've had accounts like these for more than 15 years, and been hacked once - this was a friend who knew my password. Those are a bigger threat than hackers.

#### SirNickity

#21
##### Oct 25, 2013, 09:08 pm
> Yes, but this is for the Arduino. How often is Arduino used to hack passwords? Anyway, set it up against Hotmail for example, and it will take waaay more than 212 seconds.

No one would do that.  No one would use an Arduino to crack a password at all.  It is so handicapped at this kind of process compared to a computer that it is ridiculous to even contemplate.  Now, I wouldn't fault someone (like you, for instance) for trying based on curiosity or whatever, but for genuine attempts at hacking... well.. let's just say if someone were trying to hack my accounts with an Arduino, I would be tempted to make my password shorter to give them a fair shot.  They're obviously of no real threat.

Also, I'm not going to pretend I have statistics to back myself up, but I don't think the majority of brute-force account break-ins happen through web interfaces to services like Hotmail, Gmail, etc..  Just the round-trip time alone would delay things to the point of absurdity.  Since most providers give you a couple shots at trying to remember a password before they start throwing up road blocks like time-delays or captchas, it's just not a very desirable point of entry.

Like others have said already, typically when account credentials are stolen, it's either because....

1)  Someone had previous knowledge of you or your account that gave them a substantial advantage.  Like how Sarah Palin's account got hacked because her security question was "What high school did you attend?"  There aren't that many high schools in Wasilla, AK -- where she's lived her entire life.  BTW, this is why the whole concept of "security questions" is deeply flawed.

2)  Someone had access to back-end information -- encrypted passwords, or other raw account info.  With a list of encrypted passwords, you no longer have to knock down the front door.  If the passwords aren't salted (randomized), then a given algorithm -- like MD5 -- will always produce the same hash with the same input.  This makes it easy to compare with pre-encrypted lists of common passwords.  Low-hanging fruit.  If the passwords are salted, then you're back to brute-force attempts.

So, brute-force (especially through a web site) is almost never the best option.  When it's the only option, there are a few tricks to optimize things.  Like, for one, I can get into a surprising number of accounts just by trying a "common passwords list".  It's just scary how often those passwords work.  Then, I can try just letters and numbers, and because it's so typical for someone to throw an exclamation point or two at the end, I'll add that too.  Limited character sets shorten the time to crack significantly, although still that's 26 * 2 + 10 + 1  (letters, lowercase and uppercase, then 0-9, and !), which will take a while to try in every possible combination.  If I want to consider other symbols -- like underscore, space, dash, the at sign, pound, percent, so on...  it takes a bit longer.  I might limit initial runs to 8-characters, and if that doesn't work, I would use the entire common English character set with inputs 9 characters and longer.

By then, I have to be really determined to get that one password.  Using that approach for an entire list would take way too much time without significant computing resources at my disposal.  Certainly not a pile of Arduinos.

#### Nick Gammon

#22
##### Oct 25, 2013, 11:35 pm

> Nick: Your math is too heavy for me, so I can't argue with you. But I can ask you, are those numbers true only if my password actually consists of 4 letters and 5 numbers? Would you have to know that before starting, and then it would take 7 hours? My password does not consist of 4 letters and 5 numbers, I lied for the safety, but it is something similar. Would it now take more time, as you don't know exactly how many letters and numbers?

You make some good points, however I think if I were cracking passwords I would assume alphanumeric as a first guess, and try to crack that (so the exact ratio of letters to numbers wouldn't matter). So we are back to around 46 bits of entropy, bearing in mind that DES (which is not used much now) had 56 bits. So you are using less than DES, which people have made DES-cracking machines for.

All that 46 bits of entropy really means is, if you divide that by 8 bits per byte (getting roughly 6) then your password is equivalent to a 6-character totally random password (where any character could be used).

The other thing is, a dictionary attack, which is much faster. Let's assume they have found your hashed password (by hacking into a server somewhere) but don't know the original. They make a disk file with all likely passwords and do a direct lookup of the hash to see if it matches. So at the expense of some disk space, they could lookup your password in seconds. Of course generating this file takes time, but then they can look up all of the thousands of passwords they stole.

Now of course, if they don't have the hash, and they have to try, one by one, then you are probably safe. But I have lost track of the number of sites recently that have reported they have had their passwords stolen.

#### cjdelphi

#23
##### Oct 26, 2013, 02:52 am
While the hash itself is not reversible, a vast database (rainbow tables, I think they're called) full of hash keys is made; your hash then gets compared to the database and hopefully your hash was generated for the taking... instantly.

To make passwords secure, there has to be some kind of human element involved.
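An added example, not code from the thread or from any poster, tying together the points about stolen hash lists, precomputed lookup tables and salting made in the last few posts: a constructed leak of unsalted MD5 hashes is matched against a precomputed table of common passwords with one lookup each, while records with a random per-user salt make that table useless and force fresh guessing for every record. The password list and user names are constructed for illustration.

```python
# Added example (not code from the thread): a constructed leak of password
# hashes shows why unsalted MD5 hashes can be matched against a precomputed
# table of common passwords in one lookup each, while a random per-user salt
# makes that table useless and forces fresh guessing per record.
import hashlib
import os

# Constructed list standing in for an attacker's "common passwords" file.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "password1"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> plaintext once; reusable against every unsalted dump."""
    return {md5_hex(p): p for p in candidates}


def crack_unsalted(leaked_hashes, table) -> dict:
    """One dictionary lookup per leaked hash, no hashing at crack time."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_hash(password: str, salt: bytes) -> str:
    """Salted SHA-256 (illustration only; real systems use a slow KDF
    such as bcrypt, scrypt or Argon2, which also salts)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def new_record(password: str) -> tuple:
    """Stored form: (random 16-byte salt, hash). Equal passwords differ."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def crack_salted(records: dict, candidates) -> tuple:
    """Guess each record separately; returns (found, hashes_computed)."""
    found, computed = {}, 0
    for user, (salt, h) in records.items():
        for p in candidates:
            computed += 1
            if salted_hash(p, salt) == h:
                found[user] = p
                break
    return found, computed
```

The salt does not make a weak password strong: "qwerty" is still found after a handful of guesses per record. What it removes is the one-time table that cracks an entire unsalted dump at once.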

#### mikel0829

#24
##### Oct 29, 2013, 05:01 am
Well, I was going to see about using this to crack my wifi password whenever I buy the shield, because I'm thinking that's how I got hacked anyway. But other than that it's mostly for the thrill, I suppose. I do a lot of things just to see what happens lol

#25
##### Oct 29, 2013, 04:42 pm
> I was going to see about using this to crack my wifi password whenever I buy the shield because I'm thinking that's how I got hacked anyway

Your wifi probably broadcasts the wireless network name (the SSID). Turn SSID broadcasting off; in most cases people will not even see your network, and those that know it is there will probably not bother to try to hack you on the basis that:

• Not only do they have to get your password they have to find the SSID

• If you know enough to turn off the SSID your password is likely to be a pain, you will have firewalls etc.

The only downside of not broadcasting a SSID is that when you want to attach devices to the network they will not automatically "see" the network you will explicitly have to enter its name.

#### SirNickity

#26
##### Oct 29, 2013, 11:01 pm
For WiFi, you can also usually limit the devices that are allowed to connect based on their MAC address.  This isn't fool-proof, as an attacker can sniff traffic for a valid MAC address, then force his own interface to use that MAC instead.  But it raises the bar a little bit.

You also want to make sure you're using a decent encryption method.  I don't know if anyone still uses WEP, for example, but WPA2 is more secure.  Again, not fool-proof, but another barrier to entry.

The hidden SSID thing takes you off the market for casual drive-bys. If the attacker knows enough to get past MAC access control and WPA, it won't slow him down much, but then if you're doing all three of these things, there are probably easier and more desirable targets, unless it's really you they're after.

#### PeterH

#27
##### Oct 30, 2013, 02:14 am
The SSID makes it easier for legitimate users to recognise whether your WiFi is the right one to use - it makes it easier for you to use it, and easier for your neighbours to avoid using it. It has no relevance to security and if somebody is prepared to hack WiFi encryption then hiding the SSID from them is not going to make the least difference to how difficult that hacking is.
I only provide help via the forum - please do not contact me for private consultancy.

#### enanthate

#28
##### Oct 30, 2013, 02:38 am
If someone comes close to my WiFi network, prepared to hack it, then be my guest. There are a couple of reasons why they would bother doing this:
1. They don't have internet themselves, and need to use mine. Go ahead. If this affects my internet speed noticeably, I would be suspicious and log in to my router to check for activity, then disconnect them/change password/go outside and kick his ass if needed. If it doesn't affect my speed, then why would I care.
2. They are committing something from a small to a very serious network crime. In this case, it would be investigated - and we would quite easily figure I didn't do it. Again, be my guest. This would just be a rather fun experience - finally something is happening in my otherwise boring life.

Why bother? If my password got hacked, that would suck. But WiFi? Meh...

#### PeterH

#29
##### Oct 30, 2013, 04:01 am

> Why bother? If my password got hacked, that would suck. But WiFi? Meh...

There is a huge difference between associating with a WiFi access point without your permission, versus enabling a third party to snoop on your WiFi traffic. It hardly seems worth the bother just to hijack your bandwidth, but if the hacker is trying to access your private data then that's a far more compelling reason to go to all that effort.

Also bear in mind that as soon as you associate with a 3rd party access point all of your traffic is vulnerable to man-in-the-middle attacks; it's foolish to steal somebody else's bandwidth but positively idiotic to use somebody else's network to access anything that you want kept private.

Anyway, you'd never do the encryption breaking with an Arduino. Or if you did, it would hardly qualify as a 'brute force' attack.
