topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 12:33 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Brute Force hacking possible?  (Read 25749 times)

AbteriX

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 1,149
    • View Profile
    • Donate to Member
Brute Force hacking possible?
« on: September 07, 2006, 06:12 AM »
Hi f0dder,

1. If i enter a wrong password into fSekrit 1.1
2. i get an messagebox telling me that this password is incorrect.
3. Then i can try another one.
4. if this is wrong also i get an messagebox telling me that this password is incorrect.
5. GoTo 1.

I think someone can wrote an AutoIt script to use an text file to try common passwords, as many ppl use this.

For secure reason maybe you want add an timeout, like after 10 wrong pw's wait 30 minutes?

What think you?

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #1 on: September 07, 2006, 06:45 AM »
Hi AbteriX, you bring up a good point but if someone has a copy of your file there are probably alot of ways they could cheat such a system, say by making a new copy of the file after every failed attempt, or adjusting their system clock to fool the program.

The only defense real against brute force attacks are hardened passwords.

f0dder

  • Moderator
  • Joined in 2005
  • *****
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #2 on: September 07, 2006, 06:48 AM »
This is a possible form of attack, yes, but it's going to be slow. You do *not* want to use common passwords, including (but not limited to) words present in a dictionary.

Adding this form of "protection", as Eóin already pointed out, is pretty useless - it's a false sense of "security", and there's numerous ways to defeat it. Besides, it would be a lot faster (though still painstakingly slow) to attack the file directly. At the moment that would require reverse engineering fSekrit, but I'm considering releasing the source when I'm satisfied with it... which would make attacks a lot easier.

But that's actually one of the points of releasing source - to show that security is strong. Security through obscurity isn't a good idea :)
- carpe noctem

AbteriX

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 1,149
    • View Profile
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #3 on: September 07, 2006, 07:24 AM »
All right, THX  :)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #4 on: September 07, 2006, 09:52 AM »
just to add to this:
modern cryptography algorithms, like the ones f0dder uses, are designed on the assumption that your attacker could, for example, test millions of different passwords per second, and still require longer than the time it will take for our sun to burn out before you stumble on the right password.  So the answer is surely to use a password someone is not going to guess, and don't worry about the rest.

f0dder

  • Moderator
  • Joined in 2005
  • *****
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #5 on: September 07, 2006, 09:58 AM »
fSekrit uses 256-bit keys. Even if you could test one trillion (10^12, or 1,000,000,000,000) keys per second, it could still take some 3,6717e57 years to find the password (read up on http://en.wikipedia..../Scientific_notation if you wonder what that 'e' is doing there, or think that "4 years is not enough" ;)).

That's for a dumb bruteforce attack, though - somebody *might* come up with a smarter attack against AES/Rijndael, or the government *might* have supah sekrit machines in Area 51, made by aliens, to decrypt faster...

or you might use a weak password from a dictionary :)
- carpe noctem

AbteriX

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 1,149
    • View Profile
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #6 on: September 07, 2006, 02:05 PM »
It can take 4 years.... but also 4 min. by chance.

> or you might use a weak password from a dictionary
As most people do, that's why i ask to prevent a hole in fSekrit.


f0dder

  • Moderator
  • Joined in 2005
  • *****
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #7 on: September 07, 2006, 04:54 PM »
That wasn't four years - it was... well, "3.671 years with 57 zeroes behind", I dunno what such a quantity is called ;). But yes, you're right that it could take 4min by chance. Not very likely, though.

If people use weak passwords, they shouldn't really be dealing with cryptography anyway. I'm sorry if that sounds elitist, but it's similar to putting a $5000 lock on your door and hiding the key under your doormat.

Not putting in an artificial limit is *not* a security hole in fSekrit.
- carpe noctem
« Last Edit: September 07, 2006, 04:56 PM by f0dder »

AbteriX

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 1,149
    • View Profile
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #8 on: September 08, 2006, 12:37 AM »
If people use weak passwords, they shouldn't really be dealing with cryptography anyway.
That's wrong. People are people. They do use 'weak' PWs because they are easy to remember.
And it's better people use weak PWs then they do nothing to care there own infos.
It's challenge of the coder to help people in any way to protect them and there data, not to
say 'you are a looser if you can't remember "x$4kHa8"' (BTW, i don't wanna push you to do what you don't
want, we just talking about, right?) I know the PWs of a many user and they are "holliday" "2006"
"daughter's name" "pet's name"...

Peace  :-*

rjbull

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 3,199
    • View Profile
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #9 on: September 08, 2006, 05:57 AM »

    Hackers' Song.


    "Put another password in,
    Bomb it out and try again,
    Try to get past logging in,
    we're Hacking, Hacking, Hacking.

    Try his first wife's maiden name,
    This is more than just a game,
    It's real fun, but just the same,
    It's Hacking, Hacking, Hacking."

    The NutCracker
    ( Hackers' U.K. )

  - see e.g. http://en.wikipedia.org/wiki/Micro_Live


kimmchii

  • Honorary Member
  • Joined in 2005
  • **
  • Posts: 360
    • View Profile
    • Donate to Member
Re: Brute Force hacking possible?
« Reply #10 on: September 08, 2006, 06:25 AM »
Password Recovery Speeds

How long will your password stand up

This document shows the approximate amount of time required for a computer or a cluster of computers to guess various passwords. The figures shown are approximate and are the maximum time required to guess each password using a simple brute force "key-search" attack, it may (and probably will) be possible to guess correctly without trying all the combinations shown using other methods of attack or by having a "lucky guess".
If you find a good solution and become attached to it, the solution may become your next problem.
~Robert Anthony