Welcome Guest.   Make a donation to an author on the site October 22, 2014, 11:37:25 PM  *

Please login or register.
Or did you miss your validation email?


Login with username and password (forgot your password?)
Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.


You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.
 
The N.A.N.Y. Challenge 2012! Download dozens of custom programs!
   
   Forum Home   Thread Marks Chat! Downloads Search Login Register  
Pages: [1]   Go Down
  Reply  |  New Topic  |  Print  
Author Topic: Brute Force hacking possible?  (Read 13329 times)
AbteriX
Charter Honorary Member
***
Posts: 1,050


Member #520

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« on: September 07, 2006, 06:12:16 AM »

Hi f0dder,

1. If i enter a wrong password into fSekrit 1.1
2. i get an messagebox telling me that this password is incorrect.
3. Then i can try another one.
4. if this is wrong also i get an messagebox telling me that this password is incorrect.
5. GoTo 1.

I think someone can wrote an AutoIt script to use an text file to try common passwords, as many ppl use this.

For secure reason maybe you want add an timeout, like after 10 wrong pw's wait 30 minutes?

What think you?
Logged

Greetings, Stefan.
EĆ³in
Charter Member
***
Posts: 1,400


O'Callaghan

see users location on a map View Profile WWW Give some DonationCredits to this forum member
« Reply #1 on: September 07, 2006, 06:45:26 AM »

Hi AbteriX, you bring up a good point but if someone has a copy of your file there are probably alot of ways they could cheat such a system, say by making a new copy of the file after every failed attempt, or adjusting their system clock to fool the program.

The only defense real against brute force attacks are hardened passwords.
Logged

Interviewer: Is there anything you don't like?
Bjarne Stroustrup: Marketing hype as a substitute for technical argument. Thoughtless adherence to dogma. Pride in ignorance.
f0dder
Moderator
*****
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #2 on: September 07, 2006, 06:48:38 AM »

This is a possible form of attack, yes, but it's going to be slow. You do *not* want to use common passwords, including (but not limited to) words present in a dictionary.

Adding this form of "protection", as EĆ³in already pointed out, is pretty useless - it's a false sense of "security", and there's numerous ways to defeat it. Besides, it would be a lot faster (though still painstakingly slow) to attack the file directly. At the moment that would require reverse engineering fSekrit, but I'm considering releasing the source when I'm satisfied with it... which would make attacks a lot easier.

But that's actually one of the points of releasing source - to show that security is strong. Security through obscurity isn't a good idea smiley
Logged

- carpe noctem
AbteriX
Charter Honorary Member
***
Posts: 1,050


Member #520

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #3 on: September 07, 2006, 07:24:28 AM »

All right, THX  smiley
Logged

Greetings, Stefan.
mouser
First Author
Administrator
*****
Posts: 33,578



see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #4 on: September 07, 2006, 09:52:08 AM »

just to add to this:
modern cryptography algorithms, like the ones f0dder uses, are designed on the assumption that your attacker could, for example, test millions of different passwords per second, and still require longer than the time it will take for our sun to burn out before you stumble on the right password.  So the answer is surely to use a password someone is not going to guess, and don't worry about the rest.
Logged
f0dder
Moderator
*****
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #5 on: September 07, 2006, 09:58:12 AM »

fSekrit uses 256-bit keys. Even if you could test one trillion (10^12, or 1,000,000,000,000) keys per second, it could still take some 3,6717e57 years to find the password (read up on http://en.wikipedia.org/wiki/Scientific_notation if you wonder what that 'e' is doing there, or think that "4 years is not enough" Wink).

That's for a dumb bruteforce attack, though - somebody *might* come up with a smarter attack against AES/Rijndael, or the government *might* have supah sekrit machines in Area 51, made by aliens, to decrypt faster...

or you might use a weak password from a dictionary smiley
Logged

- carpe noctem
AbteriX
Charter Honorary Member
***
Posts: 1,050


Member #520

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #6 on: September 07, 2006, 02:05:39 PM »

It can take 4 years.... but also 4 min. by chance.

> or you might use a weak password from a dictionary
As most people do, that's why i ask to prevent a hole in fSekrit.

Logged

Greetings, Stefan.
f0dder
Moderator
*****
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #7 on: September 07, 2006, 04:54:35 PM »

That wasn't four years - it was... well, "3.671 years with 57 zeroes behind", I dunno what such a quantity is called Wink. But yes, you're right that it could take 4min by chance. Not very likely, though.

If people use weak passwords, they shouldn't really be dealing with cryptography anyway. I'm sorry if that sounds elitist, but it's similar to putting a $5000 lock on your door and hiding the key under your doormat.

Not putting in an artificial limit is *not* a security hole in fSekrit.
« Last Edit: September 07, 2006, 04:56:31 PM by f0dder » Logged

- carpe noctem
AbteriX
Charter Honorary Member
***
Posts: 1,050


Member #520

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #8 on: September 08, 2006, 12:37:14 AM »

If people use weak passwords, they shouldn't really be dealing with cryptography anyway.
That's wrong. People are people. They do use 'weak' PWs because they are easy to remember.
And it's better people use weak PWs then they do nothing to care there own infos.
It's challenge of the coder to help people in any way to protect them and there data, not to
say 'you are a looser if you can't remember "x$4kHa8"' (BTW, i don't wanna push you to do what you don't
want, we just talking about, right?) I know the PWs of a many user and they are "holliday" "2006"
"daughter's name" "pet's name"...

Peace  Kiss
Logged

Greetings, Stefan.
rjbull
Charter Member
***
Posts: 2,776

View Profile Give some DonationCredits to this forum member
« Reply #9 on: September 08, 2006, 05:57:20 AM »

Quote

    Hackers' Song.


    "Put another password in,
    Bomb it out and try again,
    Try to get past logging in,
    we're Hacking, Hacking, Hacking.

    Try his first wife's maiden name,
    This is more than just a game,
    It's real fun, but just the same,
    It's Hacking, Hacking, Hacking."

    The NutCracker
    ( Hackers' U.K. )

  - see e.g. http://en.wikipedia.org/wiki/Micro_Live

Logged
kimmchii
Honorary Member
**
Posts: 360


View Profile Give some DonationCredits to this forum member
« Reply #10 on: September 08, 2006, 06:25:50 AM »

Password Recovery Speeds

Quote
How long will your password stand up

This document shows the approximate amount of time required for a computer or a cluster of computers to guess various passwords. The figures shown are approximate and are the maximum time required to guess each password using a simple brute force "key-search" attack, it may (and probably will) be possible to guess correctly without trying all the combinations shown using other methods of attack or by having a "lucky guess".
Logged

If you find a good solution and become attached to it, the solution may become your next problem.
~Robert Anthony
Pages: [1]   Go Up
  Reply  |  New Topic  |  Print  
 
Jump to:  
   Forum Home   Thread Marks Chat! Downloads Search Login Register  

DonationCoder.com | About Us
DonationCoder.com Forum | Powered by SMF
[ Page time: 0.04s | Server load: 0.08 ]