Brute Force hacking possible?

[AbteriX]

Hi f0dder,

1. If i enter a wrong password into fSekrit 1.1
2. i get an messagebox telling me that this password is incorrect.
3. Then i can try another one.
4. if this is wrong also i get an messagebox telling me that this password is incorrect.
5. GoTo 1.

I think someone can wrote an AutoIt script to use an text file to try common passwords, as many ppl use this.

For secure reason maybe you want add an timeout, like after 10 wrong pw's wait 30 minutes?

What think you?

[Eóin]

Hi AbteriX, you bring up a good point but if someone has a copy of your file there are probably alot of ways they could cheat such a system, say by making a new copy of the file after every failed attempt, or adjusting their system clock to fool the program.

The only defense real against brute force attacks are hardened passwords.

[f0dder]

This is a possible form of attack, yes, but it's going to be slow. You do *not* want to use common passwords, including (but not limited to) words present in a dictionary.

Adding this form of "protection", as Eóin already pointed out, is pretty useless - it's a false sense of "security", and there's numerous ways to defeat it. Besides, it would be a lot faster (though still painstakingly slow) to attack the file directly. At the moment that would require reverse engineering fSekrit, but I'm considering releasing the source when I'm satisfied with it... which would make attacks a lot easier.

But that's actually one of the points of releasing source - to show that security is strong. Security through obscurity isn't a good idea

[AbteriX]

All right, THX 

[mouser]

just to add to this:
modern cryptography algorithms, like the ones f0dder uses, are designed on the assumption that your attacker could, for example, test millions of different passwords per second, and still require longer than the time it will take for our sun to burn out before you stumble on the right password.  So the answer is surely to use a password someone is not going to guess, and don't worry about the rest.

[f0dder]

fSekrit uses 256-bit keys. Even if you could test one trillion (10^12, or 1,000,000,000,000) keys per second, it could still take some 3,6717e57 years to find the password (read up on http://en.wikipedia..../Scientific_notation if you wonder what that 'e' is doing there, or think that "4 years is not enough" ).

That's for a dumb bruteforce attack, though - somebody *might* come up with a smarter attack against AES/Rijndael, or the government *might* have supah sekrit machines in Area 51, made by aliens, to decrypt faster...

or you might use a weak password from a dictionary

[AbteriX]

It can take 4 years.... but also 4 min. by chance.

> or you might use a weak password from a dictionary
As most people do, that's why i ask to prevent a hole in fSekrit.

[f0dder]

That wasn't four years - it was... well, "3.671 years with 57 zeroes behind", I dunno what such a quantity is called . But yes, you're right that it could take 4min by chance. Not very likely, though.

If people use weak passwords, they shouldn't really be dealing with cryptography anyway. I'm sorry if that sounds elitist, but it's similar to putting a $5000 lock on your door and hiding the key under your doormat.

Not putting in an artificial limit is *not* a security hole in fSekrit.

[AbteriX]

If people use weak passwords, they shouldn't really be dealing with cryptography anyway.

-f0dder (September 07, 2006, 04:54 PM)

That's wrong. People are people. They do use 'weak' PWs because they are easy to remember.
And it's better people use weak PWs then they do nothing to care there own infos.
It's challenge of the coder to help people in any way to protect them and there data, not to
say 'you are a looser if you can't remember "x$4kHa8"' (BTW, i don't wanna push you to do what you don't
want, we just talking about, right?) I know the PWs of a many user and they are "holliday" "2006"
"daughter's name" "pet's name"...

Peace 

[rjbull]

    Hackers' Song.


    "Put another password in,
    Bomb it out and try again,
    Try to get past logging in,
    we're Hacking, Hacking, Hacking.

    Try his first wife's maiden name,
    This is more than just a game,
    It's real fun, but just the same,
    It's Hacking, Hacking, Hacking."

    The NutCracker
    ( Hackers' U.K. )

  - see e.g. http://en.wikipedia.org/wiki/Micro_Live

[kimmchii]

Password Recovery Speeds

How long will your password stand up

This document shows the approximate amount of time required for a computer or a cluster of computers to guess various passwords. The figures shown are approximate and are the maximum time required to guess each password using a simple brute force "key-search" attack, it may (and probably will) be possible to guess correctly without trying all the combinations shown using other methods of attack or by having a "lucky guess".