GPUs Used To Crack WiFi Passwords Faster 189
MojoKid writes "Russian-based ElcomSoft has just released ElcomSoft Wireless Security Auditor 1.0, which can take advantage of both Nvidia and ATI GPUs.
ElcomSoft claims that the software uses a 'proprietary GPU acceleration technology,' which implies that neither CUDA, Stream, nor OpenCL are being utilized in this instance. At its heart, what ElcomSoft Wireless Security Auditor does is perform brute-force dictionary attacks of WPA and WPA2 passwords. If an access point is set up using a fairly insecure password that is based on dictionary words, there is a higher likelihood that a password can be guessed. ElcomSoft positions the software as a way to 'audit' wireless network security."
Full disclosure (Score:5, Insightful)
People who whine about these being "irresponsible" or "bad for security" always seem to forget that the bad guys may already have written stuff like this and are putting it to use. By publishing this software, it makes everyone aware that it's never safe to turn a blind eye to poor security practices.
If some security manager reads this, goes back to work, and says "OK, change all our WPA passwords, our current ones may not be secure", he will be making a real improvement to his network. He might even be locking out an existing hacker in the process.
Re:It's red (Score:2, Insightful)
Ricardo Montalban Dead At 88 [slashdot.org]
In his defense he probably thinks that it hasn't gotten sufficient coverage because we haven't seen two or three dupes yet ;)
Re:Brute-force password guessing not a problem (Score:2, Insightful)
Not to be picky but you would need to use /dev/random and have enough entropy to make this TRULY random (assuming we live in a non-deterministic universe).
Re:Brute-force password guessing not a problem (Score:4, Insightful)
But anything over 15 characters is probably secure enough for most home users.
15 characters using the full set of letters/numbers/symbols on your keyboard works out to ~98 bits of entropy. That's probably sufficient. I usually use at least 20 characters (~131 bits) but that's probably just my paranoia. If you are worried about somebody breaking a password that secure then you have bigger problems than your neighbor using your wi-fi connection. In this case I hope you are paying your team of armed guards well and trust that they won't betray you ;)
Re:Brute-force password guessing not a problem (Score:3, Insightful)
If you are worried about it, but still don't want (or for some reason, can't) generate a random character string locally, you could always have the website generate several passwords, then combine them yourself in some random way. For instance, you could swap blocks from each string, or reverse the order of one of them and XOR the characters together.
This is true but misleading (Score:3, Insightful)
The real problem is using WPA with pre-shared keys - that's what this can really do some damage with. That, and they used it to set up a fake root CA. Um, this is almost a month old. WTF? Slashdot: Where you hear it last!
Re:Brute-force password guessing not a problem (Score:3, Insightful)
For something like a WPA passphrase (it's not really the key) the actual amount of "randomness" isn't important provided whatever you use isn't in whatever dictionary the attacker is using. Once the dictionary attack is exhausted they're going to have to move onto simple one-by-one testing, and being "more random" or "less random" has no real meaning. Eventually they'll hit the right one, it's just a matter of how long that takes, which is a matter of luck and what order they test them in :)
Re:does it count as 0day? (Score:2, Insightful)
What's illegal about it? If you're using it against your own network to test the strenght of your settings, I see nothing wrong with that. The question isn't why can they sell this legally, but why WOULDN'T they be able to do so? Given that any tool can always be used in bad ways, I don't think that should be enough to outlaw the tool itself.
formulas make brute-force password guessing easy! (Score:2, Insightful)
You need letters, numbers and symbols. Mixed case also.
If you follow such a formula black hats know more about your password than if you don't, so their brute force attacks from 10,000 node botnets just got exponentially faster. You made the key space smaller when you eliminated all possible passwords that do not contain letters, numbers, symbols and mixed case.
My password is also not based on a dictionary word and means something only to me.
That's a far better strategy.
Myself, I ignore all "rules" and "formulas" for password generation and use 64 characters or more for important passwords. Until this became possible (I'm old) I always used the maximum number of characters allowed (so old, I had to use six-character passwords for decades).
Back in the day, college students and security auditors used to routinely brute passwords without dictionaries because MVS and RSX had such short passwords.
Re:Brute-force password guessing not a problem (Score:5, Insightful)
Maybe I'm dense, but how the hell does flooding a wireless card with brute force dictionary attacks bottleneck on computation speed? You create your dictionary, once, you stick it on a hard drive, you stream it at your target through the wireless networking card, you wait.
This product seems like a bunch of bullshit to me. Even if they did come up with some particularly clever algorithm for creating more effective dictionaries and speed it up GPUs, there's no need to recreate a dictionary every time you're doing a brute force attack.
It counts as a tool, like a hammer or pocketknife. (Score:5, Insightful)
they can legally sell this because...
They live in a culture that has more commercial freedom than yours, apparently. Given that they are in Russia, that's a sad commentary on wherever you live.
why? just because they claim to be an 'auditor' means they can profit from a cracker?
Because it's a tool. You can cave people's heads in with a hammer, you can assassinate the pope with a kitchen knife. They are tools, they have no moral dimension. Even a thumbscrew can be used for moral purposes, such as a doorstop that keeps cute fuzzy puppies from running on to train tracks.
Effective tools amplify your ability to do things you want to do. They don't make it necessary or possible for you to commit crimes; your will and your circumstances are what makes you a criminal.
I have used wifi crackers to audit networks in my workplace with the full knowledge of my employer. I have never used one to commit a crime, ever. It's just a tool.
Re:Brute-force password guessing not a problem (Score:3, Insightful)
I question why the hell anybody needs to have someone/something else generate a random password for them.
Can't you do it yourself? You've got 5 fingers on 1 hand. You've got a second hand. You've got a keyboard.
Just go KJNo867f*P7gP*&%o86fv:(O*& for shit's sake.