Posted on 04/25/2018 3:57:45 AM PDT by paladinkc
Another vote for 1Password. It is the best password manager out there in my humble opinion.
Agree on all points. I do the same, using a different app. No password is stored on the puter or certainly not in the cloud. After editing the pass doc on the flashdrive, I clean the puter caches, among other things, and run an overwrite program.
Given infinite money and time, no password is safe. And yes, cracking rigs can be clustered to reduce the time necessary to crack passwords. Back in 2012 it was demonstrated that a specially built cracking rig (a cluster of 25 GPUs) of about $25,000 can crack the NTLM 8-character space in under 6 hours. Today, that same power can be built for about $12,000. As hardware (graphics cards) gets cheaper and more powerful, it will be easier to construct a cracking rig.
The tools to counter this are stronger hash algorithms. NTLM relies on the old MD5 hash. Other hash algorithms include Blake-256, SHA-256, SHA-3 and others. These hashes make it harder to come up with a guess, so it slows the computer down in its brute-force attack. So fewer guesses per second.
The second vector is the use of complexity, or more starting characters. Other than requiring a password contain one or more special characters at the time of creation, this really does not have any additional value as there is a limit to the number of special characters.
That leaves us with length. We all know that we should have longer passwords, but because they are difficult to remember, we don't like them. Sentences are a whole 'nuther ballgame.
For example:
Denver Bronco’s #1 fan
22 characters / Uppercase / lower case / digits / specials
brute force would be 88^22 or roughly 6 x 10^42
By comparison an 8 character password is 88^8 or 3.7 x 10^12
However, this all requires acceptance of longer passwords. The NIST standard calls for a minimum of 8 and a maximum of 64. Do all applications follow that standard? No.
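A worked version of the keyspace arithmetic in the post above, added here as an example and not part of the thread. It generalizes the two figures the poster gives (88^8 and 88^22) into a small calculator that also shows the other lever the post mentions, a slower hash: the guess rates and the slowdown factor are constructed assumptions for illustration, not measurements.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try (alphabet^length)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same keyspace expressed in bits, which is easier to compare."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock time to try every candidate at a fixed guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return space / guesses_per_second / SECONDS_PER_YEAR


def meets_length_policy(password: str, minimum: int = 8, maximum: int = 64) -> bool:
    """Length bounds the post attributes to NIST: at least 8, at most 64 characters."""
    return minimum <= len(password) <= maximum


def compare(alphabet_size: int, lengths, fast_rate: float, slowdown: float):
    """One row per password length: bits of keyspace and years to exhaust it
    against a fast unsalted hash, and against a hash deliberately `slowdown`
    times more expensive (the 'fewer guesses per second' lever)."""
    rows = []
    for n in lengths:
        space = keyspace(alphabet_size, n)
        rows.append({
            "length": n,
            "bits": round(entropy_bits(alphabet_size, n), 1),
            "years_fast_hash": years_to_exhaust(space, fast_rate),
            "years_slow_hash": years_to_exhaust(space, fast_rate / slowdown),
        })
    return rows


if __name__ == "__main__":
    # Constructed assumptions: 3e11 guesses/s is the order of magnitude implied
    # by the post's 2012 figure (8-character space in under 6 hours); 1e5 is an
    # illustrative cost factor for a purpose-built password hash.
    print(f"{'len':>4} {'bits':>6} {'years (fast hash)':>20} {'years (slow hash)':>20}")
    for row in compare(88, [8, 12, 16, 22], fast_rate=3e11, slowdown=1e5):
        print(f"{row['length']:>4} {row['bits']:>6} "
              f"{row['years_fast_hash']:>20.3g} {row['years_slow_hash']:>20.3g}")
    print("22-char sentence within 8..64 policy:",
          meets_length_policy("Denver Bronco's #1 fan"))
```

The point the table makes is the one the post makes: each added character multiplies the work by the alphabet size, so length dominates, while a slow hash buys a constant factor on top of whatever length the user accepts.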
No one is gonna crack a password unless you are a target specifically. With millions of hacked passwords for sale for a few dollars each, why would anyone waste time cracking one unless you are a specific target? And, if you are, they are gonna get you some other way.
Allow me to give you a real world example that is counter to your point.
During an active pen test of a bank, I walked the outside of the building and noticed that one of the doors did not shut all the way. I walked up to the door and pushed it open. That let me into a hallway that had a printer. The printer was connected to both power and a wall plate that had an active Ethernet port. I took my wifi extender and plugged it into the second port, and sure enough got a connection. The wifi extender was configured to allow me to access that port via the wifi link. So I went back outside and pulled my car into the parking lot (Wendy's, I think) that was opposite the door. I jumped on the laptop, connected to my wifi device, and I was on their branch office network.
This particular branch also had a guest wifi for their customers and an internal wifi for their conference rooms. Now I know how lazy IT people can be, so I figured I would crack the wifi password and try to use the same password to get to the switch. So I set the wifi up to require someone to log in. It is basically a reset packet that dumps the wifi connection. Most users don't notice it because the default configuration is to attempt to reestablish the connection by logging back in. I didn't care who it was because I just wanted to get a copy of the hash. Sure enough, I was able to grab a trace of their connect request, and the hash is contained in that request.
Using my Verizon 4G hot spot, I sent that hash back to my cracking rig and had the wifi password in less than 10 min. I don't know exactly how long it took because I went into a coffee shop for a coffee after I sent over the hash. Once I had that password, I went back to the connection that I had put in and sure enough, the infrastructure ... all of the switches, used the same password. Now I could see the branch's traffic. Every single connection. A simple reconfiguration of the switch and now my wifi connection would receive a copy of any person's traffic that I wanted to see. From there, using a similar trick as the wifi reset, I executed a TCP reset on someone's traffic, captured the hash that was sent across the network, and sent that hash to my cracking rig.
So before lunch, I had user credentials and their password and a connection to the backbone along with the infrastructure password. The infrastructure password was "Yankees11!"
No one challenged me.
No one stopped me.
Heck, I didn't even see anyone in the hallway.
After lunch I contacted my security contact and asked if any alarms were going off. Nope, not one.
Owned in less than 4 hours.
Granted, that is the exception rather than the rule and I have purposely left out some details. But I did not target any user. I just cracked the passwords of those that were easy to obtain.
Nice :-D
Thanks.
Thanks once more. Internet/Net security is not a static issue, and not being an expert by any stretch of the imagination, it is interesting to see the issue from the eyes of one engaged in the process.