crypto crack benchmark

G

Gomar

Limp Gawd
Joined
Oct 25, 2007
Messages
315
From Winzip's help file: "full strength of AES encryption requires a password of approximately 32 characters for 128-bit encryption and 64 characters for 256-bit encryption."
Certainly, no one can memorize 32 random characters [if using all ASCII characters]. Also, people dont use the same PW for all logins; hotmail and gmail pws are different, as are windows and forum accounts. Thus, pw length of 8-12 is best.

On my PC using 4 characters to encrypt a file:
I used ARCHPR.
http://www.elcomsoft.com/archpr.html
using this PW: N#8w
min:1 max:4

using Winrar 128-bit will take 2 months to crack.
using Winzip's 256-bit, 10 days.
[proving Winrar's 128-bit is tougher to crack than Winzip's 256-bit]

try it out, post results.

Also:
http://lastbit.com/pswcalc.asp
pw length: 8
Speed: 10m/sec
# comps: 10
Full ASCII
up to 28 months [2.3years].

Cool. Thus proving an 8 character pw is more than secure against anyone not hooking up 1000 PCs.
 
Gomar said:
Thus proving an 8 character pw is more than secure against anyone not hooking up 1000 PCs.
Click to expand...

Well the tool you posted states there are only 500,000 tries per second. as a default. Well most of the MD5 bruteforcers and other password cracking tools I use with my i7 only Get about 235,000,000 tries per second. Then with the ones that are capable of GPU computing my 470s average 1,480,000,000 tries per second. That means that my somewhat normal, less then $2k home gaming computer is capable of 3,195,000,000 tries per second. For less then $5000 I could build a rig capable of 14,031,428,571 tries per second

Now with your first example of a 4 character random full ASCII password according to the tool you posted in your second link it would take my computer 8 hours to crack that password with a standard brute force. A 8 character Full ASCII password would take me 72591 years, which isn't acceptable to me, so lets forget brute force because it isn't effective unless you have absolutely no other option, or are a skiddie and couldn't figure out rainbow tables. If I was trying to brute force a encrypted file password for someone I would spear-phish them to gather a list of their commonly used passwords and generate a customized dictionary file based on commonly used passwords, known birthdays, names of loved ones, addresses, phone numbers, SSNs, PINs, etc. Then I would take that generated file and send my minions after it.

Also take into account that if you have someone who really wants to get into an encrypted file they will most likely buy CPU time on a cracking cluster. I have a "time share" if you will on one of these through work so that we can get full ASCII passwords cracked very quickly. The great thing about these services is that if you have a hash that isn't in their rainbow table they add it making cracking faster for others. Literally terabytes and terabytes of passwords all so that White hats, black hats and everyone in between can get into files, systems and networks just that much faster.

TL;DR Normal encryption is like putting a deadbolt on your front door. A common burglar will stay out but the professional thief will laugh as he waltzes right in.
 
Gomar said:
Thus, are you saying 8 characters full ASCII is or is not a secure enough password?
Click to expand...

Yes - if you really are randomly selecting 8 characters from the full ASCII set. If you are using an 8-character random password generator and really picking 8 completely random characters from the full ASCII set, then your all good.

But I think C7's point is this: you probably aren't. Your password is likely to be far less random than you think. You're probably already subsetting ASCII by only picking letters, numbers and a couple of common punctuation marks. And you're probably using words rather than random letter sequences or number sequences related to things you know (i.e., 4 digits could be 10,000 combinations to try, but meaningful "years" are need something closer to 200 tests). Further, the words or digit-strings are likely tied to things you can remember - birthdates, pets names, whatever. Use a crack-tool that uses a dictionary and add a little bit of social engineering and the cracking time for most passwords falls from centuries to days...
 
Last edited:
Gomar said:
Thus, are you saying 8 characters full ASCII is or is not a secure enough password?
Click to expand...

Yes and no. Are you trying to keep your wife and kids out of your porn, or a co-worker out of your documents? Then yes an 8 character full ASCII password is good enough. In fact the password of Password! will be enough to foil them, hell just making your password passwrod would be good enough.

HOWEVER if you are trying to keep your confidential corporate data away from someone stealing your laptop, or out of the hands of hackers / the government 8 characters full ASCII can be broken easily, even in 128 bit AES. A minimum recommendation would be a 20 character password full ascii, with a good portion of it not being in english, and something changed on a regular basis.

For instance I change my truecrypt passwords every 60 days. I usually have between 40-60 characters full ASCII. Sounds like a lot to remember, however usually they are quotes, or things I remember. For instance the last one I had was lyrics to a favorite song of mine that was two sentences long. The first sentence was in english, the second in german (the song is all in Swedish so it even if you know what it is, you have to translate to both english and german). To crack this you would need to spearphish me pretty hard to get the data, and even then you wouldn't be able to compile a dictionary that would be able to crack my password.
 
Or you could just use 7z and then there aren't any password crackers....that work at least.
 
umm yea that doesnt work.....I have doing a brute force attack on my PST for 2months on a beowulf cluster at home and it still hasnt found the password

I mean seriously....where did you even get an idea that, ZZZZZ1ZZZZ would be some sort of backdoor?
 
Last edited:
nitrobass24 said:
umm yea that doesnt work.....I have doing a brute force attack on my PST for 2months on a beowulf cluster at home and it still hasnt found the password

I mean seriously....where did you even get an idea that, ZZZZZ1ZZZZ would be some sort of backdoor?
Click to expand...

It's what I use for all my passwords all my banking and all my secret stuff it's a great password !

I even have all my hard drives shared on all networks and use this LOL !!!

ok ok i'm joking !
 
O you meant i should just use that password instead....gotcha

No but seriously i encrypted my PST w/ 7zip and of course its been two years and i forgot the pass...now i need one of those emails. There isnt any software out there that can crack 7z unless you used a 7z version from like pre-2005 era.
 
Is it an actual .7z file or is it just an encrypted .zip or .rar file?

Alternatively if you have the hash care to post it? :p
 
C7J0yc3 said:
Is it an actual .7z file or is it just an encrypted .zip or .rar file?

Alternatively if you have the hash care to post it? :p
Click to expand...

No its actual 7z.

I do not have the hash...otherwise i would post it....thats how bad i need this email!
I dont even know how to go about getting the hash.


Yea if this were RAR, ZIP this would have been easy as there are plenty of commercially available tools to crack those, but damn I didn't realize how tough this was going to be.
 
That website is bunk; it won't even let me punch in 24 as the number of characters I use in my password for TrueCrypt. =(
 
nitrobass24 said:
there are no commercially available tools to crack a 7z file.
Click to expand...


neither a Kremlin 3.0 file. Because they are both proprietary.
Thus, I could safely use a 4 character pw as there is no software to crack it?

Ifcourse, what I like about Winrar is its compression and exe file, which Kremlin doesnt make.
 
Whatsisname said:
brute force is for morons.
Click to expand...
rich morons.
Gomar said:
neither a Kremlin 3.0 file. Because they are both proprietary.
Thus, I could safely use a 4 character pw as there is no software to crack it?

Ifcourse, what I like about Winrar is its compression and exe file, which Kremlin doesnt make.
Click to expand...

security through obscurity..... I don't like that idea in the long run.
 
jeremyshaw said:
security through obscurity..... I don't like that idea in the long run.
Click to expand...

Had Kremlin made exe files, I would've used it instead of Winzip. As such, you need to install Kremlin on every device. Thus, safest to use above 8 characters if using winzip.
 
C7J0yc3 said:
the government 8 characters full ASCII can be broken easily, even in 128 bit AES. A minimum recommendation would be a 20 character password full ascii, with a good portion of it not being in english
Click to expand...

AES-128 is unbreakable; even 82-bit has not yet been broken.
To reach 128-bits you need:
Length: 26
Charset Size: 95
or
Length: 21
using extended ASCII
or
Length: 30
Charset Size: 26 characters [lower/upper case]

UNICODE is not usable on alot of logins, so it's out. Staying with 255-31=224.
now 224^12 =
15,957,917,665,472,413,585,874,354,176
 
nitrobass24 said:
it doesn't matter with 7z archives because there are no commercially available tools to crack a 7z file.
Click to expand...

That's probably right; however, I am sure the NSA/CIA/FBI have crackers for any popular crypto software such as rar, zip, 7z, pgp, trucrypt, winace, kgb, etc. Or maybe even a backdoor key that's in the source code.
Plus, with Winrar you get better compression anyway.
 
You must log in or register to reply here.
Back
Top