Well, now that I’ve taken a little break, it’s time to start updating again.
First, if anyone is interested in security challenges, the SANS 2012 Holiday Challenge is running through Jan. 6. I’m submitting an entry because unlike many security challenges…”I want a challenge I can do!” (Lisa Simpson).
I’ve still got one more piece left before I complete it, but I found this challenge to be a nice blend of basics and more advanced techniques. There’s also enough hints sprinkled around so that you generally know what your next steps entail. After the challenge is over I’ll post my answers here (I’ve decided that my best chance to win is through the “most creative” answers. I think they’ll be a fun read).
In other news, last week a Frankenstein’s monster of computing was unveiled that can crack most passwords in a typical workday.
As most articles about this have mentioned, the problem is that most hashing algorithms were designed to operate quickly. As hardware advances, brute-forcing passwords becomes more and more trivial. Systems need to migrate to deliberately expensive password-hashing algorithms like bcrypt. In normal usage, the slightly slower processing when a user logs in will be unnoticeable, but the effect on a brute-force attempt is huge. If we take the top quoted speed of 350 billion guesses per second and compare it to the quoted speed for bcrypt (71,000 guesses per second), the attacker's guess rate drops by 99.99998%.
That’s more effective than Lysol.
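To put numbers behind that, here is an added example (my own code, not part of the original post or the challenge) that works out the 99.99998% figure from the two quoted rates and then measures the same effect locally: a raw SHA-256 guess versus a salted, deliberately slow hash. PBKDF2 from Python's standard library stands in for bcrypt so it runs without extra packages; the iteration count and sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import time

# Figures quoted in the post: the cracking rig's top speed against fast hashes,
# and the quoted bcrypt throughput.
FAST_GUESSES_PER_SEC = 350_000_000_000
BCRYPT_GUESSES_PER_SEC = 71_000

# Work factor for the slow hash (assumption; PBKDF2 stands in for bcrypt here).
PBKDF2_ITERATIONS = 100_000


def reduction_percent(fast_rate: float, slow_rate: float) -> float:
    """Percentage by which a slow hash cuts an attacker's guess rate."""
    return round((1 - slow_rate / fast_rate) * 100, 5)


def hash_password(password: str, salt=None):
    """Salted, deliberately slow hash; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def guesses_per_second(hash_fn, guesses: int) -> float:
    """Measure how many candidate passwords per second hash_fn can process."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"candidate{i}")  # constructed sample guesses
    return guesses / (time.perf_counter() - start)


def measured_reduction() -> float:
    """Reduction from a raw SHA-256 guess to a PBKDF2 guess on this machine."""
    fast = guesses_per_second(lambda p: hashlib.sha256(p.encode()).digest(), 10_000)
    salt = os.urandom(16)
    slow = guesses_per_second(lambda p: hash_password(p, salt), 20)
    return reduction_percent(fast, slow)


if __name__ == "__main__":
    print(f"Quoted figures: {reduction_percent(FAST_GUESSES_PER_SEC, BCRYPT_GUESSES_PER_SEC)}% fewer guesses")
    print(f"SHA-256 vs PBKDF2 here: {measured_reduction()}% fewer guesses")
```

The measured figure depends on the machine and the work factor, which is the point: the defender picks the iteration count, and raising it slows an attacker far more than it slows a login.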