CertiGuide to Security+
Chapter 1: General Security Concepts (Domain 1.0; 30%)
1.4 Attacks
1.4.11 Password Guessing

1.4.11.1  Brute Force

In a brute force attack, muscle (in this case, CPU and/or network muscle) is applied to break through a security mechanism, rather than intelligence or logic. “Brute force” is most commonly applied to password guessing: the attacker uses the computing power available to try every possible password value until the right one is found.

Even just a couple of years ago, brute force was considered difficult because low-cost processors with the sheer crunching power needed were not available. Today, the AMD 2200XP processor costs less than $100 USD and the 3000XP (Morgan CPU) is shipping.

That puts the brute force method within reach of anyone. Rather than repeat the usual lecture about strong passwords, we encourage you to follow the footnote to a free Brute-Force Password Cracking Simulator[87]. Play with this simulator and you will discover that, in general, the longer the password, the more difficult a brute force attack becomes. Note that password cracking techniques have improved considerably since this simulator was written; real-world password crackers today are much faster.

Figure 12: Even telling the simulator to search through all 256 characters, by brute force with a 1.5 GHz CPU, this password (“lootball”) can be broken in less than a day.

The simulator program is less than one megabyte in size and runs on Windows. Instead of actually attempting to “crack” a stored password, you set the variables (including entering a real password to test) and it calculates how long the brute force method would take. In one test, brute force with a 1.5 GHz processor would take 170 years, 309 days, 21 hours, 32 minutes, and 22 seconds to crack 4July1776. A dictionary password program, however, would rip through that same password almost instantly.

Figure 13: Just adding one special (high-order) character makes a brute force attack almost a month of effort with the same CPU.

Brute Force

A brute force attack involves throwing computer and/or network power at a security mechanism until it is broken.

Brute force is commonly used to “crack” passwords, often for user accounts. It can also be applied to ZIP files and many other types of encrypted data.

One way to protect against brute force password cracking is to use as long a password as possible, because the longer the password, the harder it is to crack via brute force.


Figure 14: This more complex ten-character pass phrase (“Tcat=Yuma!”) takes the same CPU a few hundred thousand years to crack.
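As an added example (not CertiGuide's code and not the simulator from the footnote), this Python estimator reproduces the arithmetic behind the figures above: the keyspace is charset size raised to the password length, the worst-case time is that keyspace divided by an assumed guess rate, and a constructed mini wordlist shows why 4July1776 is weak against a dictionary attack despite its large keyspace. The guess rate and the wordlist are assumptions.

```python
import math
import re
import string

# Printable-ASCII classes (26 + 26 + 10 + 33 = 95); all_256=True models the
# simulator's "search all 256 byte values" setting shown in Figure 12.
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26), (string.digits, 10)]

def charset_size(password: str, all_256: bool = False) -> int:
    """Smallest character set an attacker must cover to reach this password."""
    if all_256:
        return 256
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33  # remaining printable-ASCII symbols
    return size

def keyspace(password: str, all_256: bool = False) -> int:
    """Candidates an exhaustive search of this length and charset must try."""
    return charset_size(password, all_256) ** len(password)

def entropy_bits(password: str, all_256: bool = False) -> float:
    """log2 of the keyspace: every extra bit doubles the brute-force cost."""
    return len(password) * math.log2(charset_size(password, all_256))

def worst_case_seconds(password: str, guesses_per_second: float, all_256: bool = False) -> float:
    """Time to exhaust the keyspace; the guess rate is an assumed input."""
    return keyspace(password, all_256) / guesses_per_second

def split_duration(seconds: float) -> tuple:
    """(years, days, hours, minutes, seconds) as the simulator reports it (365-day years)."""
    s = int(seconds)
    years, s = divmod(s, 365 * 86400)
    days, s = divmod(s, 86400)
    hours, s = divmod(s, 3600)
    minutes, s = divmod(s, 60)
    return years, days, hours, minutes, s

# Constructed mini wordlist: a dictionary attack tries entries like these (with digit
# affixes) first, which is why "4July1776" falls far faster than its keyspace suggests.
WORDLIST = {"july", "football", "password", "summer"}

def dictionary_exposed(password: str) -> bool:
    """True when the password is only a wordlist entry with digits stuck on either end."""
    core = re.sub(r"^\d+|\d+$", "", password).lower()
    return core in WORDLIST
```

Doubling the guess rate halves every estimate, while each added character multiplies the keyspace by the charset size, which is why length beats raw CPU speed.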

 __________________

87. http://www.alpinesnow.com/bpcs.shtml

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.