Security Paranoia

IF YOU think the password protection on your MS Word file is keeping it safe from prying eyes, chances are you’re wrong. The time it takes to crack password-protected Microsoft Office files has tumbled from a 25-day average to a matter of seconds, thanks to a decades-old code-cracking technique that until recently was not viable.

The technique, described in a 1980 paper, A Cryptanalytic Time - Memory Trade-Off, involves pre-generating a massive “rainbow table” of passwords and their corresponding hashes - the encrypted strings of numbers computers use to verify passwords.

Until now, the terabytes of storage needed to write the tables haven’t been available. But cheap storage means rainbow tables are in vogue in the IT security industry. “Take a look at hard-drive storage. I buy terabytes like I used to buy megabytes,” says Christian Stankevitz, the laboratory manager for Chicago-based IT security consultancy Neohapsis.

In the past, passwords were cracked by randomly guessing at the correct string of characters in what’s known as a “brute force” attack. In these assaults, the encrypted form of the password - the hash - is extracted from the target file or computer. A randomly generated password is encrypted and its encrypted form is compared to the extracted hash. If it doesn’t match, the process is repeated until a match is found - it’s a long and tedious process.

With rainbow tables, the encrypted form of most possible passwords are pre-computed and stored alongside the actual, clear-text password. Users can simply look up virtually any hash in the massive index and match it to the corresponding password in seconds.

The tables can break password protection in many common file formats, including versions of Adobe’s PDF format (the current version is immune to the attack), the default encryption on protected Microsoft Office documents (40 bit) and even Windows password files.

“It’s a lot of (storage) space but the nice thing is it only needs to be done once,” says Pieter Zatko, a division scientist at BBN Technologies, a government contractor that conducts research for the US Department of Defence and other government agencies.

Mr Zatko is best known for writing the L0phtcrack password cracking tool in the ’90s. It was used to crack Windows passwords with ease, something he hoped would change the way organisations managed their passwords. Instead, L0phtcrack was commercialised and became the industry-standard password auditor, much to Mr Zatko’s dismay. “That was my problem with L0phtcrack. People were using it to audit their passwords,” he says. “It was supposed to be a statement of ‘understand your risks’.”

This article was derived from here

IF YOU think the password protection on your MS Word file is keeping it safe from prying eyes, chances are you’re wrong. The time it takes to crack password-protected Microsoft Office files has tumbled from a 25-day average to a matter of seconds, thanks to a decades-old code-cracking technique that until recently was not viable.

The technique, described in a 1980 paper, A Cryptanalytic Time - Memory Trade-Off, involves pre-generating a massive “rainbow table” of passwords and their corresponding hashes - the encrypted strings of numbers computers use to verify passwords.

Until now, the terabytes of storage needed to write the tables haven’t been available. But cheap storage means rainbow tables are in vogue in the IT security industry. “Take a look at hard-drive storage. I buy terabytes like I used to buy megabytes,” says Christian Stankevitz, the laboratory manager for Chicago-based IT security consultancy Neohapsis.

In the past, passwords were cracked by randomly guessing at the correct string of characters in what’s known as a “brute force” attack. In these assaults, the encrypted form of the password - the hash - is extracted from the target file or computer. A randomly generated password is encrypted and its encrypted form is compared to the extracted hash. If it doesn’t match, the process is repeated until a match is found - it’s a long and tedious process.

With rainbow tables, the encrypted form of most possible passwords are pre-computed and stored alongside the actual, clear-text password. Users can simply look up virtually any hash in the massive index and match it to the corresponding password in seconds.

The tables can break password protection in many common file formats, including versions of Adobe’s PDF format (the current version is immune to the attack), the default encryption on protected Microsoft Office documents (40 bit) and even Windows password files.

“It’s a lot of (storage) space but the nice thing is it only needs to be done once,” says Pieter Zatko, a division scientist at BBN Technologies, a government contractor that conducts research for the US Department of Defence and other government agencies.

Mr Zatko is best known for writing the L0phtcrack password cracking tool in the ’90s. It was used to crack Windows passwords with ease, something he hoped would change the way organisations managed their passwords. Instead, L0phtcrack was commercialised and became the industry-standard password auditor, much to Mr Zatko’s dismay. “That was my problem with L0phtcrack. People were using it to audit their passwords,” he says. “It was supposed to be a statement of ‘understand your risks’.”

This article was derived from here