How the Secret Service Cracks Encrypted Evidence

tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."

How To Make Easy Random Passwords

[cliffjumper222]

This might not be new to some, but it's quite easy to create random passwords that you can remember, although, I suppose you could argue that they are not completely random. Anyway, here goes:

1. Think of a sentence that you can remember, e.g., "My two lovely kids Spike and Mary eat noodles every day!"
2. Take the first letter of each word and use some common substitutions: "M2lkS&Mened!" - Bingo, not only is it a pretty random collection of letters but it includes numbers, upper case and lower case mixed and even punctuation. All lovely stuff to blunt brute force password attacks.
3. When you type it in, say the sentence to yourself in your head. It's really quite easy to remember that way. Also, you can even just about get away with writing it down (in an office environment) and not many people will understand it. Of course, I don't recommend this but people are people.
4. Don't forget to dump the sentence every few months or so and make up a new one. It's no big deal, they're easy to remember.

Hope that helps some.

Re:Isn't the effectiveness now compromised?

[X0563511]

Yes, you can mandate that users can only choose strong passwords.

Windows 2000 and up, go into the Local Security Policy (in mmc). Look for "Require Strong Password" (or similar, its been a while).

Why nobody uses it, I don't know.

Re:Acronym passwords are a good compromise

[John-D]

No, those are all horrible. If it is based on a real word, it will be tried first.

Any good cracking program will substitute $ for S, 4 for A, 3 for E, 7 for L, so on and so on.
This problem is even easier if (like most places, hopefully not microsoft) your IT dept still uses NTLM passwords for window auth. The password algorithm breaks your character into 2 7-char halves and generates a hash via DES. So your great 12 char password is really one 7 character and one 5. The 5 character part will be broken in under 1 hour ( I broke the NP4UL! portion of your password as I typed this; 7minutes, 27 seconds). Even worse are "policies" that enforce 8 character passwords under Windows. Guess how long it takes to 'break' a 1 character password. Those passwords halves are also non-salted and only DES. DES is made to be fast. look up some of the magic you can do with the MMX registers to make DES really fast in certain circumstances - where you are breaking about 60 or more password halves at once.
So if you have a list you are in luck because you can now compare the hash of the half you just broke with all the other halves in the list. Then you may save it off into a database to look up next time you are cracking passwords. Pre-calculation and other methods (so-called Rainbow tables) make cracking these passwords even easier.

Regular crypt passwords under Linux are almost as bad, except the salt makes them much more resistent to pre-calculation.
MD5 passwords under Linux are much more robust if you choose a moderately hard password; as all of the characters in your password count towards the hash, and MD5 is SLOW compared to DES.

My advice is to generate a random password and use that. Include non-printables (alt + numpad). Avoid real words. Write it down and keep it on you until you remember it; 3-4 uses for me usually does the trick. Play with John The Ripper - it does ntlm passwords now.

PS If you use samba, its passwords are also stored in NTLM format; so you should use a different password than your standard MD5 Linux login.