The user enters credentials such as a username and password. 2

Understanding Access Control Attacks 
645
With the speed of modern computers and the ability to employ distributed computing, 
brute-force attacks prove successful against even some strong passwords. The actual time it 
takes to discover passwords depends on the algorithm used to hash them and the power of 
the computer. 
Many attackers are using graphic processing units (GPUs) in brute-force attacks. In 
general, GPUs have more processing power than most CPUs in desktop computers. A quick 
search on the internet reveals online directions on how to create a multiple GPU computer 
for less than $10,000 and in just a few hours after you buy the parts. 
Mandylion Research Labs created an Excel spreadsheet showing how quickly passwords 
can be cracked. The number of guessed passwords a system can try is a moving target as 
CPUs and GPUs get better and better. We set the worksheet to assume the system can try 
350 billion passwords a second, and the following bullets show some calculated times it 
will take to crack different password combinations: 
■
8 characters (6 lowercase letters, 1 uppercase, 1 number)
: Less than a second 
■
10 characters (8 lowercase letters, 1 uppercase, 1 number)
: 1.29 hours 
■
12 characters (10 lowercase letters, 1 uppercase, 1 number)
: About 36 days 
■
15 characters (13 lowercase letters, 1 uppercase, 1 number)
: About 1,753 years
As processors get better and cheaper, it will be easier for attackers to cluster more pro-
cessors into a single system. This allows the systems to try more passwords per second, 
reducing the amount of time to takes to crack longer passwords. 
With enough time, attackers can discover any hashed password using an 
offline brute-force attack. However, longer passwords result in sufficiently 
longer times, making it infeasible for attackers to crack them.

Download 19,3 Mb.

Do'stlaringiz bilan baham: