
January 22nd, 2009

GPU-Accelerated Wi-Fi password cracking goes mainstream

Posted by Dancho Danchev @ 1:09 pm

Categories: Hackers, Passwords, Pen testing, Wi-Fi security, Wireless

Tags: Security, WiFi, Wardriving, Password Recovery, Password Cracking, ElcomSoft, Dancho Danchev

No weak password can survive a GPU-accelerated password recovery attack. Elcomsoft's Wireless Security Auditor, released last week, is meant to shorten the time it takes a network administrator to pen-test the strength of the WPA/WPA2-PSK passwords used on the wireless network. Its core functionality, shortening wireless password recovery time by up to a hundred times depending on the GPU used, is naturally also going to empower unethical wardrivers with the ability to easily guess 8 character passwords, which are no longer considered secure.

What’s particularly interesting about the Wireless Security Auditor is that it attempts the password recovery in an offline/stealth mode, instead of the noisy approach of brute forcing the router directly:

“Elcomsoft Wireless Security Auditor works completely in off-line, undetectable by the Wi-Fi network being probed, by analyzing a dump of network communications in order to attempt to retrieve the original WPA/WPA2-PSK passwords in plain text. Elcomsoft Wireless Security Auditor requires a valid log of wireless communications in standard tcpdump. The tcpdump format is supported by all commercial Wi-Fi sniffers. In order to audit your wireless network, at least one handshake packet must be present in the tcpdump file.”

Meanwhile, pen-testing companies have once again urged IT managers and end users to go beyond the 8 character password strength myth, and to anticipate the risks posed by the increasingly efficient password recovery solutions hitting the market:

“David Hobson said: ‘It’s a wake-up call to IT managers, pure and simple. IT managers should now move to 12 and even 16 character keys as a matter of urgency. It’s not very user-friendly, but the potential consequences of staying with eight character keys do not bear thinking about.’”
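As an added illustration (not from the original article or from Elcomsoft), the Python sketch below audits a candidate WPA/WPA2-PSK passphrase and shows how key length compares with the GPU speedup. The baseline guess rate is a hypothetical assumption, the 100x factor is the article's "up to a hundred times" figure, and the class-based keyspace is an upper bound on attacker effort.

```python
import math
import string

# Assumptions (not from the article): a hypothetical CPU guess rate. The
# speedup is the article's "up to a hundred times" figure.
BASELINE_GUESSES_PER_SEC = 1_000
GPU_SPEEDUP = 100
SECONDS_PER_YEAR = 365 * 24 * 3600

# The four classes together cover the 95 printable ASCII characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

def alphabet_size(passphrase):
    """Size of the union of character classes the passphrase draws from."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in passphrase))

def audit_psk(passphrase, speedup=GPU_SPEEDUP):
    """Upper-bound cost of exhaustively searching for a WPA/WPA2 passphrase.

    Upper bound only: a dictionary word or common pattern falls far sooner.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2-PSK passphrases are 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    size = alphabet_size(passphrase)
    keyspace = size ** len(passphrase)
    rate = BASELINE_GUESSES_PER_SEC * speedup
    return {
        "alphabet": size,
        "bits": round(len(passphrase) * math.log2(size), 1),
        "years_to_exhaust": keyspace / rate / SECONDS_PER_YEAR,
    }

def extra_chars_to_offset(speedup, size):
    """Characters to add so the keyspace grows at least `speedup`-fold."""
    n = 0
    while size ** n < speedup:
        n += 1
    return n

if __name__ == "__main__":
    for psk in ("a" * 8, "a" * 12, "a" * 16):
        print(len(psk), audit_psk(psk))
    print("chars to offset 100x:", extra_chars_to_offset(GPU_SPEEDUP, 26))
```

Two extra characters already cancel a hundredfold speedup for any alphabet of ten or more symbols, which is why the move from 8 to 12 or 16 characters matters more than the hardware.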

As previously discussed, best-practice wake-up calls remain largely ignored, prompting radical solutions in countries like India, for instance, which recently announced that a wardriving police unit will locate insecure wireless networks and notify the owners in order to “prevent the commission of a cognizable offense”.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.
