In this article, we discuss speed and time, which are the most important factors to consider when trying to crack a password.
When trying to recover / crack a password or use an encryption algorithm, one of the most important things to consider is speed and time. As you know, the most important thing that affects the speed when trying to recover passwords is the password algorithm used. But as you can imagine, this is not the only factor, there are some other factors that affect speed. In this article, we will include the opinions of people who are experts in informatics in password cracking and we will examine this issue in detail.
What is Military Grade Encryption?
In many places “military grade encryption, encryption algorithm, AES-256You must have heard some words like ”. Before looking at the factors that affect password cracking, we need to know these concepts, as these are the underlying concepts and algorithms that affect many things.
In 1973, it was requested by the US National Standards Office to develop an encryption algorithm that could be a strong and national standard for the period. Among the algorithms developed by many organizations IBM in 1974 The algorithm LUCIFER has been accepted, NSA after several changes implemented by DES It was named after it was adopted as the official encryption algorithm in 1977.
Meanwhile, with the computer revolution in the 1980s and the internet becoming a global communication tool in the 90s, the world gradually began to digitalize. In these years, when many of the shopping platforms, financial institutions and government institutions worked hard to carry out their activities in the virtual environment, an algorithm was required to encrypt large-sized data. For this, in 1997, which was previously the national encryption algorithm DES (Data Encryption Standart – Data Encryption Standard) accepted.
The Emergence of AES
Later in the following years, when it was seen that DES also had some weaknesses and did not withstand brute force attacks with the help of modern computers, it was replaced in 2001. AES (Advanced Encryption Standard) An encryption standard called the US government was introduced. On the basis of the AES algorithm, which contains 4 transactions cryptographically switch, mix and switch lies down.
In the future, although 128 and 192, different types of AES, are safe, it is thought that AES-256 algorithm has been developed. Thus, what we call military-grade encryption algorithm for use in critical institutions and data 256-bit key long AES has been developed. To break this algorithm 2 ^ 200 It is thought that the process is necessary, and that this many procedures can only be done in a longer period than the age of the universe. For this reason, attacks are generally done by trial and error on the password, not on the algorithm itself. Many of today popular messaging software taking these standards end-to-end encryption Comes with support.
Encrypted Files and Factors Affecting Recovery Time
Often times, to crack a document’s password, you generally need to access the entire file. In many cases the encryption metadata is mostly header stored in the information. This metadata may include the password hash, the salt value, and sometimes some encryption parameters.
Based on this, you can extract metadata of encryption in many file formats and documents from the header part. Although this metadata contains much more information, it is simply referred to as password hashes. That’s all we need to crack the password.
Exceptionally RAR3 and RAR4 Unfortunately, there is no such thing as we mentioned in archives with formats. For us to crack the password, the file header The hash in the section is not enough, the entire archive is required. In some files, another data block must be decrypted in order to verify the password. Even though both the password algorithm and the hash logic are the same, the cracking process takes more time than it is supposed because the methods used by different file types for password verification may be different.
Of course, it is not only the verification method of the password that affects the recovery time of a password, as in some ways several million copies per second password combination is allowed. Sometimes there are situations where you can get a single digit password attempt value.
Why Does Breaking Time Change According to Formats?
Elcomsoft As stated in an article, almost everyone uses AES-256 for encryption, but some file formats can be slower to crack. So what is the reason for this? Pretty simple actually. What is Hash As we explained in detail in our article, it is caused by the repetition of karma.
Time and Password Security Relationship
Technically, the longer it takes to crack a password, the more secure the password. Are there any theoretical limits on data security?
Most software developers and file formats approach the opening and unlocking of the user’s encrypted document. 0.3 seconds because the expectation of users is that it will take this much time on average. They generally measure this time according to modern computers. Newer and faster computers will be able to open the same document more quickly.
Many manufacturers use a single core of processors for password authentication very inefficiently. With the work done by Elcomsoft used all cores of the processor, and when optimizing the code, the attack speed was 10 to 25, than normal unlock speed GPU He says that if it is used, it increases another factor of 20 to 250.
In order to prevent this, the manufacturers take some measures. for example Apple using different numbers of hash iterations. VeraCrypt While software like software allows users to set the number of repetitions themselves, some password managers do it automatically.
How Much Trial and Error Can I Do?
While you can attempt an unlimited number of passwords to crack file passwords, if you fail after a certain number of attempts in the password system set by some manufacturers and developers, your access will be blocked after a while. For example a iPhone Or, if you’re attempting a password on an online service, you’ll likely be blocked in a very short time.
Is 2FA Available in Data Encryption Algorithms?
Two-step authentication is commonly used for encryption when provided by a remote service. Except this DRM It can also be used for copy protection in protected books, music and videos. In general, for normal data encryption 2FA we have hardly seen any software that uses it. While it is possible and functional in theory, it is not something that anyone can do and manage with confidence. To give an example of a service that uses 2FA, non-encryption OneDrive Personal Vault we think the service meets this definition.
Some Algorithms Break Faster Than Others
As we have mentioned since the beginning of our article, the algorithms used in some file formats can break faster or slower than others. The main reason for this is the difference in the number of hash iterations as we mentioned.
For example, Elcomsoft’s to an article We can take a look about this topic. In this article, where the speed and security of virtual machines are broken, some of them can be cracked very quickly, even reaching the speed of millions of attempts, while some of them are difficult to reach even thousands of attempts.
Still, the security in today’s software is not at all underestimated, many types of documents can be encrypted very strongly.
Understanding Trial Speed
You might think, “10 million attempts per second is good, trying 10 passwords is bad.” Actually it is not. The important thing is how many passwords you can crack in a certain period of time. A day, a week, a month?
You may not like the answer, but these are not. The decisive factor is to find the combination and number of passwords you need to try and start accordingly before finding the right password. Therefore, the speed is variable according to the situation, you have to be patient.
Using Salt in Hashing
Earlier hash topic We talked in detail. Someone come out and all common passwords related hash What if they could easily crack passwords by trying against their values? Or what if he tried the millions or even billions of passwords that have ever leaked at these hash values?
Here in order to prevent this absolute There is another unique value called, which is added to passwords before hash. The resulting hash is not the password itself, but the hash of salt along with the password. In order to verify a used only hash value, its corresponding salt value is needed. It is not just a secret in general, it is kept together with the hash. If salt, that is salt, is located in a separate database or physical server, this is also peppercalled pepper. Large companies generally use only passwords.
Pure Brute Force Attack and Intelligent Attacks
The breaking speed mentioned in many places is only valid for pure brute force attacks. It’s easy for attackers to add new passwords and new characters to the word list to use in a new attack. In addition, when password attempts are made with the help of GPUs that are much more powerful than normal CPUs in terms of parallel computing, the time is significantly shortened.
Still, we can say that pure brute force attacks are still effective in certain situations. Medium length passwords with classic lists and pure trial and error attack.
It is possible to quickly crack most passwords (such as those based on simple dictionaries and formed by combining a few words) with some dictionaries and methods we call smart brute-force. Such smart attacks can be slow, but deliver the result quicker than normal brute force attacks.
Obtaining iPhone Backup Passwords
In terms of brute force attacks, iPhone backups have very high protection. Apple has taken many measures to slow down trial and error attacks against iPhone backups. Even in a hardware-accelerated brute force attack, an average of 10 passwords per second can only be tried. Encrypted iTunes single core to backup and CPU When a brute force attack is made using a method using 15 seconds for a single password is required. But the application itself can open backups very quickly when the correct password is entered.
When you need to recover a password, you should determine your strategy appropriately and act according to the encryption algorithm used by the target file. When it comes to brute force attacks or attacks directly to the algorithm itself, you should use your ability to use the hardware at your disposal and try out various forms of passwords. If the algorithm itself is what you’re attacking, you should know the algorithm well and try to find out if such a thing is possible.
In this article, we talked about the important factors that affect password recovery and cracking. If there are things you want to add and correct in the article, you can comment, for your questions and questions. At Technopat Social You can exchange ideas with our members by opening a topic.