You know the drill: use a long and varied password, don’t use the same password twice, use a different password for every site. Is using a short password really that dangerous? Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

問題

超級使用者讀者user31073很好奇他是否真的應該注意那些簡短的密碼警告：

Using systems like TrueCrypt, when I have to define a new password I am often informed that using a short password is insecure and “very easy” to break by brute-force.

I always use passwords of 8 characters in length, which are not based on dictionary words, which c***ists of characters from the set A-Z, a-z, 0-9

I.e. I use password like sDvE98f1

How easy is it to crack such a password by brute-force? I.e. how fast.

I know it heavily depends on the hardware but maybe someone could give me an estimate how long it would take to do this on a dual core with 2GHZ or whatever to have a frame of reference for the hardware.

To brute-force attack such a password one needs not only to cycle through all combinati*** but also try to decrypt with each guessed password which also needs some time.

Also, is there some software to brute-force hack TrueCrypt because I want to try to brute-force crack my own password to see how long it takes if it is really that “very easy”.

短隨機字元密碼真的有風險嗎？

答案

超級使用者貢獻者Josh K.強調了攻擊者需要什麼：

If the attacker can gain access to the password hash it is often very easy to brute force since it simply entails hashing passwords until the hashes match.

The hash “strength” is dependent on how the password is stored. A MD5 hash might take less time to generate then a SHA-512 hash.

Windows used to (and may still, I don’t know) store passwords in a LM hash format, which uppercased the password and split it into two 7 character chunks which were then hashed. If you had a 15 character password it wouldn’t matter because it only stored the first 14 characters, and it was easy to brute force because you weren’t brute forcing a 14 character password, you were brute forcing two 7 character passwords.

If you feel the need, download a program such as John The Ripper or Cain & Abel (links withheld) and test it.

I recall being able to generate 200,000 hashes a second for an LM hash. Depending on how Truecrypt stores the hash, and if it can be retrieved from a locked volume, it could take more or less time.

Brute force attacks are often used when the attacker has a large number of hashes to go through. After running through a common dictionary they will often start weeding passwords out with common brute force attacks. Numbered passwords up to ten, extended alpha and numeric, alphanumeric and common symbols, alphanumeric and extended symbols. Depending on the goal of the attack it can lead with varying success rates. Attempting to compromise the security of one account in particular is often not the goal.

另一位撰稿人Phoshi進一步闡述了這一觀點：

Brute-Force is not a viable attack, pretty much ever. If the attacker knows nothing about your password, he isn’t getting it through brute-force this side of 2020. This may change in the future, as hardware advances (For example, one could use all however-many-it-has-now cores on an i7, massively speeding up the process (Still talking years, though))

If you want to be -super- secure, stick an extended-ascii symbol in there (Hold alt, use the numpad to type in a number larger than 255). Doing that pretty much assures that a plain brute-force is useless.

You should be concerned about potential flaws in truecrypt’s encryption algorithm, which could make finding a password much easier, and of course, the most complex password in the world is useless if the machine you’re using it on is compromised.

我們可以將Phoshi的回答解釋為“暴力不是一個可行的攻擊，當使用複雜的當前一代加密時，幾乎從來沒有”。

正如我們在最近的文章中強調的，暴力攻擊解釋了：所有的加密都是易受攻擊的，加密方案老化，硬體能力增加，所以過去的硬目標（如微軟的NTLM密碼加密演算法）在幾個小時內就可以被擊敗只是時間問題。

有什麼要補充的解釋嗎？在評論中發出聲音。想從其他精通技術的Stack Exchange使用者那裡瞭解更多答案嗎？在這裡檢視完整的討論主題。