Why an 8-Character Password is Not Enough

Take a common password8 characters in length, composed of 1 word, 1 numbers and 1 punctuation mark:

The Attack

Using a script (a program that automatically executes tasks instead of a human), the script starts to guess all possible 8-character password combinations. This will take about 3 days.

This is a brute force attack – very little elegance, just plain old grinding it out.

The More Sophisticated Attack

Using a dictionary attack, again the attacker runs a script, but this time instead of random guessing, dictionaries of words are tried first, specifically, the most common password words are tried.

See yours in here?

The Defence

Choose 3 obscure words, string them into a sentence separated by punctuation and numbers.

***

This post has been brought to you by Nuix and KeriBlog. Meet Nuix here.

 

 

This Robot is Brute-Forcing an iPhone

The robot will try all possible 4-digit passwords on an iPhone.

Seen at Black Hat 2013.

Best Use I Can See

It’s not elegant, but it would work. Grab a phone off the street, return to a secure location, put it under the robot, wait.

You’d need a location though, and time. And it’d be a targeted attack; you’d be after the information on the phone, not the phone itself. Otherwise, just wipe it.

Defences

– turn OFF simple passcode. Then you can have a longer passcode, with alphanumeric characters
– turn ON “after 10 failed password attempts this iPhone will wipe itself”
don’t use any of these – Most Common iPhone Passwords
– hang onto your phone tight, but not like this this

Sorry, that’s all I know; saw it en route to the car hacking talk.

So if this robot belongs to you, email me and I’ll link you up, and any explanation you’d like to add.