Thread: KeePass pasword vault

Brute force on most sites is a thing of the past. Most sited have a security lockout if your password is failed to much. Even with 10,000 slave bots at 5 guesses each, per 15 minutes, it's still a stupid about of time. Hell I think most sites will lock your account if too many failed attempts occur and force you to reactivate.


Most brute forcing happens on encrypted files that the hacker has acquired locally. And is trying to hack locally.

As for 256bit aes, I'm not familiar with it but it probably stands no chance up against modern gpu cracking approaches look at the latest specs for nvidia titan cards

Mobile-

Originally Posted by Bunni

Brute force on most sites is a thing of the past. Most sited have a security lockout if your password is failed to much. Even with 10,000 slave bots at 5 guesses each, per 15 minutes, it's still a stupid about of time. Hell I think most sites will lock your account if too many failed attempts occur and force you to reactivate.


Most brute forcing happens on encrypted files that the hacker has acquired locally. And is trying to hack locally.

As for 256bit aes, I'm not familiar with it but it probably stands no chance up against modern gpu cracking approaches look at the latest specs for nvidia titan cards

Mobile-

256bit RSA has been dead for awhile, but 256bit AES block cypher is still very much alive, the best known attacks are on the order of 2^254 ops according to wikipedia.

Advanced Encryption Standard - Wikipedia, the free encyclopedia

So if we play this game the number of flops of a GTX titan is 4.5 tflops. We can assume this is the floor for integer performance, but within an order of magnitude or so. Given this we get something like 6^63 seconds for key recovery. this is approximately 10^46 more time than the universe has existed. I would say this is a very conservative estimate since I don't know if the code for such an attack can be effectively sped up by a GPU.

-H

ed. Man, had to open matlab to do that, but I love playing these games

Originally Posted by iLLusioN

Keepass is amazing. I need to get it allowed at work...would make things significantly easier with 21381092348021984 accounts and rolling passwords every 30 days for all of them.

This times 1000. I (not exaggerating) have 19 usernames and passwords at work just for network access. That's not counting the user names and passwords to sites and services on those networks. All the passwords get changed regularly and they all must be long and complex. It's maddening. Throw in my personal stuff for bills, banks, shopping, mail, social sites and games and it's a major headache. And if you want to be secure, everything needs a unique password so if say LinkedIn gets hacked, the assholes don't also get your PayPal. I hate those guys so much...

Sent from my Nexus 7 using Tapatalk

Originally Posted by hannibal

256bit RSA has been dead for awhile, but 256bit AES block cypher is still very much alive, the best known attacks are on the order of 2^254 ops according to wikipedia.

Advanced Encryption Standard - Wikipedia, the free encyclopedia

So if we play this game the number of flops of a GTX titan is 4.5 tflops. We can assume this is the floor for integer performance, but within an order of magnitude or so. Given this we get something like 6^63 seconds for key recovery. this is approximately 10^46 more time than the universe has existed. I would say this is a very conservative estimate since I don't know if the code for such an attack can be effectively sped up by a GPU.

-H

ed. Man, had to open matlab to do that, but I love playing these games

But they don't just brute force the hash. They start with using a dictionary of passwords to weed out the easy ones. And don't think that 1337 speak makes your password good against this type of dictionary. That alone nets them what they want. Then they have plenty of time to use the power of their distributed computer network of zombies to break the rest. There is no password security. Two factors are needed for decent security.

Sent from my Nexus 7 using Tapatalk

http://arstechnica.com/security/2013...our-passwords/

Everyone should read the original story and the follow up I linked. It's just too easy.

Sent from my Nexus 7 using Tapatalk

Originally Posted by Gumby

But they don't just brute force the hash. They start with using a dictionary of passwords to weed out the easy ones. And don't think that 1337 speak makes your password good against this type of dictionary. That alone nets them what they want. Then they have plenty of time to use the power of their distributed computer network of zombies to break the rest. There is no password security. Two factors are needed for decent security.

Sent from my Nexus 7 using Tapatalk

They also have rainbow tables.

Originally Posted by Gumby

But they don't just brute force the hash. They start with using a dictionary of passwords to weed out the easy ones. And don't think that 1337 speak makes your password good against this type of dictionary. That alone nets them what they want. Then they have plenty of time to use the power of their distributed computer network of zombies to break the rest. There is no password security. Two factors are needed for decent security.

Sent from my Nexus 7 using Tapatalk

This post was about the security of AES via key reovery. My Keepass file is two factor, requiring a key and a master password.

-H

Originally Posted by Partyball

They also have rainbow tables.

Rainbow tables work by pre-computing unsalted hashes of known plain text. This is why salts have become standard.

-H

Originally Posted by hannibal

Rainbow tables work by pre-computing unsalted hashes of known plain text. This is why salts have become standard.

-H

Salts are not secure either. Better but still not two factors.

Sent from my Nexus 7 using Tapatalk