Page 1046 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

4. Repeat steps 1 through 3 until a guessed password has the same hash as a stored password.

This is also known as comparative analysis. When the password-cracking tool finds a matching hash value, it indicates that the guessed password is very likely the original password. The attacker can now use this password to impersonate the user.

If two separate passwords create the same hash, the result is a collision. Collisions aren't desirable, and ideally they aren't possible, but some hashing functions (such as MD5) are not collision free. This allows an attacker to create a different password that results in the same hash as a hashed password stored in the account database file. This is one of the reasons that MD5 is not recommended for hashing passwords today.

With the speed of modern computers and the ability to employ distributed computing, brute-force attacks prove successful against even some strong passwords. The actual time it takes to discover passwords depends on the algorithm used to hash them and the power of the computer.
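The two factors named in that sentence, the per-guess cost of the hash algorithm and the guess rate of the hardware, can be put into numbers. The Python below is an added example, not code from the study guide or from Mandylion Research Labs. It assumes the 350-billion-guesses-per-second rate and the three password compositions quoted further down the page, counts candidates as 26^lower * 26^upper * 10^digits (optionally multiplied by the number of ways the upper-case and digit characters can be placed), and uses PBKDF2-HMAC-SHA256 at an assumed 100,000 iterations as the slow, salted alternative to MD5. Its times will not match the spreadsheet's exactly, because the page does not state how that tool counts candidates.

```python
"""Brute-force effort estimate: keyspace, guess rate and per-guess hash cost.

Added example, not from the study guide or Mandylion Research Labs.
Assumptions are marked in comments.
"""
import hashlib
import os
import time
from math import comb

LOWER_ALPHABET = 26
UPPER_ALPHABET = 26
DIGIT_ALPHABET = 10
QUOTED_RATE = 350_000_000_000  # guesses per second, the figure quoted in the text


def keyspace(lower: int, upper: int, digits: int, any_order: bool = False) -> int:
    """Number of candidate passwords with the given character-class composition.

    any_order=False assumes the attacker already knows which positions hold
    which class (a lower bound). any_order=True lets the upper-case and digit
    characters sit anywhere, multiplying the count by a multinomial
    coefficient. Both are assumed counting models, not the spreadsheet's.
    """
    fixed = LOWER_ALPHABET ** lower * UPPER_ALPHABET ** upper * DIGIT_ALPHABET ** digits
    if not any_order:
        return fixed
    n = lower + upper + digits
    placements = comb(n, upper) * comb(n - upper, digits)
    return fixed * placements


def seconds_to_exhaust(candidates: int, rate: float = QUOTED_RATE) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def guesses_per_second(hash_fn, budget_seconds: float = 0.2) -> float:
    """Measure how many candidate hashes this machine computes per second.

    Only the cost of one hash evaluation is measured; that cost is the knob a
    defender controls by choosing the password-hashing algorithm.
    """
    count = 0
    start = time.perf_counter()
    deadline = start + budget_seconds
    while time.perf_counter() < deadline:
        hash_fn(f"candidate{count}".encode())  # constructed candidate strings
        count += 1
    return count / (time.perf_counter() - start)


def md5_hash(candidate: bytes) -> bytes:
    """Unsalted MD5, the fast hash the text warns against."""
    return hashlib.md5(candidate).digest()


_SALT = os.urandom(16)  # constructed per run; real systems store one salt per user


def pbkdf2_hash(candidate: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; 100,000 iterations is an assumed cost setting."""
    return hashlib.pbkdf2_hmac("sha256", candidate, _SALT, 100_000)


def slowdown_factor() -> float:
    """How many times fewer guesses per second PBKDF2 allows than MD5 here."""
    return guesses_per_second(md5_hash) / guesses_per_second(pbkdf2_hash)


if __name__ == "__main__":
    compositions = [
        ("8 chars (6 lower, 1 upper, 1 digit)", (6, 1, 1)),
        ("10 chars (8 lower, 1 upper, 1 digit)", (8, 1, 1)),
        ("12 chars (10 lower, 1 upper, 1 digit)", (10, 1, 1)),
    ]
    for label, comp in compositions:
        low = seconds_to_exhaust(keyspace(*comp))
        high = seconds_to_exhaust(keyspace(*comp, any_order=True))
        print(f"{label}: {low:,.1f} s to {high / 3600:,.1f} h at {QUOTED_RATE:,} guesses/s")
    factor = slowdown_factor()
    print(f"PBKDF2 cuts this machine's guess rate by roughly {factor:,.0f}x")
    # Illustrative scaling only: applies the measured ratio to the quoted rate.
    slow_rate = QUOTED_RATE / factor
    days = seconds_to_exhaust(keyspace(10, 1, 1), slow_rate) / 86400
    print(f"at {slow_rate:,.0f} guesses/s the 12-char space takes about {days:,.0f} days")
```

The keyspace bounds show how much the estimate depends on what the attacker is assumed to know about password structure, and the measured ratio shows that switching from MD5 to a deliberately slow, salted construction moves the problem by orders of magnitude regardless of how fast the attacker's hardware is.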

Many attackers are using graphics processing units (GPUs) in brute-force attacks. In general, GPUs have more processing power than most CPUs in desktop computers. A quick search on the internet reveals online directions on how to create a multiple-GPU computer for less than $10,000 and in just a few hours after you buy the parts.


Mandylion Research Labs created an Excel spreadsheet showing how quickly passwords can be cracked. The number of guessed passwords a system can try is a moving target as CPUs and GPUs get better and better. We set the worksheet to assume the system can try 350 billion passwords a second, and the following bullets show some calculated times it will take to crack different password combinations:

• 8 characters (6 lowercase letters, 1 uppercase, 1 number): Less than a second

• 10 characters (8 lowercase letters, 1 uppercase, 1 number): 1.29 hours

• 12 characters (10 lowercase letters, 1 uppercase, 1 number): About