Tuts 4 You

[STORY] Even Russian spies have absurd password requirements



From this fascinating CNET article on a few of the techniques that the Russian spies used to exchange data:

…the steganographic program was activated by pressing control-alt-E and then typing in a 27-character password, which the FBI found written down on a piece of paper during one of its searches.

While online passwords never need to be this complex - centralized management can prevent brute-force attack. Arguably, longer passwords are more important for local software (that can be stolen, then brute-forced). In fact, the leading theories on the ‘cracking’ of the Wikileaks video suggest that they brute-forced the password that unlocked the encrypted contents.

A 27-character password certainly makes brute-forcing the password impossible. But human nature, even to extremely well-trained spies, is to write things like this down.

CNET article


How did Wikileaks decrypt the video?

The answer is "nothing much". There are two types of encryption: serious, and casual. If the file were seriously encrypted, then Wikileaks would not be able to break it, no matter how much computing power they had. On the other hand, if the file were casually encrypted, then it could be broken by a desktop computer in an hour.

A typical example of casual encryption is WinZip. One of the options is to encrypt your file using a password. I use this sort of encryption all the time. If I want to send sample computer viruses to other security researchers, I’ll zip them up with the password "infected" so that the e-mail virus scanners won’t block them (and to inform the recipient to take care).

It’s easy to crack this encryption. There are lots of zip-cracking packages out there that will attempt to decrypt the file by trying all the words in a dictionary. E-mail gateways don’t do this because they can afford to spend an hour trying to crack a single file, nor do they want to delay e-mail that long. But this doesn’t mean the file is seriously "secure".

I could instead choose to be serious about encrypting the zip file. I could choose a longer password like "7dh73hdHkLe)dn@hn!xoq3%axhgGK:V3tgh(kjg%3fjkfQl[" and AES encryption, and feel confident that even the master spies in the government would not be able to decrypt the file, not even with their billions of dollars of computing power. The only way to break this sort of password is if somebody leaks it -- in which case it's even easier to decrypt than using a dictionary of common passwords.

The important thing about cracking such encryption is that the problem is exponential. A 12-character password is not twice as hard to decrypt as a 6-character password -- it is instead a trillion times harder. If a single computer can decrypt a 6-character password in an hour, then it would take that same computer 100-million years to crack a 12-character password. An 18-character password would be a trillion times more difficult than even that. If you pick a long password, with random characters, and correctly encrypt something, then no amount of compute power will be able to crack it.

Wikileaks says:

Have encrypted videos of US bomb strikes on civilians http://bit.ly/wlafghan2 we need super computer time http://ljsf.org/

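The scaling argument in the post above, worked through as an added example (not part of either post or the quoted articles). It assumes uniformly random passwords, exhaustive search at the post's calibration rate of one full 6-character keyspace per hour, and an alphabet size derived from the post's "trillion times" figure; the 95-symbol printable-ASCII alphabet is included for comparison.

```python
import math

HOURS_PER_YEAR = 24 * 365.25

def keyspace(alphabet_size: int, length: int) -> int:
    """Exact count of passwords of `length` symbols from the alphabet."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)

def implied_alphabet(factor: float, extra_chars: int) -> float:
    """Alphabet size implied by 'extra_chars more characters is factor times harder'."""
    return factor ** (1.0 / extra_chars)

def years_to_exhaust(alphabet_size: int, length: int,
                     ref_length: int = 6, ref_hours: float = 1.0) -> float:
    """Worst-case years to try every password of `length`, given that the
    whole ref_length keyspace takes ref_hours (the post's calibration)."""
    ratio = alphabet_size ** (length - ref_length)
    return ratio * ref_hours / HOURS_PER_YEAR

def report(alphabets=(100, 95), lengths=(6, 12, 18, 27)):
    """Rows of (alphabet, length, entropy bits, worst-case years)."""
    return [(a, n, entropy_bits(a, n), years_to_exhaust(a, n))
            for a in alphabets for n in lengths]

if __name__ == "__main__":
    # "A trillion times harder" for 6 extra characters implies ~100 symbols.
    print(f"implied alphabet: {implied_alphabet(1e12, 6):.1f} symbols")
    for a, n, bits, years in report():
        print(f"alphabet={a:3d} length={n:2d} "
              f"entropy={bits:6.1f} bits  worst case={years:.3e} years")
```

With a 100-symbol alphabet the 12-character row comes out at about 1.14e8 years, matching the post's "100-million years"; the 27-character row is the password length from the first post.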
