Cracking passwords on a PlayStation
2007-12-03 16:37:00 by Keith Brown in Security Briefs
 

I remember making a joke not long ago about my kid sister attacking a password database using her Nintendo DS. Looks like the PS3 has an architecture that makes it especially well suited for this type of attack.

Security researcher Nick Breese used a PS3 to crack supposedly strong eight-character passwords in hours. Previous attempts to crack such passwords typically took days to get the same result.

I found this story via Kim's blog, where he points out that using password-based encryption is dangerous. What he's referring to is using encryption where the key is derived from a password.

Lots of consumer-oriented encryption works this way. For example, when you encrypt a ZIP file with a password, clearly the password is being used to derive a key. Let's say this resulted in a 256-bit AES key. Don't fool yourself - your keyspace is not 256 bits! If you used a 12-character password, it's only a 79-bit keyspace. And that's the best case, assuming you included numbers and punctuation characters as well as upper- and lower-case letters, and generated it from a good random source. If you only used numbers, you'd end up with a whopping 40-bit keyspace.
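As an added example (not code from the post or from the researcher's work), this Python reproduces the keyspace arithmetic above for the post's two cases and shows a salted, iterated key derivation, which raises the cost of each guess but cannot add bits the password never had. The character-set sizes, iteration count and guess rate are assumptions chosen for illustration.

```python
"""Effective keyspace of a password-derived key (added example)."""
import hashlib
import math

# Assumed alphabet sizes; 95 printable ASCII symbols matches the post's
# 79-bit figure for a 12-character password.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "alnum_mixed": 62,
    "full_printable": 95,
}


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def effective_bits(length: int, alphabet_size: int, nominal_key_bits: int) -> float:
    """A key derived from a password is never stronger than the password."""
    return min(float(nominal_key_bits), keyspace_bits(length, alphabet_size))


def brute_force_hours(bits: float, guesses_per_second: float) -> float:
    """Worst-case hours to exhaust a keyspace at an assumed guess rate."""
    return (2.0 ** bits) / guesses_per_second / 3600.0


def derive_key(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 256-bit key. Iterations multiply per-guess cost;
    the salt defeats precomputed tables. Neither enlarges the keyspace."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        bits = effective_bits(12, size, 256)
        # Assumed rate of 1e9 guesses/s for a single fast machine.
        print(f"{name:15s} 12 chars: {bits:5.1f} bits, "
              f"{brute_force_hours(bits, 1e9):.2e} h at 1e9 guesses/s")
    key = derive_key(b"correct horse", b"constructed-salt", 1000)
    print("derived key:", key.hex())
```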

Hervey and I worked on an article a while back that addressed this issue, in case you want more background information. The moral of the story is: if you're forced to use passwords to authenticate users, it's a good idea to tunnel this over a stronger form of encryption (SSL is a very common example).
