How a security professional had to crack his own password


The CTO of WhiteHat Security, Jeremiah Grossman, shared a personal account over the weekend of how he recently forgot a crucial password required to access his work files. These files are stored inside an encrypted image file, and he had changed his password recently as part of his regular practice.

Unfortunately, as someone who is necessarily paranoid about security, he had no paper backup of the elusive password. He had also encrypted the image with AES-256, the strongest encryption available.

This made it extraordinarily difficult to crack; Grossman estimates that it would take "multiple decades of cracking" at current processor speeds.

As a prominent security professional himself, Grossman was thankfully able to recruit some of the foremost experts in password cracking to assist. By narrowing down the characters and symbols used, the possible password combinations were reduced from over 41 billion to just 22 thousand, and the 25-GPU cluster then took three and a half minutes to crack the password.

"I've come to appreciate why password storage is ever so much more important than password complexity," Grossman wrote in his blog of his ordeal. He noted: "Clearly, I need paper backup, and thinking maybe about giving it to my attorney for safekeeping where it'll enjoy legal privilege protection. We'll see."

For more:
- check out this article at Ars Technica
