Over the past several weeks a huge wave of cyber attacks targeted high profile companies such as Sony, Google, Lockheed Martin and others.
“For us this wave of attacks does not come as a surprise. The rise of cheap and extremely powerful GPUs (graphical processing units) just rendered passwords completely useless,” said George Gauci, Business Development Manager of Aloaha, a Malta-based software and smart-card technology development company.
“A fairly standard graphics card today can brute force a five-letter NTLM (Microsoft security protocol) password in less than a second; seven-letter passwords are cracked in just under 20 minutes. Currently passwords must be at least nine characters to increase the cracking time to more than 30 days. But with 500 Gigaflop netbooks around the corner it will be just a question of months before the minimum password length must be 15 characters or more,” warned Mr Gauci.
He does not believe that OTP (one-time password) tokens are the solution, as the attack on Lockheed Martin has shown that OTP can never be secure, since the algorithm of the token has to be known by the server and thus could also be known by an intruder.
“This case has shown that OTP stands more for ‘Obscurity Takes Privacy’ rather than ‘One Time Password’”, according to Mr Gauci.
Aloaha argues that the only secure form of authentication is one based on asymmetric cryptography, for example with smartcards.
Smartcard authentication is already available for any Windows-based machine that is a member of a domain. All the user requires is a smartcard and middleware software such as the Aloaha Smartcard Connector. Once correctly configured, the insecure password authentication can even be disabled completely. For machines which are not members of a domain, there is AloahaSmartlogin, a package which allows the user to encrypt his/her password with the smartcard. That way the user can choose a very long 100 character password and encrypt it with the smartcard; AloahaSmartlogin takes care of passing this password to the logon process. Even a 500 Gflop netbook would take years to crack such a smartcard-encrypted password.
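The following Go program is an added illustration, not Aloaha's code and not how AloahaSmartlogin is implemented internally. It models the idea described above for machines outside a domain: a long random logon password is generated, sealed to a public key with RSA-OAEP (standing in for the smartcard, whose private key would normally never leave the card), and only the sealed blob is stored; at logon the private key recovers the password. It also works through the brute-force arithmetic behind Mr Gauci's length figures: the keyspace in bits and the worst-case exhaustion time for each password length at an assumed guess rate. The function names, the 2048-bit key size, the character set, the OAEP label and the 10^9 guesses/s rate are all assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math"
	"math/big"
)

// Printable ASCII character set for generated passwords (constructed for this example).
const passwordCharset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// Label bound into the OAEP padding so the blob cannot be repurposed for another context (assumed value).
var oaepLabel = []byte("logon-password")

// GeneratePassword returns n characters drawn uniformly from passwordCharset.
// rand.Int avoids the modulo bias that "randomByte % len(charset)" would introduce.
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(passwordCharset)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = passwordCharset[idx.Int64()]
	}
	return string(out), nil
}

// KeyspaceBits is log2 of the number of candidate passwords of the given length.
func KeyspaceBits(charsetSize, length int) float64 {
	return float64(length) * math.Log2(float64(charsetSize))
}

// WorstCaseCrackSeconds is the time to exhaust the whole keyspace at guessesPerSecond.
func WorstCaseCrackSeconds(charsetSize, length int, guessesPerSecond float64) float64 {
	return math.Pow(float64(charsetSize), float64(length)) / guessesPerSecond
}

// NewCardKey generates the key pair a real deployment would create on the smartcard;
// here it lives in process memory so the example runs offline.
func NewCardKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealPassword models enrolment: the password is encrypted to the card's public key.
// With a 2048-bit key and SHA-256, OAEP accepts up to 190 bytes, so 100 characters fit.
func SealPassword(pub *rsa.PublicKey, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), oaepLabel)
}

// UnsealPassword models logon: only the matching private key can recover the password
// that is then handed to the logon process. Any other key yields a decryption error.
func UnsealPassword(priv *rsa.PrivateKey, sealed []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	rate := 1e9 // assumed GPU guess rate: one billion guesses per second (illustrative)
	for _, n := range []int{5, 7, 9, 15, 100} {
		fmt.Printf("%3d chars: %6.1f bits, worst case %.3g s at %.0e guesses/s\n",
			n, KeyspaceBits(len(passwordCharset), n),
			WorstCaseCrackSeconds(len(passwordCharset), n, rate), rate)
	}

	card, err := NewCardKey()
	if err != nil {
		panic(err)
	}
	pw, err := GeneratePassword(100)
	if err != nil {
		panic(err)
	}
	sealed, err := SealPassword(&card.PublicKey, pw)
	if err != nil {
		panic(err)
	}
	recovered, err := UnsealPassword(card, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed blob: %d bytes on disk; recovered password matches: %v\n", len(sealed), recovered == pw)
}
```

The point the numbers make is that the attacker who steals the sealed blob is left with two options: factor the RSA key, or brute force a 100-character password whose keyspace is several hundred bits, neither of which a faster GPU changes materially. The weak link moves from password length to protection of the private key, which is exactly what keeping it on the card is for.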
Strong passwords of this kind can also be extended to cover hard disk and document encryption.