Ever been annoyed by those password policies that say "one digit, one uppercase, one lowercase" and then cap your password at, say, 12 characters? Are such passwords still secure now that cheap processing power is freely available? A while ago I stumbled upon an article which, among other things, shared some really interesting data on how long it takes to crack the standard hashes used to protect stored passwords in WLANs, web sites and operating systems. This prompted a refresher on password security and brute-forcing performance. The numbers are worth sharing.
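As an added illustration (mine, not part of the original post or of the article it cites), here is a small script that counts how many passwords such a policy actually admits and how long exhausting that space takes at a given guess rate. The 1e10 guesses/s figure is an assumed placeholder for a fast, unsalted hash on commodity GPUs, not a number taken from the article:

```python
"""Keyspace and exhaustive-search time under a password policy.

Added example, not from the original post. It counts the passwords a
policy admits (inclusion-exclusion over the required character classes)
and converts that into search time at an assumed guess rate. The rate
used in __main__ is an illustrative placeholder, not a figure from the
article the post refers to.
"""
from itertools import combinations

# Character classes of a typical US-ASCII keyboard.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def keyspace(length, classes=CLASSES, required=()):
    """Number of strings of exactly `length` characters drawn from the
    union of `classes` that contain at least one character from each
    class named in `required` (inclusion-exclusion)."""
    total = sum(classes.values())
    req = list(required)
    count = 0
    for k in range(len(req) + 1):
        for excluded in combinations(req, k):
            # strings that avoid every class in `excluded`
            alphabet = total - sum(classes[c] for c in excluded)
            count += (-1) ** k * alphabet ** length
    return count


def keyspace_up_to(max_length, classes=CLASSES, required=()):
    """Sum of keyspace() over lengths 1..max_length: what an attacker who
    tries shorter candidates first has to exhaust in the worst case."""
    return sum(keyspace(n, classes, required) for n in range(1, max_length + 1))


def seconds_to_exhaust(count, guesses_per_second):
    """Worst-case wall-clock seconds to try every candidate."""
    return count / guesses_per_second


def compare_policies(guesses_per_second):
    """Worked comparison: the policy from the post (three classes required)
    with an 8- and a 12-character cap, against a 16-character passphrase
    drawn from lowercase letters only. Returns seconds for each."""
    alnum = {k: CLASSES[k] for k in ("lower", "upper", "digit")}
    mixed = ("lower", "upper", "digit")
    spaces = {
        "policy_8_mixed": keyspace_up_to(8, alnum, required=mixed),
        "policy_12_mixed": keyspace_up_to(12, alnum, required=mixed),
        "passphrase_16_lower": keyspace(16, {"lower": 26}),
    }
    return {name: seconds_to_exhaust(n, guesses_per_second) for name, n in spaces.items()}


if __name__ == "__main__":
    # Assumed illustrative rate for a fast, unsalted hash on commodity GPUs.
    RATE = 1e10
    for name, secs in compare_policies(RATE).items():
        print(f"{name:<22} {secs / 86400 / 365.25:12.1f} years at {RATE:.0e} guesses/s")
```

The inclusion-exclusion step matters more than it looks: requiring all three classes removes only about a quarter of the 62^8 space, so the "complexity" rule buys almost nothing, while each extra character multiplies the work by the alphabet size. Divide the rate by a few thousand for a slow, salted KDF and the same script shows why the hash algorithm matters as much as the policy.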
In my recent Android trainings and in the Android security talk I gave at AppForum 2014, I was asked for a demo that could be easily replicated to show why maintaining a proper security posture matters. So I wrote a script that 'recovers' the PSKs stored on the device and displays them.
Before moving on, a brief disclaimer: Android (or iOS, or Windows) is pretty secure out of the box; it is up to the user how much of that security is traded for convenience (or lost to ignorance).
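To make the point concrete, here is an added example of what such a 'recovery' amounts to. It is my code, not the script from the talk, and it assumes the device is rooted (or a root shell is otherwise available) and that the supplicant config, conventionally /data/misc/wifi/wpa_supplicant.conf on older Android builds, has already been pulled off with adb. SAMPLE_CONF is a constructed stand-in for that file; the "IEEE"/"password" pair is the PSK test vector from the 802.11i annex:

```python
"""Extract stored Wi-Fi PSKs from an Android wpa_supplicant.conf.

Added example; this is not the author's script. Assumptions: a root
shell is available and the supplicant config (conventionally
/data/misc/wifi/wpa_supplicant.conf on older Android builds) has been
copied off the device with `adb pull`. SAMPLE_CONF below is constructed.
"""
import hashlib
import re

# Constructed sample in wpa_supplicant's own format: quoted strings,
# bare-hex SSIDs and either passphrase or 64-hex raw PSK entries.
SAMPLE_CONF = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1

network={
    ssid="HomeNet"
    psk="correct horse battery staple"
    key_mgmt=WPA-PSK
    priority=5
}

network={
    ssid="CoffeeShop"
    key_mgmt=NONE
}

network={
    ssid="IEEE"
    psk=f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    key_mgmt=WPA-PSK
}

network={
    ssid=4f6666696365
    psk="hunter22hunter22"
    key_mgmt=WPA-PSK
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
KEY_VALUE = re.compile(r"^\s*([A-Za-z_]+)=(.*?)\s*$", re.M)
HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def _unquote(value):
    """wpa_supplicant writes SSIDs either quoted or as bare hex bytes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if re.fullmatch(r"([0-9a-fA-F]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_networks(conf_text):
    """Return one dict per network={...} block: ssid, key_mgmt, psk and
    whether the psk is a passphrase or an already-derived 256-bit PSK."""
    networks = []
    for block in NETWORK_BLOCK.findall(conf_text):
        fields = dict(KEY_VALUE.findall(block))
        psk = fields.get("psk")
        if psk is None:
            kind = None
        elif len(psk) >= 2 and psk[0] == psk[-1] == '"':
            psk, kind = psk[1:-1], "passphrase"
        elif HEX64.fullmatch(psk):
            psk, kind = psk.lower(), "raw-psk"
        else:
            kind = "unknown"
        networks.append({
            "ssid": _unquote(fields.get("ssid", "")),
            "key_mgmt": fields.get("key_mgmt", ""),
            "psk": psk,
            "psk_kind": kind,
        })
    return networks


def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    A raw 64-hex psk in the config *is* this value, so it joins the network
    without the passphrase ever being recovered."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        print(f"{net['ssid']:<12} {net['key_mgmt']:<8} {net['psk_kind'] or '-':<11} {net['psk'] or ''}")
```

Nothing here is clever: the keys sit in a text file guarded only by filesystem permissions, which is exactly why a rooted phone (or one with an unlocked bootloader and a custom recovery) hands them over. The raw-PSK case is worth stressing to an audience, since "we only store a hash of the passphrase" is no defence when that hash is the key the network accepts.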
A tech support article has been published on Motorola's support portal regarding the ShellShock vulnerability. In brief:
- APxxxx, RFSxxxx, WSxxxx, CBxxxx (existing and legacy): NOT vulnerable, as they do not ship bash at all.
- NXxxxx and VXxxxx: KIND OF. They carry an unpatched bash, but it is not reachable through any API or UI unless you already have a shell on the box (which defeats the purpose of this vulnerability). Still, "never say never": a patch will be released in due course just to be sure, but there is no rush.
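The two facts the note hinges on (is there a bash at all, and does it import trailing code from environment variables) can be checked directly. The following is an added check of mine, not something from the Motorola article; it wraps the classic CVE-2014-6271 test string and is meant to be run against the bash a device actually ships, from an SSH or adb shell, rather than against your workstation:

```python
"""Probe a bash binary for the ShellShock function-import bug (CVE-2014-6271).

Added check, not part of the Motorola note. It runs bash with an
environment variable whose value is a function definition followed by
trailing code; a vulnerable bash executes that code while importing the
function, a patched one ignores it. The probe only echoes a marker, so it
is safe to run anywhere a bash exists.
"""
import os
import shutil
import subprocess

MARKER = "SHELLSHOCK_PROBE_RAN"


def find_bash(bash_path=None):
    """Locate the bash to test; None means the host has no bash at all,
    which (as the note says for the AP/RFS/WS/CB lines) ends the question."""
    bash = bash_path or shutil.which("bash")
    if bash is None or not os.path.isfile(bash):
        return None
    return bash


def shellshock_probe(bash_path=None):
    """Return True if trailing code in an imported function definition is
    executed (vulnerable), False if it is not, None if no bash is available."""
    bash = find_bash(bash_path)
    if bash is None:
        return None
    env = {
        "PATH": "/usr/local/bin:/usr/bin:/bin",
        # The classic test string: a vulnerable bash runs the part after ';'
        # while importing the function definition from the environment.
        "x": "() { :;}; echo " + MARKER,
    }
    proc = subprocess.run(
        [bash, "-c", "echo probe-done"],
        env=env, capture_output=True, text=True, timeout=10,
    )
    return MARKER in proc.stdout


def bash_version(bash_path=None):
    """First line of `bash --version`, for the report; '' if no bash."""
    bash = find_bash(bash_path)
    if bash is None:
        return ""
    out = subprocess.run([bash, "--version"], capture_output=True, text=True, timeout=10).stdout
    return out.splitlines()[0] if out else ""


def report(bash_path=None):
    """Everything a finding needs: which binary, which version, and whether
    the function-import bug is present."""
    bash = find_bash(bash_path)
    return {
        "bash": bash,
        "version": bash_version(bash),
        "vulnerable": shellshock_probe(bash),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k:<11} {v}")
```

A True result only establishes that bash is buggy; whether that matters is the second half of the note, namely whether anything on the device (a CGI handler, a DHCP client hook, an SSH forced command) lets an unauthenticated party set environment variables that bash later imports. On a box where the only path to bash is an interactive shell you already own, the bug adds nothing to the attacker's position, which is the reasoning behind the "kind of" above.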