With faster machines and even faster hard drives (SSD) holding large rainbow tables the average cracking time on a dual processor machine came down to just 15 minutes (according to OBJECTIF SÉCURITÉ).
Also a good german article: http://www.n-tv.de/technik/Passwoerter-werden-unsicherer-article10092261.html
A good english article: http://www.deloitte.com/view/en_GX/global/industries/technology-media-telecommunications/tmt-predictions-2013/tmt-predictions-2013-technology/9eb6f4efcbccb310VgnVCM1000003256f70aRCRD.htm
Having that in mind it is time to consider different logon mechanism with extreme large passwords or two factor authentication.
The Aloaha Smartlogin is one Credential Tile (or Gina on XP) hosting a large number of new authentication methods:
1. Traditional Smartcard Certificate Login via Kerberos (Active Directory required)
Any smartcard holding a certificate issued by the domain CA can be used as a two factor authentication token without even having to have or know a password. Obviously this works also via RDP
2. Smartcard Login via Credentials encrypted with the certificate of the Smartcard.
Basically Username, optional Domain and Password are encrypted with the certificate. This encrypted token is used to authenticate the user. Passwords can be chosen extremely long. The user just needs to remember the PIN of the Smartcard. Aloaha will then use the smartcard to decrypt the extreme long password to pass it to the machine for authentication.
This mode supports Active Directory but does NOT require it. It also works via RDP.
Since there are no requirements on the certificate this mode is suggested for e-Health Cards, ATM Cards, Company Cards, etc.
3. Credentials saved on a PKCS11 Token.
Even here the user can choose an extreme long password. He does not need to remember it since it is stored inside the PKCS11 token. The user only needs to type in the PIN of the token to enable Aloaha to read the extreme long password to pass it for authentication.
This mode supports Active Directory but does NOT require it.
4. Credentials saved on a plain memory card
In this mode it is possible to use very cheap i2c memory cards. Certificates or Active directory are not required since no RSA encryption is involved.
Passwords are NOT saved on the memory card but only a hash. This hash will be compared to the inputted passwords hash and only if they match a logon is granted. So even if someone manages to crack a password he would still need the matching card to get access to the machine.
5. Credentials saved on a plain USB Memory Stick or mobile phone.
This methods works similar to the PKCS11 mechanism BUT cannot be considered as secure as the methods 1-3. It will work ONLY at the console since RDP sessions are NOT supported. This mode is freeware and does not require any license.
6. Custom Plugins
The Aloaha Smartlogin supports custom plugins so that customer are able to create their own authentication mechanism.
The evaluation version can be download from http://www.aloaha.com/download/smartlogin.zip
Your evaluation key is: 8CAAEF6D4-C9D980551-03136DBC5-438EADB32-AC1567A23-2E1E2256E (two weeks from today)
More information can be found on http://www.aloaha.com/smartcard-software-en/aloaha-credential-provider.php and of course in our blog on http://blog.aloaha.com/category/aloaha-smartcard-software-en/aloaha-smart-login/
SecureSIM: Aloaha secureSIM