April 23, 2009, 11:08 AM — As full-disk encryption becomes increasingly used to protect data, new software tools that can recover lost passwords or change forgotten ones are being released.
Full-disk encryption will protect data, but it also means that the data could be unrecoverable if people forget their passwords. Russian security company ElcomSoft specializes in software that can crack unknown passwords for a variety of software programs.
The company's latest upgrade to its ElcomSoft Distributed Password Recovery (EDPR) product increases the speed at which passwords can potentially be recovered from the hard disk with PGP encryption, said Olga Koksharova, Elcomsoft's marketing and sales director.
EDPR lets administrators use off-the-shelf graphics cards from Nvidia to crack passwords, taking advantage of the parallel processing capability that can figure out passwords or encryption keys much faster than desktop CPUs.
The update adds GPU acceleration, which Elcomsoft says speeds up password recovery between 10 to 200 times more than using only desktop CPUs. A single Nvidia GeForce GTX 295 using EDPR can work about 15 times faster than an Intel Q6600 Core 2 Quad 2.4 GHz chip, the company said.
Scaling up, four Nvidia GeForce GTX 295 cards can brute-force 500,000 passwords per second using EDPR, Koksharova said.
But Elcomsoft's software can't necessarily recover every password, since it depends on the password's length and complexity. For example, an eight-character password consisting of only lower-case characters is likely recoverable, but the chances of recovery are slimmer for a nine-character one that includes a special symbol.
Overall, PGP disk encryption is very secure, Koksharova said. PGP uses 256-bit AES (Advanced Encryption Standard) keys for its whole-disk product. But studies show that people are relatively lazy about passwords, often making them easy to guess or too short.
Elcomsoft's software is legal to use as long as an administrator has proper permission to use it on machines. EDPR starts at £599 (US$886) for use on 20 client machines.
As far as password management, Lenovo recently released software that allows administrators to reset user passwords remotely within a PC's BIOS, which holds hardware passwords to boot the PC and start the hard disk.
Administrators have been able to change those passwords before, but they needed physical access to the PC. That hasn't been practical for organizations that have thousands of PCs deployed worldwide. Also, there's a risk since if those passwords are forgotten, the hardware is useless.
Lenovo's Hardware Password Manager can be deployed remotely and will work with fully encrypted disks. Once installed, users set their own password, which is also stored in BIOS, to get access to the PC. The user does not know the hardware passwords, and the administrator doesn't know the user's password.
If a user forgets their main password, the computer will start but only allow the person to connect to the organization's intranet. The user will need to remember their intranet password, but presumably their memory will be better for that one.
Once authenticated on the intranet, the PC can be unlocked by the Hardware Password Manager. Eventually, a new password can be set.
Those people who forget their passwords and aren't online will have to call the help desk. The administrator can give the user an emergency password that unlocks the PC. The emergency password is then changed again so the user doesn't know it, according to a video demonstration posted by Lenovo.
Hardware Password Manager will be available early next month. Lenovo said its ThinkPad X301, X200, X200s, X200 Tablet, T500, T400, R500, R400, W700, W700ds and the ThinkCentre M58/M58p desktop will support the technology. No pricing has been listed yet.