According to a company developing password recovery software

Dec 3, 2008 17:06 GMT

Password recovery vendor ElcomSoft claims that its software can crack PDF passwords in Acrobat 9 a hundred times faster than in previous versions. Adobe agrees that the optimizations that shorten the opening time of PDF files in version 9 of Acrobat could also decrease the time required to brute-force weak passwords.

ElcomSoft is a Russia-based company that provides several password recovery software solutions. It made the above claim in order to help promote the latest version of its Advanced PDF Password Recovery product. “While Adobe advertises Acrobat 9 as the most secure PDF production tool ever with enhanced 256-bit encryption, ElcomSoft has discovered that the new PDF protection system implemented in Acrobat 9 is even faster to recover than in previous versions. In fact, a hundred times faster,” wrote the company.

Even though, according to Adobe, Acrobat 9 features a 256-bit AES encryption implementation instead of the old 128-bit AES one, “the new version of Adobe Acrobat is easier to break,” claims ElcomSoft CEO Vladimir Katalov. In response, John Landwehr writes on his blog at Adobe that this is caused by the performance improvements that “can also allow external brute-force cracking tools to attempt to guess document passwords more rapidly because fewer processor cycles are required to test each password guess.”

He also points out that this should not pose a problem for people using strong pass-phrases instead of passwords. “Adobe continues to recommend that customers using password-based encryption utilize long pass-phrases with upper case, lower case, numbers, and symbols to help mitigate dictionary attacks,” he says.

The problem with adopting pass-phrases instead of passwords is that pass-phrases are hard to memorize and easy to forget. For this reason, in real-life scenarios, performance boosts, while more than welcome and generally expected, can have adverse security side effects. This is even more of a problem as crackers are constantly improving their algorithms and techniques. For example, ElcomSoft announced a while ago that its new technology would use the processing power of GPUs in NVIDIA graphics cards to speed up password recovery.

“Need help picking a long pass-phrase? Pick a line or two from your favorite song or poem and add numbers or symbols if they aren't already there,” suggests John Landwehr, while also pointing to other methods of protecting documents, like “hardware tokens - including three-factor authentication with a smartcard, PIN and biometric.”
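To put the reported hundredfold speed-up in terms of pass-phrase length, the Python sketch below (an added example, not code from ElcomSoft or Adobe) computes how long a secret must be for a full search of its keyspace to take a given number of years, before and after the speed-up. The baseline of 10^6 guesses per second, the 100-year target and the three alphabet sizes are assumptions chosen for illustration, not measured figures for any product.

```python
import math

SECONDS_PER_YEAR = 31_557_600  # 365.25 days


def speedup_in_bits(factor):
    """Entropy (bits) a secret must gain to cancel a guessing speed-up."""
    return math.log2(factor)


def min_length(alphabet_size, guesses_per_second, target_years):
    """Smallest length whose full keyspace takes at least target_years."""
    budget = guesses_per_second * SECONDS_PER_YEAR * target_years
    length, space = 1, alphabet_size
    while space < budget:  # exact integer arithmetic, no float rounding
        length += 1
        space *= alphabet_size
    return length


# Assumed figures for illustration only (not measurements of any product).
BASELINE_RATE = 10**6            # guesses per second before the speed-up
FAST_RATE = BASELINE_RATE * 100  # "a hundred times faster"
TARGET_YEARS = 100
POLICIES = {
    "lowercase letters": 26,
    "printable ASCII": 94,
    "words from a 7776-word list": 7776,
}


def report():
    """Return (policy, length before, length after) for each policy."""
    rows = []
    for name, size in POLICIES.items():
        before = min_length(size, BASELINE_RATE, TARGET_YEARS)
        after = min_length(size, FAST_RATE, TARGET_YEARS)
        rows.append((name, before, after))
    return rows


if __name__ == "__main__":
    print(f"100x speed-up = {speedup_in_bits(100):.2f} bits of entropy")
    for name, before, after in report():
        print(f"{name}: {before} -> {after} symbols for {TARGET_YEARS} years")
```

Under these assumptions, a hundredfold faster guess rate is offset by one or two extra characters, or one extra word, so a short password loses its margin while a long pass-phrase keeps it.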