Once more, Elcomsoft is making a buzz (see the post where they claimed to have broken WPA2). Their new target is Adobe 9.
Adobe 9 uses AES-256 to protect PDF files. Unfortunately, calculating SHA-256 on Graphics Processing Units (GPUs) is faster than calculating MD5 as in previous versions of Adobe. Thus, Elcomsoft claims that it is less secure, because they can brute-force 8-character passwords with Adobe 9 at the same speed as 6-character passwords with previous versions of Adobe.
The answer from Adobe is clear and technical (see Security matters: Acrobat 9 and passwords encryption). With the new version, they have allowed passphrases of up to 127 characters!
My comments are:
- Was it useful to use AES-256? Is it not simply a stupid commercial argument? To get the full benefit of AES-256, passwords should exceed 37 characters (I used 127 bits per character to calculate it). That represents a passphrase as long as “Law #1: Attackers will always find th”. Who will
  - type such a long passphrase?
  - remember it? Especially if it is not used daily.