25-GPU cluster can brute force Windows password in record time

If I am understanding the hash concept, what is stopping anyone from creating a huge cross-reference from password to hash?

If a hash is so easy to find, what is stopping anyone from reading the hash and then cross-referencing a DBase of hashes to instantly unlock anyones computer?

GPUs have a lot higher bandwidth than CPUs. GPUs are now used in supercomputers, and NVIDIA's CUDA solution has been used for a long time in things like Photoshop/Premiere.

I'm not going to claim to be an expert, but this is my understanding: it is possible to obtain the hash for a lot of password systems. Not all, but a lot.

This hash is different for each system. password1 can be hashed to xyz on techspot, but it will be qwerty on gmail. The hashes I believe are made my applying a 'master hash key' to the ASCII password, which as before, is different for each system.

There is usually a password policy that defines how many invalid passwords can you enter before the account got locked, also you can define for how long you can lock it when that limit is reached, and to sum up you can set how often you require the password to be changed. That is why brute force has become obsolete, even more obsolete than NTLM.

Those guys need to run that beast on a WPA password dictionary.. using Elcomsoft Wireless Auditor..that would be insane speeds..lol.haha..Not the easy windows passwords.A cave man could guess that ****.

Guess that's why "You have been locked out, contact systems admin" after a certain amount of attempts setups are popular.
Or even the "After the next wrong password you will be locked out for 15 minutes." setups.

That is crap: http://imgs.xkcd.com/comics/password_strength.png

-_-...

That is only assuming a dictionary-based attack is not used.

What if it guesses on random remembering what it guess before. And not going in order. It would be even faster.

...or just spend less than 10 min asking the appropriate party for the password. This has pretty much zero real life scenario relevance; what a waste of GPU horsepower.

Better than that ... if the site knows anything about security, then the hash is calculated for the password and a random "salt" together. The salt is generated just for that user when the password is first created. The salt and the hash are both stored. So the attacker has to find a password that when hashed with that salt makes that hash. No dictionary is going to hold all passwords with all possible salt values.

And then that key becomes extremely valuable=worth killing for ;-)

Lame. this is pretty much useless. for the most part this cant be used online. anyone with real pw worth cracking like bitlocker or truecrypt pw is going to use a 20+ character pw. all they did is create the world most expensive windows pw cracker. they could have saved all the money and downloaded microsofts msdart.

At that length a dictionary attack would take longer than the eight length password with stupid characters...

If you broke in the system to steal the hash, you'd steal the salt too.

That obviously depends on the size of the wordlist. There are 16604 unique words/numbers in the Bible so that's huge, but since those are words, they make up passwords quicker than chracters. You can sort words by frequency:

the 63924
and 51696
of 34734
to 13561
that 12913
in 12667
he 10420
shall 9838
unto 8997
for 8971

Why can't they just write it on a post-it and stick it to the monitor like most people?

yah, since I was banned yesterday for trying to promote my crowdfunding campaign for a solution to this problem, I guess you'd only know if you PM me.

But none of those words would be used...

Are you sure? It was talking about passphrases/sentences, and many pages ago where people referred to an xkcd comic strip. correct and horse are both in the bible, interstingly, no battery nor staple were in the bible since it's before its time.

Either way, frequency is some times take into consideration for dictionary attacks.

None of those words would be used as you did not list any of those words in your frequency table.

Four words using only the words in the bible equates to 76,006,528,794,009,856 possible combinations. While an eight character password with numbers, upper and lower case letters, and let's say a choice of thirty special characters (the amount on a US keyboard) comes up with 6,095,689,385,410,816 possible combinations. That is a figure that is twelve times easier to crack if you use a password that is bloody hard to remember. Not to mention the former example sky-rockets when you add a possibility for the first letter of one or all of the words to be upper-case (1,216,104,460,704,157,696 -- 200 times harder to crack), as well as taking into account modern words (the figure sits at about 64,000 'common words' which bring it to 16,777,216,000,000,000,000 -- 2,752 times larger -- and 268,435,456,000,000,000,000 -- 44,037 times larger -- for the possibility of an upper-case character starting one of the words).

Soooo: at the end of that I think those 'experts' can stick it up their nose with the rubber hose...