25-GPU cluster can brute force Windows password in record time

Yes, we do the "maths" in the UK.
You know, sometimes I spell color, "colour", favor, "favour", as a tribute to our common heritage. This, in spite of the fact it drives Firefox's spell checker absolutely bonkers. But "maths"? I'm sorry, that's where I draw the queue......;)
 
You know, sometimes I spell color, "colour", favor, "favour", as a tribute to our common heritage. This, in spite of the fact it drives Firefox's spell checker absolutely bonkers. But "maths"? I'm sorry, that's where I draw the queue......;)

It's the abbreviation of mathematics, so to me math (even though I can understand its use) sounds wrong.

How about centre?
 
So if we 'do the math' or maths for those in England, the possible number of combinations is 26 lowercase and 26 upper case and ten numbers and 31 symbols = 83
To the power of 8 (as this is the password length) = 2252292232139041 combinations
At 350 000 000 000 calcs per sec = 6435.12 secs to complete
In hours = (/3600) = 1.78 hours

Article states 5.5hrs. Something in error of my maths?
As Brian Cox says 'It's always important to show your workings'...


At least having reread my own post after some amusing and whitty (yes with an 'h', like yoghurt) banta, I can see my own mistake in the maths, but it still only adds up to 4.4hrs of GPU time... (83^8 should be 93^8)
 
It's the abbreviation of mathematics, so to me math (even though I can understand its use) sounds wrong.
How so? Using "math" as the abbreviation makes more sense, especially to a lazy American. You just cut the end of the word off completely, instead of picking and choosing. Down comes the knife, and off comes the foreskin....it's as simple as Bris....:eek:

Oh hell, why not just take out the vowels the way the children do, "Mthmtcs" ;)

How about centre?
I'll give it a shot, but I know Firefox isn't going to like it.

(Yeah, FF gave you the big red wavy line on that one:D ).
 
All the more reason passwords need to go away and everything needs to use one centralized authentication system that's linked to some biometrics or a physical off line key carried by the user.

Which is then lost due to either being in a crash and losing said limb or just forgetting the item needing to be carried.

Passwords need to be secure, it's true, but you also have to get into the mind of the simple user. Those simple users will ALWAYS end up writing the password down somewhere.
 
Why bother cracking Windows passwords? Just ask the NSA for access and info. They apparently are pretty willing to grant access to all kinds of info.
 
All the more reason passwords need to go away and everything needs to use one centralized authentication system that's linked to some biometrics or a physical off line key carried by the user.
This is a brute force attack - it could get through biometrics (which after all are simply converted to a long line of numbers), though it would take a very long time as each additional character increases the cracking time exponentially.
 
Now add in phonetic spelling of other languages (e.g., pinyin for Chinese)...

I guess I'm going to look for a site that lets me see if a word I want to use exists in the bible.
 
The point of this brute-force is to produce a password with a matching hash as the original password. The hash is easily obtained, it's the password that produces that exact hash which is hard to find.
So what are you saying? A password can be found once a hash is known, without attacking the system? Seems kind of stup-id to allow a way of breaking a system without confronting the system.

If this is true, then the failure of using a password is not the password itself but easy access to the hash.
Well actually this is a relatively common scenario. If reversing arbitrary hashes was easy, authenticity checks of messages (which is used in cryptography) would be easily compromised. A malicious attacker could, without breaking your encryption, add random garbage to messages and the receiver would think the message was still authentic and untampered.

Also, websites that store passwords usually store salted and hashed passwords, not the raw passwords. If the website database is compromised, the attacker has of course access to the hashed passwords for every user. If you could crack the hashes there, you gain a database of passwords and email addresses at a minimum which you could then try on other websites as people often re-use passwords.

So the strength of the hash is extremely important for offline attacks!
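
An added example, not part of the original posts: salted password storage as described in the reply above, plus the exhaustive-search arithmetic from earlier in the thread (93^8 candidates at the quoted 350 billion guesses per second). The PBKDF2 work factor and the `cost_factor` scaling are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

GUESSES_PER_SEC = 350_000_000_000  # cluster rate quoted in the thread
ITERATIONS = 600_000               # assumed PBKDF2 work factor, not from the thread


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the (salt, iterations, digest) record a site would store."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def exhaust_hours(charset, length, rate=GUESSES_PER_SEC, cost_factor=1):
    """Hours to try every password of exactly `length` characters.

    cost_factor is a simplifying assumption: one guess against the slow
    hash costs that many times one guess against the fast hash.
    """
    return charset ** length * cost_factor / rate / 3600


if __name__ == "__main__":
    alice = hash_password("correct horse")  # constructed sample passwords
    bob = hash_password("correct horse")
    print("same password, same stored digest?", alice[2] == bob[2])
    print("verify ok:", verify_password("correct horse", alice))
    print("fast hash, 93^8: %.1f h" % exhaust_hours(93, 8))
    print("with work factor: %.0f h" % exhaust_hours(93, 8, cost_factor=ITERATIONS))
```

Because each record has its own salt, two users with the same password store different digests, so every stolen record has to be attacked separately.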
 
I know this is an old topic, but I gotta point something out.

It says in the article that it is only feasible to work offline because websites limit password attempts. That means local access to the system.

Now, if this article is talking about login access (can't tell, it's very poor on details), then it's a waste, as Hiren's Boot CD has a program that will break any Windows password in less than five minutes.

I'm guessing this was an attempt to drum up business for Mr. Gosney.
 
Now, if this article is talking about login access (can't tell, it's very poor on details), then it's a waste, as Hiren's Boot CD has a program that will break any Windows password in less than five minutes.

I'm guessing this was an attempt to drum up business for Mr. Gosney.
Depends on what version of a Windows password hashing algorithm you are talking about. There are legacy protocols that are trivial to break as you imply but you can force Windows to use more modern hashes which cannot be broken in 5 minutes.
 