Sign up for a new account or log in here:
Jeremi Gosney, the founder and CEO of Stricture Consulting Group, recently showcased a GPU-based computer cluster capable of brute forcing its way through any standard eight-character Windows password (including upper- and lower-case letter, digits and symbols) in less than six hours.
The machine, powered by 25 AMD Radeon graphics cards, runs the Virtual OpenCL cluster platform. This allows all of the machines / GPUs to act as a single computer. With this configuration, Gosney was able to use a password-cracking suite called ocl-Hashcat Plus that is designed specifically for GPU computing.
The cluster uses the NTLM cryptographic algorithm included in all versions of Windows since Server 2003 and is able to generate and test 350 billion password guesses per second. Once the math is factored in, that equates to every different password combination in only five and a half hours. Gosney said they can now attack hashes about four times faster than they previously could.
VCL virtualization is essentially what makes a system like this possible. GPU computing isn’t exactly new but hardware and software limitations have thus far prevented most people from running more than eight graphics cards on a single computer.
"Before VCL people were trying lots of different things to varying degrees of success," Gosney told Ars Technica. "VCL put an end to all of this, because now we have a generic solution that works right out of the box, and handles all of that complexity for you automatically. It's also really easy to manage because all of your compute nodes only have to have VCL installed, nothing else. You only have your software installed on the cluster controller."
It’s worth pointing out that this method typically only applies to offline attacks due to the fact that most websites limit the number of incorrect password guesses before either locking the account down or enforcing a waiting period.
Either way, experts suggest using a password that is at least nine characters long and doesn’t contain names, words or common phrases.
Related Products from Product Finder
AMD ATI Radeon HD 6990 4GB GDDR5 PCIe
The AMD ATI Radeon HD 6990 is a massive graphics card measuring in at 12 inches long (30cm) and weighing a little over 1kg. The heatsinks are separated by a blower fan which is positioned in-between them rather than at the end of the card. The Radeon HD 6990 has an impressively low 37-watt idle consumption. The GDDR5 memory works at 5000MHz (1.25GHz x 4) on this particular model and features a 4GB capacity.
Sapphire Radeon HD 6990 4GB GDDR5 PCIe
Read expert reviews, pros & cons, and product information about Sapphire Radeon HD 6990 4GB GDDR5 PCIe. There are 16 reviews available so far.
HIS Radeon HD 6990 Fan 4GB GDDR5 PCIe H699F4G4M
Read expert reviews, pros & cons, and product information about HIS Radeon HD 6990 Fan 4GB GDDR5 PCIe H699F4G4M. There are 7 reviews available so far.
User Comments: 48
Got something to say? Post a comment-
Fokissed said:
That is crap: http://imgs.xkcd.com/comics/password_strength.png-_-...
That is only assuming a dictionary-based attack is not used.
-
What if it guesses on random remembering what it guess before. And not going in order. It would be even faster.
-
1 person liked this |
...or just spend less than 10 min asking the appropriate party for the password. This has pretty much zero real life scenario relevance; what a waste of GPU horsepower.
-
1 person liked this |This hash is different for each system. password1 can be hashed to xyz on techspot, but it will be qwerty on gmail. The hashes I believe are made my applying a 'master hash key' to the ASCII password, which as before, is different for each system.
Better than that ... if the site knows anything about security, then the hash is calculated for the password and a random "salt" together. The salt is generated just for that user when the password is first created. The salt and the hash are both stored. So the attacker has to find a password that when hashed with that salt makes that hash. No dictionary is going to hold all passwords with all possible salt values.
-
And then that key becomes extremely valuable=worth killing for ;-)
-
Lame. this is pretty much useless. for the most part this cant be used online. anyone with real pw worth cracking like bitlocker or truecrypt pw is going to use a 20+ character pw. all they did is create the world most expensive windows pw cracker. they could have saved all the money and downloaded microsofts msdart.
-
That is crap: http://imgs.xkcd.com/comics/password_strength.png
-_-...
That is only assuming a dictionary-based attack is not used.
At that length a dictionary attack would take longer than the eight length password with stupid characters...
-
Better than that ... if the site knows anything about security, then the hash is calculated for the password and a random "salt" together. The salt is generated just for that user when the password is first created. The salt and the hash are both stored. So the attacker has to find a password that when hashed with that salt makes that hash. No dictionary is going to hold all passwords with all possible salt values.
If you broke in the system to steal the hash, you'd steal the salt too.
-
At that length a dictionary attack would take longer than the eight length password with stupid characters...
That obviously depends on the size of the wordlist. There are 16604 unique words/numbers in the Bible so that's huge, but since those are words, they make up passwords quicker than chracters. You can sort words by frequency:
the 63924
and 51696
of 34734
to 13561
that 12913
in 12667
he 10420
shall 9838
unto 8997
for 8971
-
1 person liked this |
Why can't they just write it on a post-it and stick it to the monitor like most people?
-
Why can't they just write it on a post-it and stick it to the monitor like most people?
yah, since I was banned yesterday for trying to promote my crowdfunding campaign for a solution to this problem, I guess you'd only know if you PM me. :-p
-
That obviously depends on the size of the wordlist. There are 16604 unique words/numbers in the Bible so that's huge, but since those are words, they make up passwords quicker than chracters. You can sort words by frequency:
the 63924
and 51696
of 34734
to 13561
that 12913
in 12667
he 10420
shall 9838
unto 8997
for 8971
But none of those words would be used...
-
But none of those words would be used...
Are you sure? It was talking about passphrases/sentences, and many pages ago where people referred to an xkcd comic strip. correct and horse are both in the bible, interstingly, no battery nor staple were in the bible since it's before its time.
Either way, frequency is some times take into consideration for dictionary attacks.
-
Are you sure? It was talking about passphrases/sentences, and many pages ago where people referred to an xkcd comic strip. correct and horse are both in the bible, interstingly, no battery nor staple were in the bible since it's before its time.
Either way, frequency is some times take into consideration for dictionary attacks.
None of those words would be used as you did not list any of those words in your frequency table.
Four words using only the words in the bible equates to 76,006,528,794,009,856 possible combinations. While an eight character password with numbers, upper and lower case letters, and let's say a choice of thirty special characters (the amount on a US keyboard) comes up with 6,095,689,385,410,816 possible combinations. That is a figure that is twelve times easier to crack if you use a password that is bloody hard to remember. Not to mention the former example sky-rockets when you add a possibility for the first letter of one or all of the words to be upper-case (1,216,104,460,704,157,696 -- 200 times harder to crack), as well as taking into account modern words (the figure sits at about 64,000 'common words' which bring it to 16,777,216,000,000,000,000 -- 2,752 times larger -- and 268,435,456,000,000,000,000 -- 44,037 times larger -- for the possibility of an upper-case character starting one of the words).
Soooo: at the end of that I think those 'experts' can stick it up their nose with the rubber hose...
-
None of those words would be used as you did not list any of those words in your frequency table.
Four words using only the words in the bible equates to 76,006,528,794,009,856 possible combinations. While an eight character password with numbers, upper and lower case letters, and let's say a choice of thirty special characters (the amount on a US keyboard) comes up with 6,095,689,385,410,816 possible combinations. That is a figure that is twelve times easier to crack if you use a password that is bloody hard to remember. Not to mention the former example sky-rockets when you add a possibility for the first letter of one or all of the words to be upper-case (1,216,104,460,704,157,696 -- 200 times harder to crack), as well as taking into account modern words which will widen the possible combinations exponentially -- literally!
Soooo: at the end of that I think those 'experts' can stick it up their nose with the rubber hose...
Some "experts" told me my campaign doesn't solve the biggest problem...etc... and I said, Rome wasn't built in a day. Anything is better than the current situation...
-
Some "experts" told me my campaign doesn't solve the biggest problem...etc... and I said, Rome wasn't built in a day. Anything is better than the current situation...
As I understand it a team in Cambridge, UK are working on a system that will be able to build Rome in a day, while using less energy than an ordinary quasar.
-
As I understand it a team in Cambridge, UK are working on a system that will be able to build Rome in a day, while using less energy than an ordinary quasar.
haha... you won't believe it was the same team who told me that... on the other hand, some security architect who works in the real world pledged for my campaign.
-
crazyboots said:
I think just 4 7990 should able to do about the same thing lol I await the 8990's before I upgrade from my 7970 1ghz
-
*adds a letter to his password*
*trollface engage*
-
It' s a comic ...
-
Felipe Queirolo said:
-_-...
But can it run Crysis?
(I know, I know...)
I believe there are FirePro cards
-
and I have no idea why microsoft is now limiting password characters to a maximum of 16.Probably because boredom & fatigue set in after you've typed something as complex as, "1, 2, 3, 4, 5, 6", and nobody would be able to log on without taking a 10 minute coffee break.I have no idea why gpu is used to crack passwords rather than the cpu.All just joking aside, likely because the bit width access and memory bandwidth of a modern single GPU far exceed that of the typical CPU. (at present 64 bits, versus single GPUs @256 bits). I'm thinking you could convince a GPU cluster to, "wild guess much faster".I believe there are FirePro cardsAre you saying a "Fire Pro" video card won't play "Crysis"? 'Cause that would really burn my buns. Have you seen the prices they charge for those things?
To the upside, if the Fire Pro cards won't play Crysis, then not to many will fall into the wrong, unscrupulous hands.
-
AES is a symmetrical encryprtion algorithm ... not a hash algorithm. SHA-256, 384, 512, etc. are hash algorithms. Once the AES encryption key is guessed, any password protected by the key is shot. SHA-512 has the advantage that each password has to be cracked individually (especially if it is salted.)
Most Popular
| Trending | Featured |
-
Xbox One: Entertainment hub first, gaming console second - but can it disrupt TV?
-
Metro: Last Light Tested, Benchmarked
-
Microsoft officially announces Xbox One: here's what we know so far
-
'Supercapacitor' could fully charge your phone in less than 30 seconds
-
Sony releases PS4 teaser video on eve of Xbox 720 reveal
Subscribe to TechSpot
Get free exclusive content, learn about new features and breaking tech news.