25-GPU cluster can brute force Windows password in record time

Shawn Knight

Shawn Knight

Posts: 15,285   +192
Staff member

Jeremi Gosney, the founder and CEO of Stricture Consulting Group, recently showcased a GPU-based computer cluster capable of brute forcing its way through any standard eight-character Windows password (including upper- and lower-case letter, digits and symbols) in less than six hours.

The machine, powered by 25 AMD Radeon graphics cards, runs the Virtual OpenCL cluster platform. This allows all of the machines / GPUs to act as a single computer. With this configuration, Gosney was able to use a password-cracking suite called ocl-Hashcat Plus that is designed specifically for GPU computing.

The cluster uses the NTLM cryptographic algorithm included in all versions of Windows since Server 2003 and is able to generate and test 350 billion password guesses per second. Once the math is factored in, that equates to every different password combination in only five and a half hours. Gosney said they can now attack hashes about four times faster than they previously could.

VCL virtualization is essentially what makes a system like this possible. GPU computing isn’t exactly new but hardware and software limitations have thus far prevented most people from running more than eight graphics cards on a single computer.

25-gpu windows passwords gpu cluster password cracking

"Before VCL people were trying lots of different things to varying degrees of success," Gosney told Ars Technica. "VCL put an end to all of this, because now we have a generic solution that works right out of the box, and handles all of that complexity for you automatically. It's also really easy to manage because all of your compute nodes only have to have VCL installed, nothing else. You only have your software installed on the cluster controller."

It’s worth pointing out that this method typically only applies to offline attacks due to the fact that most websites limit the number of incorrect password guesses before either locking the account down or enforcing a waiting period.

Either way, experts suggest using a password that is at least nine characters long and doesn’t contain names, words or common phrases.

Permalink to story.

https://www.techspot.com/news/51044-25-gpu-cluster-can-brute-force-windows-password-in-record-time.html

 
It would be nice if the article said what difference would 9 characters over 8 make using this method - or 10 for that matter.
 
  • Like
Reactions: m4a4
"While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems.[2] It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP."

NTLM is RC4-based and, as such, is quite obsolete. See a backtrack distro cracking your WEP pass in an hour or two, easier ones, of course, but still, I'd say this algorithm's credibility is pretty much shot.

Let me see it crack an AES 256 hash based pass of 16 characters or more and then you can color me impressed :)

Still, it's scary for the masses, since we all know the complexity of the average man's password.
 
  • Like
Reactions: captainawesome
What is the last password it will try in those six hours? I will make that one mine, ZzZZZzzz?
 
All the more reason passwords needs to go away and everything needs to use one centralized authentication system thats linked to some biometrics or a physical off line key carried by the user.
 
It still converts into a digital "something" that can be cracked...
 
Where are the safeties against such attacks?

There are logins that make you wait a certain length of time before you can try again, if you fail to enter the correct password in three tries. If the system (once it has been locked down from incorrect entry) required the correct password to be entered three times in a row no quicker than 5 seconds apart, would tremendously increase the time it takes to break passwords.
 
jasphoto said:
It would be nice if the article said what difference would 9 characters over 8 make using this method - or 10 for that matter.
Click to expand...
Given that there are 94 usable characters for passwords, so each character will increase the total number of passwords 94 times. So a 9 character password will take 94 times as long to crack as an 8 character password. A 10 character password will take 8836 times as long to crack.
 
  • Like
Reactions: Darth Shiv
"All the more reason passwords needs to go away and everything needs to use one centralized authentication system thats linked to some biometrics or a physical off line key carried by the user."

Nah, I'd rather not risk having my digital biometrics cracked and put on the net. Would much rather that be a password if it should happen
 
tomkaten said:
"While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems.[2] It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP."

NTLM is RC4-based and, as such, is quite obsolete. See a backtrack distro cracking your WEP pass in an hour or two, easier ones, of course, but still, I'd say this algorithm's credibility is pretty much shot.

Let me see it crack an AES 256 hash based pass of 16 characters or more and then you can color me impressed :)

Still, it's scary for the masses, since we all know the complexity of the average man's password.
Click to expand...
AES 256 isn't any better against a brute-force attack than RC4. RC4's weakness is that it can be broken in other ways, not brute-force. Password length is the only way to increase the time it takes to brute-force a password (and the time it takes to hash each password).
 
cliffordcooley said:
Where are the safeties against such attacks?

There are logins that make you wait a certain length of time before you can try again, if you fail to enter the correct password in three tries. If the system (once it has been locked down from incorrect entry) required the correct password to be entered three times in a row no quicker than 5 seconds apart, would tremendously increase the time it takes to break passwords.
Click to expand...
The point of this brute-force is to produce a password with a matching hash as the original password. The hash is easily obtained, it's the password that produces that exact hash which is hard to find.
 
Fokissed said:
The point of this brute-force is to produce a password with a matching hash as the original password. The hash is easily obtained, it's the password that produces that exact hash which is hard to find.
Click to expand...
So what are you saing? A password can be found once a hash is known, without attacking the system? Seems kind of stup-id to allow a way of breaking a system without confronting the system.

If this is true, then the failure of using a password is not the password itself but easy access to the hash.
 
How long this device can crack the password if I add biometric fingerprint lock along the password? :D
 
I don't know, xkcd has convinced me that random words are much better than random characters for humans to remember and took longer for computers to brute force. Unless the math was wrong.
 
You can do the math yourself. Since they are brute-forcing the password, adding a single character (chosen from a pool of N different characters) can only increase the cracking time by factor N at worst, N / 2 on average. N is most likely less than 100 (lowercase letters, uppercase letters, numbers and about 20-30 special characters available on keyboard).
 
If the password is not eight characters, solution time goes way up.

Plus - these people have a way-faster internet connection than I have. If I enter a wrong password by mistake, it takes me a few seconds to enter the next one. The processor power cannot be local. Are the IT guys gonna wheel this frankenprocessor in on a cart anytime someone forgets their password, and plug it in?
 
So my password "n0p455w0rd" is no longer safe? :)

I have no idea why gpu is used to crack passwords rather than the cpu.

and I have no idea why microsoft is now limiting password characters to a maximum of 16.
 
If I am understanding the hash concept, what is stopping anyone from creating a huge cross-reference from password to hash?

If a hash is so easy to find, what is stopping anyone from reading the hash and then cross-referencing a DBase of hashes to instantly unlock anyones computer?
 
misor said:
...
I have no idea why gpu is used to crack passwords rather than the cpu.
...
Click to expand...

GPUs have a lot higher bandwidth than CPUs. GPUs are now used in supercomputers, and NVIDIA's CUDA solution has been used for a long time in things like Photoshop/Premiere.



cliffordcooley said:
If I am understanding the hash concept, what is stopping anyone from creating a huge cross-reference from password to hash?

If a hash is so easy to find, what is stopping anyone from reading the hash and then cross-referencing a DBase of hashes to instantly unlock anyones computer?
Click to expand...

I'm not going to claim to be an expert, but this is my understanding: it is possible to obtain the hash for a lot of password systems. Not all, but a lot.

This hash is different for each system. password1 can be hashed to xyz on techspot, but it will be qwerty on gmail. The hashes I believe are made my applying a 'master hash key' to the ASCII password, which as before, is different for each system.
 
  • Like
Reactions: cliffordcooley and misor
There is usually a password policy that defines how many invalid passwords can you enter before the account got locked, also you can define for how long you can lock it when that limit is reached, and to sum up you can set how often you require the password to be changed. That is why brute force has become obsolete, even more obsolete than NTLM.
 
Those guys need to run that beast on a WPA password dictionary.. using Elcomsoft Wireless Auditor..that would be insane speeds..lol.haha..Not the easy windows passwords.A cave man could guess that ****.
 
Guess that's why "You have been locked out, contact systems admin" after a certain amount of attempts setups are popular.
Or even the "After the next wrong password you will be locked out for 15 minutes." setups.
 
You must log in or register to reply here.

Similar threads

A
Windows UI for disk formatting was a temporary solution that stuck for 30 years
Replies
14
Views
289
VariableSpike
VariableSpike
midian182
Disney Plus begins crackdown against password sharing
Replies
15
Views
376
ShadowDeath
S
Jimmy2x
Helldivers 2 players liberated a mech factory in record time, causing more server capacity...
Replies
7
Views
181
erickmendes
erickmendes

Latest posts

Back