25-GPU cluster can brute force Windows password in record time

By Shawn Knight ยท 61 replies
Dec 10, 2012
Post New Reply
  1. Fokissed

    Fokissed TS Rookie

  2. What if it guesses on random remembering what it guess before. And not going in order. It would be even faster.
  3. EXCellR8

    EXCellR8 The Conservative Posts: 1,835

    ...or just spend less than 10 min asking the appropriate party for the password. This has pretty much zero real life scenario relevance; what a waste of GPU horsepower.
    platinumsteel likes this.
  4. Better than that ... if the site knows anything about security, then the hash is calculated for the password and a random "salt" together. The salt is generated just for that user when the password is first created. The salt and the hash are both stored. So the attacker has to find a password that when hashed with that salt makes that hash. No dictionary is going to hold all passwords with all possible salt values.
    cliffordcooley likes this.
  5. And then that key becomes extremely valuable=worth killing for ;-)
  6. jonjonjon

    jonjonjon TS Rookie Posts: 18

    Lame. this is pretty much useless. for the most part this cant be used online. anyone with real pw worth cracking like bitlocker or truecrypt pw is going to use a 20+ character pw. all they did is create the world most expensive windows pw cracker. they could have saved all the money and downloaded microsofts msdart.
  7. PinothyJ

    PinothyJ TS Guru Posts: 460   +22

    At that length a dictionary attack would take longer than the eight length password with stupid characters...
  8. dj_sa

    dj_sa TS Rookie

    If you broke in the system to steal the hash, you'd steal the salt too.
  9. dj_sa

    dj_sa TS Rookie

    That obviously depends on the size of the wordlist. There are 16604 unique words/numbers in the Bible so that's huge, but since those are words, they make up passwords quicker than chracters. You can sort words by frequency:

    the 63924
    and 51696
    of 34734
    to 13561
    that 12913
    in 12667
    he 10420
    shall 9838
    unto 8997
    for 8971
  10. Zoltan Head

    Zoltan Head TS Booster Posts: 247   +27

    Why can't they just write it on a post-it and stick it to the monitor like most people? ;)
    dj_sa likes this.
  11. dj_sa

    dj_sa TS Rookie

    yah, since I was banned yesterday for trying to promote my crowdfunding campaign for a solution to this problem, I guess you'd only know if you PM me. :p
  12. PinothyJ

    PinothyJ TS Guru Posts: 460   +22

    But none of those words would be used...
  13. dj_sa

    dj_sa TS Rookie

    Are you sure? It was talking about passphrases/sentences, and many pages ago where people referred to an xkcd comic strip. correct and horse are both in the bible, interstingly, no battery nor staple were in the bible since it's before its time.

    Either way, frequency is some times take into consideration for dictionary attacks.
  14. PinothyJ

    PinothyJ TS Guru Posts: 460   +22

    None of those words would be used as you did not list any of those words in your frequency table.

    Four words using only the words in the bible equates to 76,006,528,794,009,856 possible combinations. While an eight character password with numbers, upper and lower case letters, and let's say a choice of thirty special characters (the amount on a US keyboard) comes up with 6,095,689,385,410,816 possible combinations. That is a figure that is twelve times easier to crack if you use a password that is bloody hard to remember. Not to mention the former example sky-rockets when you add a possibility for the first letter of one or all of the words to be upper-case (1,216,104,460,704,157,696 -- 200 times harder to crack), as well as taking into account modern words (the figure sits at about 64,000 'common words' which bring it to 16,777,216,000,000,000,000 -- 2,752 times larger -- and 268,435,456,000,000,000,000 -- 44,037 times larger -- for the possibility of an upper-case character starting one of the words).

    Soooo: at the end of that I think those 'experts' can stick it up their nose with the rubber hose...
  15. dj_sa

    dj_sa TS Rookie

    Some "experts" told me my campaign doesn't solve the biggest problem...etc... and I said, Rome wasn't built in a day. Anything is better than the current situation...
  16. Zoltan Head

    Zoltan Head TS Booster Posts: 247   +27

    As I understand it a team in Cambridge, UK are working on a system that will be able to build Rome in a day, while using less energy than an ordinary quasar.
  17. dj_sa

    dj_sa TS Rookie

    haha... you won't believe it was the same team who told me that... on the other hand, some security architect who works in the real world pledged for my campaign.
  18. crazyboots

    crazyboots TS Rookie

    I think just 4 7990 should able to do about the same thing lol I await the 8990's before I upgrade from my 7970 1ghz
  19. *adds a letter to his password*

    *trollface engage*
  20. It' s a comic ...
  21. Felipe Queirolo

    Felipe Queirolo TS Rookie

    I believe there are FirePro cards
  22. captaincranky

    captaincranky TechSpot Addict Posts: 13,005   +2,532

    Probably because boredom & fatigue set in after you've typed something as complex as, "1, 2, 3, 4, 5, 6", and nobody would be able to log on without taking a 10 minute coffee break.

    All just joking aside, likely because the bit width access and memory bandwidth of a modern single GPU far exceed that of the typical CPU. (at present 64 bits, versus single GPUs @256 bits). I'm thinking you could convince a GPU cluster to, "wild guess much faster".

    Are you saying a "Fire Pro" video card won't play "Crysis"? 'Cause that would really burn my buns. Have you seen the prices they charge for those things?

    To the upside, if the Fire Pro cards won't play Crysis, then not too many will fall into the wrong, unscrupulous hands.
  23. AES is a symmetrical encryprtion algorithm ... not a hash algorithm. SHA-256, 384, 512, etc. are hash algorithms. Once the AES encryption key is guessed, any password protected by the key is shot. SHA-512 has the advantage that each password has to be cracked individually (especially if it is salted.)
  24. RocketSteve

    RocketSteve TS Rookie

    So if we 'do the math' or maths for those in England, the possible number of combinations is 26 lowercase and 26 upper case and ten numbers and 31 symbols = 83
    To the power of 8 (as this is the password length) = 2252292232139041 combinations
    At 350 000 000 000 calcs per sec = 6435.12 secs to complete
    In hours = (/3600) = 1.78 hours

    Article states 5.5hrs. Something in error of my maths?
    As Brian Cox says 'It's always important to show your workings'...
  25. captaincranky

    captaincranky TechSpot Addict Posts: 13,005   +2,532

    Rocket, do the British really use the term "math" in the plural in this context.? As an uppity colonist, I'd substitute the term, "calculations".

    I tell you, sometimes it's like the Americans and Brits are speaking a different language. Although, in the case of the ANZAC nations, I think they actually are....;)

    As far as you mathematical results go, I couldn't tell you. I live alone and don't use passwords. Since my HDDs are chock full of erotic art, if somebody gets into my computer, they'll probably get grossed out and leave anyway....

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...