Welcome Stranger to OCC!Login | Register

Password-Cracking Expert Unveils 25-GPU Cluster to Crack Every Common Windows Password in Under Six Hours

Category: General News
Posted: December 10, 2012 08:00PM
Author: bp9801

GPU computing has improved a lot in recent years, but a new server cluster uses GPU computing for something a little different than Folding@Home. A password-cracking expert has shown off a 25-GPU cluster that can run through 350 billion guesses per second (take a moment to let that sink in). Jeremi Gosney, founder and CEO of Stricture Consulting Group, unveiled the monster setup last week during the Passwords^12 Conference in Oslo, Norway, and it uses a fairly new virtualization software to fully tap the 25 AMD Radeon video cards (no word on which). The 350 billion guesses happen when cracking the NTLM cryptographic algorithm found in every Windows OS since Server 2003. Basically, it can try 958 in five and a half hours to "brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols."

The GPU cluster uses the Virtual OpenCL cluster platform to let each card function as if on a single desktop, plus ocl-Hashcat Plus runs on top to allow the running of 44 other algorithms. Dictionary attacks can also be run, as can other ways, so the machine doesn't have to rely solely on brute force to crack a password. As Gosney puts it, they can "attack hashes approximately four times faster" than before. These speeds only apply to offline attacks against a database of lifted passwords stored with a one-way cryptographic hash, but can't be used in online attacks as websites restrict the number of guesses.

This cluster does have limitations against different algorithms, however. "Fast" algorithms, like SHA1, SHA2, SHA3, and MD5, can be cracked fairly quickly, while ones like Bcrypt, PBKDF2, and SHA512crypt are much harder. A mere 71,000 guesses per second can be made against Bcrypt while 364,000 guesses against SHA512crypt are possible, which are both vastly better than the "fast" algorithms.

If you're wondering how to protect yourself against hacks, it's safe to assume most websites use a "fast" algorithm. Passwords should be at least nine characters long (between 13 and 20 is a solid amount to aim for), and should never contain common names, words, or phrases. You can always make your own random password or use one of the various password management programs to randomly generate something for you.



Register as a member to subscribe comments.
venomoc on December 10, 2012 08:48PM
No word on which cards they used?
bp9801 on December 10, 2012 08:57PM
An older machine Gosney made used HD 6990s, but I didn't see anything about what's in this new one.
Guest comment
matt on December 10, 2012 08:56PM
whew, that was a close one. my wifi password i generated from grc perfect passwords should be safe for another 3.5761450179479551212824676792585e+105 years

This news has comment postings disabled because it is now archived.

© 2001-2014 Overclockers Club ® Privacy Policy

Also part of our network: TalkAndroid, Android Forum, iPhone Informer, Neoseeker, and Used Audio Classifieds

Elapsed: 0.0347619057