Password-Cracking Expert Unveils 25-GPU Cluster to Crack Every Common Windows Password in Under Six Hours

bp9801 - December 10, 2012 08:00PM in General News

GPU computing has improved a lot in recent years, but a new server cluster uses GPU computing for something a little different than Folding@Home. A password-cracking expert has shown off a 25-GPU cluster that can run through 350 billion guesses per second (take a moment to let that sink in). Jeremi Gosney, founder and CEO of Stricture Consulting Group, unveiled the monster setup last week during the Passwords^12 Conference in Oslo, Norway, and it uses fairly new virtualization software to fully tap the 25 AMD Radeon video cards (no word on which). The 350 billion guesses per second figure is for cracking the NTLM cryptographic algorithm found in every Windows OS since Server 2003. Basically, it can try all 95^8 combinations in five and a half hours to "brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols."

The GPU cluster uses the Virtual OpenCL cluster platform to let every card function as if it were in a single desktop, with ocl-Hashcat Plus running on top, which adds support for 44 other algorithms. Dictionary attacks can also be run, as can other attack modes, so the machine doesn't have to rely solely on brute force to crack a password. As Gosney puts it, they can "attack hashes approximately four times faster" than before. These speeds only apply to offline attacks against a database of lifted passwords stored with a one-way cryptographic hash; they can't be used in online attacks, since websites restrict the number of guesses.

This cluster does have limitations against different algorithms, however. "Fast" algorithms, like SHA1, SHA2, SHA3, and MD5, can be cracked fairly quickly, while ones like Bcrypt, PBKDF2, and SHA512crypt are much harder. A mere 71,000 guesses per second are possible against Bcrypt, and 364,000 against SHA512crypt, both of which hold up vastly better than the "fast" algorithms.
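To make the "fast" versus "slow" distinction concrete from the defender's side, here is an added example (not code from the article or from Gosney's setup) that puts an unsalted SHA-1 store, which costs an attacker one hash per guess, beside a PBKDF2-HMAC-SHA256 store with a per-user random salt, which costs an attacker an entire iteration loop per guess. The iteration count, salt size and the `scheme$iterations$salt$hash` storage format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for the demo; a real deployment tunes the iteration
# count to the hardware the login service actually runs on.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def fast_hash(password: str) -> str:
    """The 'fast' scheme the article warns about: one unsalted SHA-1 of the
    password. Each guess costs the attacker a single hash, and with no salt
    one pass over a leaked table tests every user at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt. Each guess now costs
    `iterations` HMAC computations, and the salt prevents one batch of guesses
    from being reused across users. Stored as 'pbkdf2_sha256$iter$salt$hash'
    (assumed format)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time, so the check leaks nothing through timing."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), dk_hex)


if __name__ == "__main__":
    stored = slow_hash("correct horse battery staple")
    print("fast :", fast_hash("correct horse battery staple"))
    print("slow :", stored)
    print("login ok?", verify_slow("correct horse battery staple", stored))
    print("wrong pw?", verify_slow("Tr0ub4dor&3", stored))
```

The iteration count is the knob: raising it multiplies the attacker's per-guess cost by the same factor it multiplies the legitimate login's cost, which is why the article's per-second figures for Bcrypt and SHA512crypt are thousands of times lower than for NTLM.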

If you're wondering how to protect yourself against hacks, it's safe to assume most websites use a "fast" algorithm. Passwords should be at least nine characters long (13 to 20 is a solid length to aim for), and should never contain common names, words, or phrases. You can always make your own random password, or use one of the various password management programs to randomly generate one for you.
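The numbers in the article (95^8 candidates, 350 billion guesses per second against NTLM, 364,000 against SHA512crypt, 71,000 against Bcrypt) combine into the worst-case time to exhaust a keyspace, which is what the length advice above rests on. The following added example, not code from the article, computes that time for any charset size, password length and guess rate; the 95-character set is the printable ASCII set the article's 95^8 figure refers to, and the rates are the ones quoted in the article.

```python
import math

# Guess rates per second quoted in the article for the 25-GPU cluster.
RATES = {
    "NTLM": 350e9,
    "SHA512crypt": 364e3,
    "Bcrypt": 71e3,
}

# Upper- and lower-case letters, digits and symbols: 95 printable ASCII characters.
PRINTABLE_ASCII = 95


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of this length at `rate` guesses/s.
    The expected time to hit one particular password is half of this."""
    return keyspace(charset_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def report(charset_size: int, lengths, rates=RATES):
    """Table of (length, algorithm, worst-case time) for each combination."""
    rows = []
    for length in lengths:
        for algo, rate in rates.items():
            rows.append((length, algo, human(seconds_to_exhaust(charset_size, length, rate))))
    return rows


def min_length_for_years(charset_size: int, rate: float, years: float) -> int:
    """Smallest length whose full keyspace outlasts `years` at `rate` guesses/s."""
    budget = years * 365.25 * 86400 * rate
    return math.ceil(math.log(budget, charset_size))


if __name__ == "__main__":
    for length, algo, when in report(PRINTABLE_ASCII, [8, 9, 13]):
        print(f"{length:2d} chars  {algo:12s} {when}")
    print("NTLM, 100 years:", min_length_for_years(PRINTABLE_ASCII, RATES["NTLM"], 100), "chars")
```

Eight printable-ASCII characters against NTLM come out at a little over five hours on this hardware, matching the article's "under six hours"; the same keyspace against Bcrypt is measured in thousands of years, and thirteen characters against NTLM in millions, which is the reasoning behind both the slow-hash advice and the 13-to-20-character recommendation.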