Encryption expert shows how to crack every common password in under six hours

Published 13 December 2012

GPU computing has improved considerably in recent years, and Jeremi Gosney, founder and CEO of Stricture Consulting Group, used a 25-GPU cluster that can run through 350 billion guesses per second to show how easy it would be to crack practically any password out there (easy, that is, if you can use a 25-GPU cluster).

Ars Technica reports that Gosney demonstrated his feat last week during the Passwords^12 Conference in Oslo, Norway (see Gosney’s presentation here).

The 350 billion guesses per second figure applies to NTLM, the password hash found in every Windows OS since Server 2003. At that rate the cluster can exhaust all 95^8 combinations in about 5.5 hours, enough to brute-force every possible eight-character password drawn from the 95 printable ASCII characters (upper- and lower-case letters, digits, and symbols).

The GPU cluster uses the Virtual OpenCL (VCL) cluster platform to let the cards function as if they were in a single desktop, with oclHashcat-plus running on top, which supports 44 other algorithms besides NTLM. Gosney noted that dictionary and other attacks can also be run, so the machine does not have to rely solely on brute force to crack a password. The setup can “attack hashes approximately four times faster” than his previous one, he said.

He noted that these speeds only apply to offline attacks against a database of leaked passwords stored as one-way cryptographic hashes; they cannot be used in online attacks, since websites restrict the number of guesses.

Ars Technica notes that the cluster’s throughput depends heavily on the hashing algorithm. “Fast” general-purpose hashes such as MD5, SHA-1, SHA-2 and SHA-3, which were designed for speed rather than for password storage, fall quickly, while purpose-built password hashes such as bcrypt, PBKDF2 and sha512crypt are much harder. The same cluster manages only about 71,000 guesses per second against bcrypt and 364,000 per second against sha512crypt, rates that are orders of magnitude lower than for the fast algorithms and correspondingly better for the defender (see this earlier discussion of the weakness of passwords).
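To make the figures above concrete, the following script estimates how long a brute-force search of a full keyspace takes at the guess rates the article reports (350 billion/s for NTLM, 364,000/s for sha512crypt, 71,000/s for bcrypt), and what minimum password length pushes that search past a chosen time budget. It is an added example and not code from the article, from Gosney, or from the oclHashcat project; the charset sizes and the one-year target are assumptions chosen here, and it generalizes the article’s single 95^8 calculation to other lengths, charsets and hash types.

```python
"""Brute-force cost estimates for the guess rates quoted in the article.

Added example; not code from the article, from Gosney, or from oclHashcat.
The guess rates are the ones the article reports for the 25-GPU cluster.
The charset sizes and the one-year target are assumptions made here.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guesses per second against each hash type, as reported in the article.
RATES = {
    "NTLM": 350e9,
    "sha512crypt": 364e3,
    "bcrypt": 71e3,
}

# Assumed character-set sizes; 95 is the full printable ASCII set.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed-case alphanumeric": 62,
    "full printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate; the average hit is half this."""
    return keyspace(charset_size, length) / rate


def hours_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    return seconds_to_exhaust(charset_size, length, rate) / 3600


def min_length_for(charset_size: int, rate: float, target_seconds: float) -> int:
    """Smallest length whose full keyspace takes at least `target_seconds`
    to exhaust at `rate` guesses per second (i.e. charset^n >= rate * target)."""
    budget = rate * target_seconds
    n = 1
    while keyspace(charset_size, n) < budget:
        n += 1
    return n


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # Reproduce the article's headline figure: 95^8 against NTLM.
    print(f"95^8 NTLM candidates exhausted in "
          f"{hours_to_exhaust(95, 8, RATES['NTLM']):.2f} h")
    print()
    # Full table: how long each (charset, length) lasts against each hash.
    header = f"{'charset':24} {'len':>3} " + " ".join(f"{h:>14}" for h in RATES)
    print(header)
    for name, size in CHARSETS.items():
        for length in (8, 9, 13, 20):
            row = [human(seconds_to_exhaust(size, length, r)) for r in RATES.values()]
            print(f"{name:24} {length:>3} " + " ".join(f"{c:>14}" for c in row))
    print()
    # Minimum length so that exhausting the keyspace takes at least one year.
    for hash_name, rate in RATES.items():
        n = min_length_for(95, rate, SECONDS_PER_YEAR)
        print(f"{hash_name:12}: need >= {n} printable-ASCII characters for a 1-year search")
```

Running it shows why the article’s advice and its hash comparison go together: against NTLM at 350 billion guesses per second, 95^8 lasts about 5.3 hours and a full-charset password needs ten characters before exhausting the keyspace takes a year, whereas against bcrypt at 71,000 guesses per second the same eight-character keyspace already takes roughly three thousand years.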

Ars Technica offers its readers this advice about password security:

For the time being, readers should assume that the vast majority of their passwords are hashed with fast algorithms. That means passwords should never be less than nine characters, and using 13 or even 20 characters offers even better security. But long passwords aren’t enough. Given the prevalence of cracking lists measured in the hundreds of millions, it’s also crucial that passwords not be names, words, or common phrases. One easy way to make sure a passcode isn’t contained in such lists is to choose a text string that’s randomly generated using Password Safe or another password management program.