Expert Shows How to Crack Every Common Password in Under Six Hours.
GPU computing has improved considerably in recent years, and Jeremi Gosney, founder and CEO of Stricture Consulting Group, used a 25-GPU cluster that can run through 350 billion guesses per second to show how easy it would be to crack practically any password out there (easy, that is, if you can use a 25-GPU cluster).
Ars Technica reports that Gosney demonstrated his feat last week during the Passwords^12 Conference in Oslo, Norway (see Gosney's presentation here).
The 350 billion guesses per second figure applies to NTLM, the password hash used by every Windows OS since Server 2003. At that rate the cluster can try all 95^8 (roughly 6.6 quadrillion) combinations in about 5.5 hours, enough to brute-force every possible eight-character password built from upper- and lower-case letters, digits, and symbols.
The GPU cluster uses the Virtual OpenCL cluster platform to make the cards behave as if they were all in a single desktop, with oclHashcat-plus running on top of it to support forty-four other algorithms.
Gosney noted that dictionary and other attacks can also be run, so the machine does not have to rely solely on brute force to crack a password. The cluster "attacks hashes approximately four times faster" than before, he said.
He noted that these speeds only apply to offline attacks against a database of stolen passwords stored as one-way cryptographic hashes; they cannot be used in online attacks, because websites restrict the number of guesses.
Ars Technica notes that the cluster's effectiveness depends heavily on the algorithm. "Fast" hashes such as MD5, SHA-1, SHA-2 and SHA-3, which were designed for speed rather than for password storage, fall quickly, while purpose-built password hashes such as bcrypt, PBKDF2 and sha512crypt are much harder. The same cluster manages only about 71,000 guesses per second against bcrypt and 364,000 against sha512crypt, roughly a million or more times slower than the NTLM rate, which is exactly what a defender wants (see this earlier discussion of the weakness of passwords).
Ars Technica offers its readers this advice about password security:
For the time being, readers should assume that the vast majority of their passwords are hashed with fast algorithms. That means passwords should never be less than nine characters, and using 13 or even 20 characters offers even better security. But long passwords aren't enough. Given the prevalence of cracking lists measured in the hundreds of millions, it's also crucial that passwords not be names, words, or common phrases. One easy way to make sure a passcode isn't contained in such lists is to choose a text string that's randomly generated using Password Safe or another password management program.
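The following is an added worked example, not code from the article, from Ars Technica, or from Gosney's talk. It reproduces the 95^8-in-5.5-hours arithmetic from the rates quoted above, shows what the same keyspace costs against the bcrypt and sha512crypt rates, measures how much slower a purpose-built password hash is than a plain SHA-256 call, and generates the kind of random password the advice recommends. Assumptions: the letters-digits-symbols set is the 95 printable ASCII characters; PBKDF2-HMAC-SHA512 from the standard library stands in for bcrypt and sha512crypt in the timing; the cracking list is a tiny constructed sample.

```python
import hashlib
import math
import secrets
import string
import time

# Guess rates the article quotes for Gosney's 25-GPU cluster (guesses per second,
# offline attack against a stolen hash database).
RATES = {
    "NTLM": 350e9,
    "bcrypt": 71e3,
    "sha512crypt": 364e3,
}

# Assumption: "upper- and lower-case letters, digits, and symbols" is the 95
# printable ASCII characters (space included), so the full 8-char keyspace is 95**8.
PRINTABLE = 95
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars, no space

# Constructed stand-in for a cracking list; real ones hold hundreds of millions of entries.
SAMPLE_WORDLIST = frozenset({"password", "123456", "qwerty", "letmein", "iloveyou"})


def keyspace(length, charset_size=PRINTABLE):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def hours_to_exhaust(length, rate, charset_size=PRINTABLE):
    """Hours needed to try every password of `length` characters at `rate` guesses/s."""
    return keyspace(length, charset_size) / rate / 3600


def years_to_exhaust(length, rate, charset_size=PRINTABLE):
    return hours_to_exhaust(length, rate, charset_size) / (24 * 365.25)


def entropy_bits(length, charset_size=PRINTABLE):
    """Entropy of a uniformly random password of `length` characters."""
    return length * math.log2(charset_size)


def slow_hash_cost_ratio(iterations=100_000, samples=2000):
    """How many single SHA-256 calls fit in the time of one PBKDF2-HMAC-SHA512 call.

    PBKDF2 stands in here for bcrypt/sha512crypt because it ships with the
    standard library; the point is the same: a password hash is built to be slow.
    """
    pw = b"correct horse battery staple"
    salt = secrets.token_bytes(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(pw).digest()
    fast = max((time.perf_counter() - t0) / samples, 1e-9)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", pw, salt, iterations)
    slow = time.perf_counter() - t0
    return slow / fast


def random_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from a CSPRNG, the defence the article recommends."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def in_cracking_list(candidate, wordlist=SAMPLE_WORDLIST):
    """True if the candidate would fall to a plain dictionary attack."""
    return candidate in wordlist


if __name__ == "__main__":
    for name, rate in RATES.items():
        for n in (8, 9, 13, 20):
            print(f"{name:12s} {n:2d} chars: {years_to_exhaust(n, rate):.3g} years "
                  f"({hours_to_exhaust(n, rate):.3g} hours), {entropy_bits(n):.1f} bits")
    print(f"one PBKDF2 call costs about {slow_hash_cost_ratio():.0f} SHA-256 calls")
    pw = random_password()
    print(f"generated {pw!r}; in cracking list: {in_cracking_list(pw)}")
```

Running it shows the 8-character NTLM case landing at just over five hours, a single extra character pushing it past three weeks, and the identical 8-character keyspace taking thousands of years against bcrypt at the quoted rate. The measured PBKDF2-to-SHA-256 ratio is machine dependent but is the same effect in miniature: the attacker's guess rate is bounded by the per-guess cost the defender chose.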