Old 06-06-2011, 07:54 AM   #1 (permalink)
Mozilla Rep
 
sygeek's Avatar
 
Join Date: Apr 2011
Location: Lucknow
Posts: 1,471
Default Cheap GPUs are rendering strong passwords useless




Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack?

Think again!

Jon Honeyball writing for PC Pro has a sobering piece on how the modern GPU can be leveraged as a powerful tool against passwords once considered safe from bruteforce attack.


Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called ‘ighashgpu’ and you have yourself a lean, mean password busting machine. How lean and mean? Very:
Quote:
The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.
It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

Surely throwing symbols in there keeps you safe, right? Wrong! Take a password consisting of seven characters, mixed-case/symbols random password like ‘F6&B is’ (note the space), that’s gotta be tough for a bruteforce attack. Right? A CPU will take some 75 days to churn through the possibilities, while a GPU is done with it in 7 hours.

What’s the solution? Well, Honeyball doesn’t know, and neither do I to be perfectly honest. What I do know is that this is a warning, and one that we need to take seriously. Unless we’re willing to move onto 15-16 characters, mixed-case/symbols random password (which will end up on Post-It Notes), passwords will soon only offer protection against honest people.

[UPDATE: Take a look at this - whitepixel 2 running with 4 x HD 5970 cards (8 x GPUs) capable of 33.1 billion MD5 password hashes/sec.]




Spoiler:


I was pointed in the direction of a blog posting talking about the use of GPU processors to launch brute-force attacks on passwords. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now perfectly do-able on your desktop computer.

In this report, the author takes a fairly standard Radeon 5770 graphics card (you’ll find it on our A-List under Value Graphics Card), and uses a free tool called ighashgpu to run the brute-force password cracking tools on the GPU. To provide a comparison point with the capabilities of a standard desktop CPU, he uses a tool called “Cain & Abel”.

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren’t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.

He then went on to add in mixed symbols to create “F6&B is” (there is a space in there). CPU will take 75 days, GPU will take 7 hours.

What does this tell us? Well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.

Yes, you can force your users to have a 15-character password consisting of random numbers and letters, and throw in punctuation as well. This is great as an idea, but we know that most users think that a password like “Barry1943Manilow” where 1943 was the year he was born, is complex and hard to remember. Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet? Or stuck to the side of the screen? Because anything much less than this is going to be open to attack over the next few years.

A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.

All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention. Nor has Microsoft, frankly, who should be having a whole raft of alternative, hardened solutions in place ready for its business customers to roll out.

What are the solutions? To be honest, I’m not sure. A combination of TPM, biometrics, passwords and maybe something else entirely new will be needed. But it’s clear that a complex password that users will actually accept for day-to-day authentication, and keep secret, might be history.
sygeek is offline   Reply With Quote
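Added example (not part of the original post or the quoted article): a keyspace estimator that checks the figures above against the two NTLM guess rates quoted in the post and works out the password length a policy would need to outlast a given attack time. The charset sizes (62 and 95), the `work_factor` parameter and all function names are assumptions of this example; the results are worst-case exhaustive-search times, so a particular password can fall sooner.

```python
import string

# Guess rates quoted in the thread for NTLM hashes (guesses per second).
CPU_RATE = 9.8e6    # Cain & Abel on a desktop CPU
GPU_RATE = 3.3e9    # ighashgpu on a Radeon HD 5770
YEAR = 365 * 86400  # seconds

ALNUM = len(string.ascii_letters + string.digits)  # 62: a-z, A-Z, 0-9
PRINTABLE = ALNUM + len(string.punctuation) + 1    # 95: plus symbols and space


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size, length, rate, work_factor=1):
    """Seconds to try every candidate of this length.

    work_factor is an assumption of this example: how many times more
    expensive one guess is than one NTLM computation (1 = the thread's case).
    """
    return keyspace(charset_size, length) * work_factor / rate


def min_length(charset_size, rate, target_seconds, work_factor=1):
    """Shortest random password whose exhaustive search exceeds the target."""
    length = 1
    while worst_case_seconds(charset_size, length, rate, work_factor) < target_seconds:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for label, size, length in (("alnum", ALNUM, 7), ("alnum", ALNUM, 9), ("printable", PRINTABLE, 7)):
        cpu = humanize(worst_case_seconds(size, length, CPU_RATE))
        gpu = humanize(worst_case_seconds(size, length, GPU_RATE))
        print(f"{label:9} len {length}: CPU {cpu:>12}  GPU {gpu:>12}")
    print("length for 100 years vs GPU:", min_length(ALNUM, GPU_RATE, 100 * YEAR))
```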

Old 06-06-2011, 08:35 AM   #2 (permalink)
Passionate
 
jayantr7's Avatar
 
Join Date: Mar 2010
Location: India
Posts: 239
Default Re: Cheap GPUs are rendering strong passwords useless

Hmm... mind boggling results

But aren't there just a few password guessing chances so that brute force cannot be done?
jayantr7 is offline   Reply With Quote
Old 06-06-2011, 10:23 AM   #3 (permalink)
What The.... !!!
 
funkysourav's Avatar
 
Join Date: Jan 2009
Posts: 825
Default Re: Cheap GPUs are rendering strong passwords useless

If someone is hard arsed enough to spend 150$ and 50 days to crack one password of mine,
I would be happy to email it to him.
BTW all my passwords are random-Uppercase/lowercase/symbols/14 chars
funkysourav is offline   Reply With Quote
Old 06-06-2011, 10:45 AM   #4 (permalink)
Alpha Geek
 
Join Date: Jan 2007
Location: In your hearts
Posts: 828
Default Re: Cheap GPUs are rendering strong passwords useless

abhijangda is offline   Reply With Quote
Old 06-06-2011, 11:51 AM   #5 (permalink)
Alpha Geek
 
baccilus's Avatar
 
Join Date: Feb 2006
Location: Chandigarh
Posts: 949
Default Re: Cheap GPUs are rendering strong passwords useless

Online services usually allow only a fixed number of attempts on password.
__________________
Appreciate me now and avoid the rush!!
i5 2500K || 8GB DDRIII 1600 MHz RAM || Zotac GTX560Ti || Samsung 2233sw || Corsair GS600
baccilus is online now   Reply With Quote
Old 06-06-2011, 12:02 PM   #6 (permalink)
Right Off the Assembly Line
 
Join Date: Oct 2008
Posts: 26
Default Re: Cheap GPUs are rendering strong passwords useless

Quote:
Originally Posted by baccilus View Post
Online services usually allow only a fixed number of attempts on password.
The reason why I took NTLM hash for cracking using a GPU is most of us are using it. Aren't 95% of us using Windows?
dvijaydev46 is offline   Reply With Quote
Old 06-06-2011, 01:53 PM   #7 (permalink)
TDF Sucks
 
Join Date: Apr 2008
Posts: 1,884
Default Re: Cheap GPUs are rendering strong passwords useless

What about SLI/Crossfire support?

I might just find it tempting for my 580 SLI lol
__________________
TDF Sucks.
Extreme Gamer is offline   Reply With Quote
Old 06-06-2011, 02:22 PM   #8 (permalink)
Right Off the Assembly Line
 
Join Date: Oct 2008
Posts: 26
Default Re: Cheap GPUs are rendering strong passwords useless

ighashgpu does support SLI/CF. But Radeons are generally faster for password cracking.
dvijaydev46 is offline   Reply With Quote
Old 06-06-2011, 02:27 PM   #9 (permalink)
Wahahaha~!
 
Faun's Avatar
 
Join Date: Dec 2006
Location: Pune/there
Posts: 7,683
Default Re: Cheap GPUs are rendering strong passwords useless

My password is 30 characters long
__________________
Blog | Flickr | Battlelog
Spoiler:
Asus Z68 V-Pro|i5 2500k|TRUE Black|Ripjaws X|U2311H|N560GTX|D7000|XONAR STX|RE272|RE0|CC51|XE200PRO Walnut| TD II V2| Ultraphile|N5800

Mono
Faun is online now   Reply With Quote
Old 06-06-2011, 03:49 PM   #10 (permalink)
Sami Hyypiä, LFC legend
 
Liverpool_fan's Avatar
 
Join Date: Jun 2007
Location: Нью-Дели
Posts: 2,138
Default Re: Cheap GPUs are rendering strong passwords useless

Quote:
Originally Posted by Faun View Post
My password is 30 characters long
I hope it is stored in plaintext then.
__________________
Experience true education in Computer Science - http://www.udacity.com | http://www.coursera.org

Spoiler:
Read before asking / messaging any moderator for any query: FAQ + answers for new members

Read all the sticky threads before asking any type of query. Most basic questions are answered in those.
Don't use forum for chatting. Visit http://webchat.freenode.net/?channels=krow, enter nick and connect.
Liverpool_fan is online now   Reply With Quote
Old 06-06-2011, 06:19 PM   #11 (permalink)
Mozilla Rep
 
sygeek's Avatar
 
Join Date: Apr 2011
Location: Lucknow
Posts: 1,471
Default Re: Cheap GPUs are rendering strong passwords useless

Usually brute forcing is the final option to crack a password. Before it these options are considered:
1. Guessing the Password
2. Phishing

This routine is usually followed for cracking a specific person's account, otherwise hacking an entire site (or its accounts database) is a whole entire case.
sygeek is offline   Reply With Quote
Old 06-06-2011, 08:27 PM   #12 (permalink)
Apprentice
 
Join Date: Mar 2004
Posts: 99
Default Re: Cheap GPUs are rendering strong passwords useless

Very interesting
__________________
Vicky Advani
---------------------------------------------------------------------------------------
I said "no" to drugs, but they just wouldn't listen.
vickyadvani is offline   Reply With Quote
Old 06-06-2011, 11:39 PM   #13 (permalink)
Your Ad here
 
nisargshah95's Avatar
 
Join Date: Feb 2010
Location: Mahesana, Gujarat, India
Posts: 326
Thumbs up Re: Cheap GPUs are rendering strong passwords useless

Great!
__________________
Quote:
“The Web is like a dominatrix. Everywhere I turn, I see little buttons ordering me to Submit.”
ASUS P5KPL AM/PS | P4 @ 3.07GHz | Ubuntu 11.04 / Win Server 2k8 / XP SP3 | 1GB DDR2 | Samsung HD080HJ 80GB
nisargshah95 is offline   Reply With Quote
Old 07-06-2011, 05:02 AM   #14 (permalink)
iDota
 
Sarath's Avatar
 
Join Date: Apr 2011
Location: Bangalore, Visakhapatnam, Abu Dhabi
Posts: 2,667
Default Re: Cheap GPUs are rendering strong passwords useless

It can't be used on websites such as FB, Gmail, Yahoo etc which allow only limited attempts.

However it's scary for all the other secured documents and applications.

Although I have seen more people falling for personal...err hacking or I don't know what it is called where a combination of personal information usually gives good results.
As someone said- There is no cure for human stupidity.

Also key tracing by logging in the key strokes of the keyboard is used for hacking.
Sarath is offline   Reply With Quote
Old 07-06-2011, 09:55 AM   #15 (permalink)
Super Moderator
 
asingh's Avatar
 
Join Date: May 2008
Location: New Delhi
Posts: 5,550
Default Re: Cheap GPUs are rendering strong passwords useless

Obviously this is done via brute-force. I could not figure out which password it hacks. How to define the file location..?
__________________
MSI P45 Platinum(BIOS v1.7B)|Q9550[E0]@3.85Ghz@1.320V[453x8.5]MCH@1.184V|ICH@1.55V|DDR_V_Ref_A_B@1.05V|NH-D14|Corsair TWIN2X4096-8500C5(5-5-5-15)@1089Mhz@2.14V
2xHD4890[Xfire]@1000/900[MEM/GPU]|Corsair 650TX|Seagate180GB+80GB+WD1TB|SONY-DVD-R|CM690|2x120mm Scythe Ultra Kaze|DELL S2409W|APC 1100VA|Scythe Kaze Server
Windows 7 Ultimate RTM - 64BIT|Catalyst 10.5 (8.14.10.0753) forced with RadeonPRO|PS3 160GB|Sony 40EX520|AC Ryan POHD Mini|APC 800VA|APC 800VA|D425KT|CM100 Elite|2TB WD|Acer D255

Test your spoiler tags before submitting
asingh is offline   Reply With Quote
Old 07-06-2011, 10:16 AM   #16 (permalink)
Mozilla Rep
 
sygeek's Avatar
 
Join Date: Apr 2011
Location: Lucknow
Posts: 1,471
Default Re: Cheap GPUs are rendering strong passwords useless

^It checks the password against a Hash-File until Brute forcing finally gets the correct combination.

Last edited by sygeek; 07-06-2011 at 10:21 AM.
sygeek is offline   Reply With Quote
Old 07-06-2011, 11:00 AM   #17 (permalink)
Right Off the Assembly Line
 
Join Date: Oct 2008
Posts: 26
Default Re: Cheap GPUs are rendering strong passwords useless

Quote:
Originally Posted by asingh View Post
Obviously this is done via brute-force. I could not figure out which password it hacks. How to define the file location..?
Well, what I did there was I exported my system password hash using Cain. Used Cain to generate an NTLM hash for a random password, put that into the exported file, imported the hashes to Cain to crack it using CPU. Used the same hash to crack with GPU using ighashgpu.
dvijaydev46 is offline   Reply With Quote
Old 07-06-2011, 10:05 PM   #18 (permalink)
Unmountable Boot Volume
 
Cyrus_the_virus's Avatar
 
Join Date: Sep 2007
Location: Kerala
Posts: 907
Default Re: Cheap GPUs are rendering strong passwords useless

Quote:
Originally Posted by Sarath View Post
It cant be used on websites such as FB, Gmail, Yahoo etc which allow only limited attempts.
Quote:
Originally Posted by baccilus View Post
Online services usually allow only a fixed number of attempts on password.
The point here is not someone directly trying it on websites.
Quote:
The point isn’t to blindly guess at passwords, the point is to take a known MD5 hash and determine what the plaintext password is that created that hash.
So, when a hacker gets access to any online database, he has access to all the MD5 hashes, e.g. (23fho23sdf2352kjfd). With this kind of power, he could figure out what password created that exact hash and hence has access to anything that password uses.

Till date hackers who have successfully hacked into databases have only been able to get to the database but things like passwords were never cracked because it was in MD5 hash algorithm. Now the hackers can figure it out faster!
__________________
Webhosting for Rs12/month!!
http://www.thinkdigit.com/forum/showthread.php?t=74717

http://www.outpowerhosting.com
Cyrus_the_virus is offline   Reply With Quote
Old 08-06-2011, 07:03 AM   #19 (permalink)
Mozilla Rep
 
sygeek's Avatar
 
Join Date: Apr 2011
Location: Lucknow
Posts: 1,471
Default Re: Cheap GPUs are rendering strong passwords useless

Nice Explanation, Cyrus_the_virus .

To everyone who thinks brute-forcing a password means multiple password attempts on a site, well, it is not. Refer to the above post!

Brute-forcing is always done against some kind of hash until the correct combination is finally retrieved.
sygeek is offline   Reply With Quote