Cheap GPUs are rendering strong passwords useless

[sygeek]

Cheap GPUs are rendering strong passwords useless

Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack?

Think again!

Jon Honeyball writing for PC Pro has a sobering piece on how the modern GPU can be leveraged as a powerful tool against passwords once considered safe from bruteforce attack.

Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called ’ighashgpu‘ and you have yourself a lean, mean password busting machine. How lean and mean? Very:

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

Surely throwing symbols in there keeps you safe, right? Wrong! Take a password consisting of seven characters, mixed-case/symbols random password like ‘F6&B is’ (note the space), that’s gotta be tough for a bruteforce attack. Right? A CPU will take some 75 days to churn through the possibilities, while a GPU is done with it in 7 hours.

What’s the solution? Well, Honeyball doesn’t know, and neither do I to be perfectly honest. What I do know is that this is a warning, and one that we need to take seriously. Unless we’re willing to move onto 15-16 characters, mixed-case/symbols random password (which will end up on Post-It Notes), passwords will soon only offer protection against honest people.

[UPDATE: Take a look at this - whitepixel 2 running with 4 x HD 5970 cards (8 x GPUs) capable of 33.1 billion MD5 password hashes/sec.]

PC Pro's Full Article
How a cheap graphics card could crack your password in under a second

Spoiler:

I was pointed in the direction of a blog posting talking about the use of GPU processors to launch brute-force attacks on passwords. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now perfectly do-able on your desktop computer.

In this report, the author takes a fairly standard Radeon 5770 graphics card (you’ll find it on our A-List under Value Graphics Card), and uses a free tool called ighashgpu to run the brute-force password cracking tools on the GPU. To provide a comparison point with the capabilities of a standard desktop CPU, he uses a tool called “Cain & Abel”.

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren’t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.

He then went on to add in mixed symbols to create “F6&B is” (there is a space in there). CPU will take 75 days, GPU will take 7 hours.

What does this tell us? well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.

Yes, you can force your users to have a 15-character password consisting of random numbers and letters, and throw in punctuation as well. This is great as an idea, but we know that most users think that a password like “Barry1943Manilow” where 1943 was the year he was born, is complex and hard to remember. Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet? Or stuck to the side of the screen? Because anything much less than this is going to be open to attack over the next few years.

A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.

All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention. Nor has Microsoft, frankly, who should be having a whole raft of alternative, hardened solutions in place ready for its business customers to roll out.

What are the solutions? To be honest, I’m not sure. A combination of TPM, biometrics, passwords and maybe something else entirely new will be needed. But it’s clear that a complex password that users will actually accept for day-to-day authentication, and keep secret, might be history.

[jayantr7]

Hmm... mind boggling results

But isn't there just a few password guessing chances so that brute force cannot be done?

[funkysourav]

if someone is hard arsed enough to spend 150$ and 50 days to crack one password of mine
i would be happy to email it to him
BTW all my passwords are random-Uppercase/lowercase/symbols/14 chars

[abhijangda]

[baccilus]

Online services usually allow only a fixed number of attempts on password.

[dvijaydev46]

Online services usually allow only a fixed number of attempts on password.

The reason why I took NTLM hash for cracking using a GPU is most of us are using it. Aren't 95% of us are using Windows?

[Extreme Gamer]

What about SLI/Crossfire support?

I might just find it tempting for my 580 SLI lol

[dvijaydev46]

ighashgpu does support SLI/CF. But Radeons are generally faster for password cracking.

[Faun]

My password is 30 characters long

[Liverpool_fan]

My password is 30 characters long

I hope it is stored in plaintext then.

[sygeek]

Usually brute forcing is the final option to crack a password. Before it these options are considered:
1. Guessing the Password
2. Phishing

This routine is usually followed for cracking a specific's person account, otherwise hacking an entire site (or it's account's database) is a whole entire case.

[vickyadvani]

very intresting

[nisargshah95]

Great!

[Sarath]

It cant be used on websites such as FB, Gmail, Yahoo etc which allow only limited attempts.

However its scary for all the other secured documents and applications.

Although I have seen more people falling for personal...err hacking or I dont know what it is called where a combination of personal information usually gives good results.
As someone said- There is no cure for human stupidity.

Also key tracing by logging in the key strokes of the keyboard is used for hacking.

[asingh]

Obviously this is done via brute-force. I could not figure out which password it hacks. How to define the file location..?

[sygeek]

^It checks the password against a Hash-File until Brute forcing finally gets the correct combination.

[dvijaydev46]

Obviously this is done via brute-force. I could not figure out which password it hacks. How to define the file location..?

Well, what I did there was I exported my system password hash using Cain. Used Cain to generate an NTLM hash for a random password, put that in to the exported file, imported the hashes to Cain to crack it using CPU. Used the same hash to crack with GPU using ighashgpu.

[Cyrus_the_virus]

It cant be used on websites such as FB, Gmail, Yahoo etc which allow only limited attempts.

Online services usually allow only a fixed number of attempts on password.

The point here is not someone directly trying it on websites.

The point isn’t to blindly guess at passwords, the point is to take a known MD5 hash and determine what the plaintext password is that created that hash.

So, when a hacker gets access to any online database, he has access to all the MD5 hash eg: (23fho23sdf2352kjfd), with this kind of power, he could figure out what password created that exact hash and hence has access to anything that password uses.

Till date hackers who have successfully hacked into databases have only been able to get to the database but things like passwords were never cracked because it was in MD5 hash algorithm. Now the hackers can figure it out faster!

[sygeek]

Nice Explanation, Cyrus_the_virus .

To everyone who thinks brute-forcing a password means multiple password attempts on a site, well, it is not. Refer the the above post!

Brute-forcing is always done against some kind of hash until the correct combination is finally retrieved.