You know all that talk about GPUs being the new CPUs? Well it's not just a lot of hot, ventilated air. Thanks in large part to the launch of development kits like nVidia's CUDA, Russian outfit Elcomsoft has just filed for a US patent which leverages GPUs to crack passwords. Their approach harnesses the massively parallel processing capabilities of modern graphics cards to make mincemeat of corporate-strength password protection. An NTLM-hashed Microsoft Vista password, for example, can now be cracked in 3 to 5 days (instead of two months) using a simple, off-the-shelf, $150 graphics card -- less complicated passwords can take just minutes. Dial the GPU up to an $800 GeForce 8800 Ultra and Elcomsoft's approach will crack passwords at a rate some 25 times faster than existing CPU-only approaches. Yippee?
[Via NewScientist, thanks Sultan]
Read [warning: PDF]
Reader Comments (Page 1 of 2)
craig @ Feb 12th 2008 10:21PM
need to password of my mobile samsung SGH-D508
InsertNameHere @ Sep 14th 2008 5:01AM
OK i just need to feed my triple 280GTX's some o dis shit an ill be able to hack the defence network in like a month!
Tom @ Sep 27th 2008 6:56PM
Well ATI/AMD are currently making a really really BIG mistake! I happen to have an HD 4870 and it's a great gaming card, but can I find any software that uses its 1.2 TFLOP GPU for cracking, physics, or any other fancy jobs that used to be CPU only? NO, none whatsoever, and it's taking off big time now with Nvidia CUDA. What the heck are ATI/AMD playing at?
loosely_coupled @ Oct 13th 2008 5:37PM
The 8800 Ultra is an overpriced, outdated card. The GTX 280 is only $450 and twice as fast, and so is the dual-GPU 9800GX2.
GeForce 8800 Ultra: 128 shaders, 1512 MHz
GeForce 9800 GX2: 256 shaders, 1500 MHz
GeForce GTX 280: 240 shaders, 1296 MHz
badenglishihave @ Oct 24th 2007 9:24AM
Holy **** that's fast.
Joseph @ Oct 24th 2007 2:36PM
I agree, looks like they will need to rename "brute force"
Unknown @ Jul 1st 2008 8:41AM
ya rename it to rape force
Tony @ Oct 24th 2007 9:25AM
Sweeet! Gotta love when MS partners tear it apart and humiliate it publicly! Long live MS talent and security!
phenom @ Oct 24th 2007 10:13AM
You know people hacked the iPhone's encryption within days of it coming out, so I don't know what you're cheering about.
fuzzy @ Oct 24th 2007 10:21AM
You know that NTLMv2 hashes use RC5, right?
fuzzy @ Oct 24th 2007 10:54AM
Err... MD5. What am I saying?
L. Cyphre @ Oct 24th 2007 9:29AM
Gonna break into the Pentagon and start the nuclear holocaust, brb.
Josh @ Oct 24th 2007 12:27PM
Could probably get away with an 8400GS for that one... saw one on sale for $30 after rebate last week.
Fraggle @ Oct 31st 2007 11:19AM
So can I justify that 2nd 8800 now? I still haven't found an excuse my gf would see as valid for the first. I don't think hacking some TEA will be too convincing. Opinion withheld till I try it later.
P.S. Folding also needs to get the generic GPU support, ATI only is disturbing.
crypt @ Oct 24th 2007 9:42AM
Hear that, ..... That's the sound of 10,000 System Administrators cringing.
Oh.crap.
Darkest Daze @ Oct 24th 2007 1:33PM
No crap, it's hard enough to keep stuff secure now, and stuff like this will just make it even worse. Plus, I don't really think this software applies to 90% of home computers since if they use a password at all, it's most likely "password".
Ben @ Oct 24th 2007 9:41AM
Alright, where do I get this software???? My 8800GTX is hungry!
Thomas T. @ Oct 24th 2007 9:51AM
Well then prepare to shell out $1,300 for the cheapo version or $13,000 for the "blow your socks off and then decrypt the polyester threads" version...
mdm-adph @ Oct 24th 2007 10:22AM
...or just wait for the open source version.
shamowfski @ Oct 24th 2007 10:48AM
Or you could acquire the software through other means. Like for free and stuff. What?
rockintom @ Oct 24th 2007 12:53PM
Heh, why not use the cheap one to crack the registry on the expensive one?
slug @ Oct 24th 2007 9:43AM
Hmmm... Quad Sli anyone? haha!
Never realised GPUs were so much more powerful than CPUs!?! Or are they more efficient?
Love to see how OS X's 'top notch security' holds out against this.
mdm-adph @ Oct 24th 2007 10:30AM
As I've heard it, it's not that GPUs are necessarily more powerful than CPUs, it's just that they just process certain types of mathematical functions faster, which makes them ideally suited for number-crunching. A GPU could never replace your CPU, at least not today.
Zorque @ Oct 24th 2007 10:33AM
The difference is in the type of processing they do. They're specialized for graphic display, meaning they do a lot of floating point operations. That makes a GPU really well-suited for doing certain types of math, whereas CPUs often came with a co-processor specifically designed to do math for them.
r3loaded @ Oct 24th 2007 11:07AM
Another difference between CPUs and GPUs is that CPUs are designed to handle many tasks in a serial fashion, whereas GPUs handle many tasks in parallel. This makes GPUs suitable for graphics calculations, Folding@Home work and password cracking.
Stephen Lang @ Oct 24th 2007 1:44PM
I guess the good ol' Intel integrated GMA950 on my MacBook will still be slow at this... ;-)
Trent @ Oct 24th 2007 3:16PM
It's not the floating point math. The newest version of the GPUs (Direct 10 capable) are capable of high precision, high speed INTEGER math. This is key because cryptology is based on integer math, not floating point, and the DX10 cards are the first cards to support integer operations. The 8800 has 128 independent pipes, whereas your CPU has about 8 pipes per core. Not only that but they do that math in a single clock, where your CPU is multistage and might take 3-4 clock cycles to run an operation.
Your GPU can't do anything complex like a general purpose CPU, but for sheer number crunching they are putting CPUs to shame. That's what happens when you need to do vertex calculations on 100 million triangles every second.
boe @ Oct 24th 2007 9:48AM
I guess it depends on what passwords it can crack besides Vista if I'm interested or not. I can just change the administrator password or users' passwords without cracking them - even if I don't know the admin password. What would be helpful to me is end users always password protect documents, zip files, rar files and then forget what the password is. It takes a long time for me to hack those - if this can hack those faster I'm excited.
wrabbit @ Oct 24th 2007 9:48AM
See I always thought the reason GPUs were considered more powerful was 'cause they were specialized. But if they can do what a CPU can do but faster then the question becomes - why the hell don't Intel and AMD take advantage of the technology being used to make GPUs - obviously it's superior, so what's holding them back?
John @ Oct 24th 2007 10:21AM
GPUs are optimized for floating point, parallel operations. You have to have an application that CAN take advantage of the GPU, and then you have to have an application WRITTEN to take advantage of the GPU. Not all applications can be written this way, and even fewer are.
mdm-adph @ Oct 24th 2007 10:32AM
AMD did take advantage of this technology... when they bought out ATI. *rimshot*
Brooks Moses @ Oct 25th 2007 12:48AM
Why not? Because GPUs don't do everything CPUs do, by a long shot. They don't handle exceptions and interrupts. They don't do "if" statements and code branches very quickly. They don't do most of the memory management that a CPU does. They don't do serial calculations as quickly as CPUs. (They're only faster because they're doing lots of copies of the same calculation with different data. If you don't need that, they're no help.) And so forth and so on.
Have a look at some pictures of the die for a CPU and a GPU. There are lots of things that take up lots of space on the CPU die that aren't on the GPU die. All of those things are important for making a usable computer, and are things the GPU doesn't do.
The technology here is really pretty simple. Choose what you want the chip to do well, and design it to do that. A GPU is made to do lots and lots of nearly identical calculations very quickly, and nothing else. A CPU is not particularly made to do that, because 99 percent of the time, nobody cares. (Except when the calculations are actually for graphics, and the CPU doesn't do those.)
Peter @ Oct 24th 2007 9:52AM
It doesn't specifically say if it's NTLM or NTLMv2. The original NTLM hash has been known to be weak for many years and you shouldn't be using it anyway.
Now, if they are brute forcing an NTLMv2 hash in 5 days we are in big trouble.
20+ character passphrases anyone?
syadasti @ Oct 24th 2007 9:59AM
It specifies Vista which uses NTLM 2 by default so it sounds like trouble.
Nushio (NDF - Blue) @ Oct 24th 2007 11:07AM
If you're smart enough to memorize a 20-digit passphrase, then why not get the hell out of Windows and migrate to Unix/Linux/Mac/BSD/JavaOS or anything better?
Trent @ Oct 24th 2007 3:20PM
Unix isn't going to save you from this. This is sheer brute force cryptology. It's going to be capable of cracking any cryptology, including military spec crypto.
Wwhat @ Oct 24th 2007 7:00PM
Not quite true, there are encryption standards that require an estimated thousand years, now you can speed that up but you'd still be looking at years of effort.
And there are encryptions that can NEVER be bruteforced because they are designed to not be mathematical but use a reference table, and if they make the right moves to prevent frequency analysis it's just not possible.
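Added example (not part of the original article or of any reader's comment): a defender's back-of-the-envelope check, using only the figures quoted in the article, of how many extra password characters cancel out the reported GPU speedup under exhaustive search. Reading "two months" as 60 days, the alphabet sizes and all function names are assumptions made for this illustration.

```python
# Figures quoted in the article.
CPU_DAYS = 60        # "two months", read here as 60 days (assumption)
GPU_DAYS = 5         # upper end of "3 to 5 days" on the $150 card
SPEEDUP_ULTRA = 25   # "some 25 times faster" on the 8800 Ultra

# Alphabet sizes are illustrative assumptions, not from the article.
ALPHABETS = {"digits": 10, "lowercase": 26,
             "alphanumeric": 62, "printable ASCII": 95}


def extra_chars_to_offset(speedup, alphabet_size):
    """Smallest k such that alphabet_size ** k >= speedup, i.e. the number
    of added characters that restores the pre-speedup search time."""
    k = 0
    while alphabet_size ** k < speedup:
        k += 1
    return k


def days_after_lengthening(base_days, alphabet_size, extra_chars):
    """Exhaustive-search time after the password grows by extra_chars,
    relative to a baseline taking base_days at the same guess rate."""
    return base_days * alphabet_size ** extra_chars


def report(speedup=SPEEDUP_ULTRA, base_days=GPU_DAYS):
    """One row per alphabet: (name, size, chars needed, resulting days)."""
    rows = []
    for name, size in ALPHABETS.items():
        k = extra_chars_to_offset(speedup, size)
        rows.append((name, size, k,
                     days_after_lengthening(base_days, size, k)))
    return rows


if __name__ == "__main__":
    print(f"speedup implied by the $150 card: {CPU_DAYS / GPU_DAYS:.0f}x")
    for name, size, k, days in report():
        print(f"{name:16} +{k} char(s): {GPU_DAYS} days -> {days} days")
```

Each added character multiplies the search space by the alphabet size, so a fixed hardware speedup is absorbed by one or two characters while a longer passphrase keeps compounding.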
slug @ Oct 24th 2007 9:55AM
Then we must feed it!!
http://www.elcomsoft.com/edpr.html
Sander de Regt @ Oct 24th 2007 9:57AM
I just hope it doesn't brute force guess my Engadget comment password. I can't imagine how incoherent my comments will seem THEN!
Sander de Regt @ Oct 24th 2007 9:58AM
BTW I bet this software will never guess my birthday anyway.
Jason @ Oct 24th 2007 10:04AM
This is nothing new, and if the patent investigator does his job, it should get denied. Now I am not saying the program itself is not interesting, I am just saying I have on many occasions during the course of my job over the last 5 years seen agent based encryption breaking applications on a number of 3 digit organizations...
phenom @ Oct 24th 2007 10:17AM
Of course it can, Vista was just an example.
fuzzy @ Oct 24th 2007 10:26AM
You could do the same, and faster (but with a lot of pre-load) by populating a rainbow table. There are a lot of people selling rainbow tables, too.
Although cracking NTLM hashes is a common first app for parallel computing architectures, this idea is really nothing new. The novelty and beauty of it all is that a single (or dual or whatever) PCIe card that is in a lot of our machines has the computational power to do very math intensive tasks. Put it to work for Folding@Home or something like that.
HineyWipe @ Oct 24th 2007 10:28AM
And what is more scary than a program that uses a GPU to crack? The US Patent office giving a patent to the Russians to do this!
CosterMonger @ Oct 24th 2007 10:31AM
Of course it is impressive but I don't think it should get the patent
reason 1. the patent system is corrupt and geared towards lame American inventions
reason 2. I'm sure it will fall into one of those national security concerns
reason 3. It has already been done with other processors, it's stupid to start having patents for software that are separate for each device. {but hey it is a stupid patent system, right?}
reason 4. what happens if AMD survives long enough to make the fusion
nxb @ Oct 24th 2007 10:59AM
This may be a stupid question, but does this render PGP useless to some degree?
Wwhat @ Oct 24th 2007 6:55PM
PGP uses pretty long keys by default and even longer when you elect to, it's not as weak as all that.
orclev @ Oct 24th 2007 2:55PM
You do know that anyone who knows anything about security hasn't been using MD5 for some time now due to it being trivial to crack with Rainbow Tables right?
Mike @ Oct 24th 2007 11:07AM
Can anyone email me a source link to hacking protected word files. My sister forgot her passwords to a few word and excel files and I have no idea how to reopen the files. What's a rainbow table? I am new to this and thanks!
getz76 @ Oct 24th 2007 11:38AM
@ Mike:
http://www.justfuckinggoogleit.com/search.pl?query=rainbow+table