GPUs democratize brute force password hacking
It seems that the availability of increasingly powerful GPUs, when combined with brute-force password cracking tools, is making it increasingly easy to crack passwords -- even if they're extremely well thought out, with symbols and quirky capitalization and all that. How short is too short? According to computer scientists at the Georgia Tech Research Institute, "a seven-character password is hopelessly inadequate, and as GPU power continues to go up every year, the threat will increase." A better alternative, he suggested, would be a 12-character combination of upper and lower case letters, symbols and digits. Of course, processors are only getting more powerful and hardware less expensive -- soon even seven-plus character passwords may become the digital equivalent of unlocked doors. And if that weren't bad enough, a recent study by an Internet security company called BitDefender has determined that some 250,000 user names, email addresses, and passwords used for social networking sites are freely available online -- and seventy-five percent of these folks use the same password for their email and social networking. So, when dreaming up fancy new twelve character passwords, make sure you're creating unique passwords for all your various accounts. It would be a shame if your Starsky & Hutch FanFicForum account left you vulnerable to identity theft.
yay!
@ZetsubouJinrui fail first post
Am I missing something or is it trivially easy to avoid being brute forced by having your login system just lock an account after 'x' attempts, or add a 30 second delay after 'x' attempts?
True, if you have this on most systems and then use the same password on a system that allows infinite attempts your security is voided by the weakest link.
Ultimately, good practice at the login/authentication point would defeat all of these brute force techniques?
Well, short of them breaching a site and having access to the DB and password hashes. Again, that's not directly a brute force password problem though.
@saitir That leaves you exposed to a nasty DoS attack, where someone who hates you can lock _you_ out indefinitely
Actually it's full of shit. The length of a password means nothing. Nada. Zero. Null.
It's all about the algorithm used.
You can crack a "fking" 30 char password that's DES encrypted in no time.
Now go crack a proper 8 char password that's SHA256 hashed. Good luck, see you in 25 years granted that technology advance and flaws are found in the algorithm, otherwise we'll count per thousand of thousands before it's broken.
Passwords that are commonly brute-forced anyway are improper passwords like "ilovetina" or w/e like "august2010marta".
This is solved by using digital keys (now your 8 char password is a 4096bit key for example), the digital key is secured by the noob password, but the key is used to authenticate, thus the attacker can only brute the key on the client's disk itself if he gets it.
but if he gets that far, it means he can already sniff keystrokes etc, thus the digital key served its purpose extremely well already.
the password is just a small additional security in that case, to avoid coworkers using your stuff, and if you used a proper password, might also resist anyone else for a few hundred years.
@saitir
No, it's engadget that's missing something. Cracking with GPUs only applies to something that can be done offline, like an encrypted HDD, NOT Facebook, Gmail, engadget etc. After the first million million attempts (which is going to take years as it is limited by network delay, not GPU speed) I'm pretty sure Facebook will realize something is up.
This is for offline stuff only, guys.
@saitir You are missing something, as is the article (what was I saying about engadget's lack of technical knowledge?). Allow me to elucidate.
On computers and most websites, passwords are stored in a database (of course). However rather than just storing them unaltered in a file, actually a one-way hash of the password is stored. E.g. the hash of "mypassword" is d84c7934a7a786d26da3d34d5f7c6c86. It is very easy to work out d84c7934a7a786d26da3d34d5f7c6c86 from "mypassword", but to work out "mypassword" from d84c7934a7a786d26da3d34d5f7c6c86 you have to basically try a ton of different passwords until you get one that matches. That is what these GPU programs do. So if you have access to that hash, you can use it to find the password.
Many years ago (around the time of windows 98 and unix), anyone who had access to a computer could read the hashes for every other user. At the time, cracking them was fairly hard, but obviously this was a bad idea, and now you have to be root/Administrator to read the hashes. This makes the ability to crack password hashes largely pointless - if you have the hash, security has already been compromised.
Now, if we look at websites, obviously they don't (or shouldn't) give out the hashes, and many store passwords in plain text anyway. The only time this would be useful is if you manage to hack into a website that stores passwords hashed, and want to find out what the passwords are so you can use them on other websites. But you can't use this password cracker to hack into the website in the first place. You have to use another method.
Furthermore, as another user noted you can always use a more complicated hash function to slow it down.
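To make the point about one-way hashes and slower hash functions concrete, here is an added example (not code from the thread or from any site it mentions) contrasting the fast, unsalted hash the comment describes with a salted, deliberately slow PBKDF2 hash; the sample password, the 16-byte salt and the 100,000 iteration count are my own choices.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption: tune so one hash costs tens of milliseconds on the server


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>', one random salt per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def unsalted_md5(password: str) -> str:
    """The fast, unsalted scheme the comment describes: equal passwords give equal hashes,
    which is exactly what makes precomputed (rainbow) tables and GPU guessing cheap."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def seconds_per_guess(hash_fn, guesses: int) -> float:
    """Average wall-clock cost of testing one candidate password under hash_fn."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}")
    return (time.perf_counter() - start) / guesses


def slowdown_factor(iterations: int = PBKDF2_ITERATIONS) -> float:
    """How many times more work per guess PBKDF2 costs a cracker than plain MD5."""
    fixed_salt = b"\x00" * 16  # fixed only for the timing loop; storage uses a random salt
    slow = seconds_per_guess(lambda p: hash_password(p, fixed_salt, iterations), guesses=5)
    fast = seconds_per_guess(unsalted_md5, guesses=5000)
    return slow / fast


if __name__ == "__main__":
    stored = hash_password("correct horse battery")  # constructed sample password
    print(verify_password("correct horse battery", stored), verify_password("wrong", stored))
    print(f"PBKDF2 costs ~{slowdown_factor():.0f}x MD5 per guess")
```

The slowdown factor is the multiplier by which a GPU's guesses-per-second figure has to be divided when the target uses the slow hash.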
@ZetsubouJinrui
I'd be interested if this sped up WPA/WPA2 brute force cracking.
Someone better tell American Express. They limit the length of your password on their site. As if that weren't moronic enough already, they limit it to eight characters.
Now, what kind of financial institution forces REDUCED security on its customers? Yep, an ignorant one like American Express.
@Timmmmmm:
recovering the password from d84c7934a7a786d26da3d34d5f7c6c86 is trivial, just Google it - there are a few results
Rainbow tables are pretty damn good too. This one, for example, contains every single password with 14 characters or fewer, including special characters:
http://www.md5decrypter.co.uk/rainbow-tables.aspx
@Information Central
Agreed. I had to truncate my password due to their lousy limited number of password characters.
@saitir All correct. Except that brute force attacks won't happen against your typical and irrelevant weblogins.
The problem here is the article. Nobody in this business is after your facebook account by means of brute force attacks, even though the article implies it.
Now let me SLI in an AMD board!!!! with USB 3.0 xD
@Cainhunpi
SLI chips are made by nVidia... which is in direct competition with AMD. Not going to happen ever.
Correction, licensed by nVidia. Still not going to happen ever.
@Cainhunpi Doesn't AMD/ATI use crossfire? Google says yes.
@engadgethead Uh... SLI has been available on AMD motherboards for years.
Get your facts straight, jesus christ.
@SarnGate People are confusing AMD motherboard to mean AMD Chipset, and not just the proc. True AMD Chipset does not allow for SLi, but an AMD proc can be put in an nVidia Chipset that supports AMD procs.
Also, AMD GPUs cannot SLi, and vice versa...
@DJ Tama Take a look at this:
http://www.benchtec.co.uk/forums/archive/index.php?t-5379.html
Guess what SLI works on AMD chipsets.
@RampantNinja That's driver hacking. They are basically fooling the OS into thinking the option can be turned on and the driver will attempt to do it via software rather than hardware like the MBs are designed to do. Interesting link though, but I wouldn't gamble my system's stability just to make SLi run on non-standard hardware.
1Password. EOM.
@tintin220 /agree
@tintin220
or LastPass
I'm supposed to remember these 800 unique 12 digit passwords?! There's not enough space on my monitor for all the sticky notes! Oooh! Good excuse for a second monitor.
@Sp4rky I know a guy who literally just changes his password to the month and the year each time he needs to change it. Bring on the fingerprint scanners, if they have my finger I couldn't care less about them having anything else.
@d0mth0ma5 LOL the company I used to work for used to require that we changed passwords every 3 months. So most users simply incremented them: Imacat1, Imacat2, Imacat3, etc. Yeah, *very* secure *rolls eyes*
@LANjackal
I think that's standard procedure pretty much everywhere (the company policy and the users' strategy)
@tikigawd Really, I just have 2 and every time they want me to change I switch to the other. They don't record my previous passwords and just know it's different than my current one.
@Sp4rky It's pretty silly, so long as you have different passwords for your important stuff it hardly matters that someone hacks your hello kitty fan forum account. Unless that's what you consider super important in life.
As long as you have a few different passwords and use the most secure ones for the important stuff you should be fine with like 3-4 passwords.
Installing a keylogger seems like a much simpler solution than 10 gpus running for 72 hours.
@engadgetcomexcludeengadget
you probably meant 72 decades
using a RAR cracking software with the help of CUDA I'm getting 6700 passwords a second and got to 7 characters in about 7+ hours with a GTX 480 (numbers, letters and symbols)
@owned66
what software do you use to crack rar passwords with your gtx480?
@boomslang06
there are 2 programs available, both free, which use your GPU
1 can use both ATI and nVidia + multiple GPUs and another one that can only use nVidia and only 1 GPU which I use because it's easier to run
(both of them must be run from CMD which took me 1 hour to figure out)
I use cRARk
if you want any more info just go to YouTube and search for my name "CRAKZIGOOD"
@owned66
What's the time difference between cracking 7 characters and 8 characters?
@geoken a day or 2 maybe more
but I'm talking about lower case letters + upper case + numbers + every symbol, that's about 72+ characters
if you're only going to use numbers that's about 7 times faster to get to 7 characters
X_X
game over for cloud-based services, I think we should all just go back to old-fashioned Model-T Fords and shotguns
Please list some websites where I can see if my password has been exposed =-(
@KannedFarU
Do you realize what you're asking for? Even if you go to such a website and don't see your exposed credentials, it's impossible for you to be sure they have not been exposed if you fear they have been.
If you're in doubt, change it...
@tikigawd In a world built by man, there can only be doubt
It's the 21st century and we still use text as our password. *sigh*
@sinkingshriek I completely agree. I tried to use my penis as a password, but the ISP said it was too short. *sigh*
@billgrovegmailcom
LMMFAO!!!
Every once in a while, you may have a day so fcuk'd up that you begin pondering how high is that bridge on the way from work. And then. Just then, does someone's candid comment bring you back from the Darkside.
Thank you my man...
@sinkingshriek
Not trying to be a dick, but hence passWORD...
Wow, this article was very hard to read. It's as though sentences were copied and pasted out of order; some even in the middle of another sentence.
"According to computer scientists at the Georgia Tech Research Institute, "a seven-character password is hopelessly inadequate, and as GPU power continues to go up every year, the threat will A better alternative, he suggested, would be a 12-character combination of upper and lower case letters, symbols and digits. Of course, processors are only getting more powerful and hardware less expensive -- soon even seven-plus character passwords may become the digital equivalent of unlocked doors."
Have a password that is 12 characters long, includes letters and symbols, a different password than 5 other ones, change it every 6 months, and don't write it down.
But make sure it's easy to remember. Seems simple enough.
@MrX8503 Actually it is easy, instead of simple words use complete sentences even with spaces. E.g. 'I love eating t0fu on Fridays!@!'
@Jonas P Damn it! Now I have to go change my password!
In reality, preventing the brute force of passwords shouldn't be handled by using password complexity and length. A simple account lockout after multiple failed attempts or forcing users to have to wait five seconds between attempts would prevent a brute force attack no matter how fast a GPU is.
@murraj2 The five seconds would annoy me less than the lockout; coming in on a Tuesday after a long weekend and blearily typing in the wrong password 3 times before remembering you were made to change it on a Friday gets old pretty fast.