http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/ Engadget Comments for http://www.engadget.com/media/feedlogo.gif http://www.engadget.com en-us Copyright 2012 Weblogs, Inc. The contents of this feed are available for non-commercial use only. Blogsmith http://www.blogsmith.com/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:13PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:29PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
True, if you have this on most systems and then use the same password on a system that allows infinite attempts your security is voided by the weakest link.

Ultimatley, good practice at the login.authentication point would defeat all of these brute force techniques?

Well, short of them breaching a site and having access to the DB and password hashes. Again, that's not directly a brute force password problem though.]]>Aug 16th 2010 4:55PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 5:00PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/It's all about the algorithm used.
You can crack a "fking" 30 char password that's DES encrypted in no time.

Now go crack a proper 8 char password that's SHA256 hashed. Good luck, see you in 25 years granted that technology advance and flaws are found in the algorithm, otherwise we'll count per thousand of thousands before it's broken.

Passwords that are commonly bruteforced anyway are unproper passwords like "ilovetina" or w/e like "august2010marta".
This is solved by using digital keys (now your 8 char password is a 4096bit key for example), the digital key is secured by the noob password, but the key is used to authenticate, thus the attacker can only brute the key on the client's disk itself if he gets it.
but if he gets that far, it means he can already snif keystrokes etc, thus the digital key served its purpose extremely well already.
the password is just a small additional security in that case, to avoid coworkers using ur stuff, and if u used a proper password, might also resist anyone else for a few hundred years.]]>Aug 16th 2010 5:13PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/No, it's engadget that's missing something. Cracking with gpus only apply to something that can be done offline, like an encrypted hdd, NOT Facebook, gmail, engadget etc. After the first million million attempts (which is going to take years as it is limited by network delay, not gpu speed) I'm pretty sure facebook will realize something is up.
This is for offline stuff only, guys.]]>Aug 16th 2010 6:09PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
On computers and most websites, passwords are stored in a database (of course). However rather than just storing them unaltered in a file, actually a one-way hash of the password is stored. E.g. the hash of "mypassword" is d84c7934a7a786d26da3d34d5f7c6c86. It is very easy to work out d84c7934a7a786d26da3d34d5f7c6c86 from "mypassword", but to work out "mypassword" from d84c7934a7a786d26da3d34d5f7c6c86 you have to basically try a ton of different passwords until you get one that matches. That is what these GPU programs do. So if you have access to that hash, you can use it to find the password.

Many years ago (around the time of windows 98 and unix), anyone who had access to a computer could read the hashes for every other user. At the time, cracking them was fairly hard, but obviously this was a bad idea, and now you have to be root/Administrator to read the hashes. This makes the ability to crack password hashes largely pointless - if you have the hash, security has already been compromised.

Now, if we look at websites, obviously they don't (or shouldn't) give out the hashes, and many store passwords in plain text anyway. The only time this would be useful is if you manage to hack into a website that stores passwords hashed, and want to find out what the passwords are so you can use them on other websites. But you can't use this password cracker to hack into the website in the first place. You have to use another method.

Furthermore, as another user noted you can always use a more complicated hash function to slow it down.]]>Aug 16th 2010 6:21PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
I'd be interested if this sped up WPA/WPA2 brute force cracking.]]>Aug 16th 2010 7:52PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
Now, what kind of financial institution forces REDUCED security on its customers? Yep, an ignorant one like American Express.]]>Aug 16th 2010 7:58PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
recovering password from d84c7934a7a786d26da3d34d5f7c6c86 is trivial just Google it - there are a few results

Rainbow tables are pretty damn good too. This one, for example, contains every single password with 14 characters or fewer, including special characters:

http://www.md5decrypter.co.uk/rainbow-tables.aspx]]>Aug 16th 2010 9:47PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
Agreed. I had to truncate my password due to their lousy limited number of password characters. ]]>Aug 16th 2010 11:28PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
The problem here is the article. Nobody in this business is after your facebook account by means of brute force attacks, even though the article implies it.]]>Aug 17th 2010 2:11AMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:15PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
SLI chips are made by nVidia... which is in direct competition with AMD. Not going to happen ever.]]>Aug 16th 2010 4:33PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:34PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 5:00PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
Get your facts straight, jesus christ.]]>Aug 16th 2010 5:16PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
Also, AMD GPUs cannot SLi, and vice versa...]]>Aug 16th 2010 5:52PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
http://www.benchtec.co.uk/forums/archive/index.php?t-5379.html

Guess what SLI works on AMD chipsets.]]>Aug 16th 2010 10:23PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 17th 2010 11:54AMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:15PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 5:06PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
or LastPass]]>Aug 16th 2010 6:14PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:15PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:24PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:29PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/I think that's standard procedure pretty much everywhere (the company policy and the users' strategy)]]>Aug 16th 2010 4:38PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:48PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/As long as you have a few different passwords and use the most secure ones for the important stuff you should be fine with like 3-4 passwords. ]]>Aug 16th 2010 6:04PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:16PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/u prolly meant 72 decades]]>Aug 16th 2010 5:18PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:17PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
what software do you use to crack rar passwords with your gtx480? ]]>Aug 16th 2010 4:51PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/there are 2 software available and both free which use ur gpu
1 can use both ati and nvidia + multiple gpus and another one that can only use nvidia and only 1 gpu which i use because its easier to run
(both of them must be run by CMD which took me 1 hour to figure it out)
i use cRARk
if u want any more info just go to youtube a search for my name "CRAKZIGOOD"]]>Aug 16th 2010 4:57PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
What's the time difference between cracking 7 characters and 8 characters?]]>Aug 16th 2010 5:41PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/but im talking about lower case letters + upper case + numbers + every symbol thats about 72+ characters
if ur only gona use numbers thats about 7 times faster to get to 7 characters ]]>Aug 16th 2010 5:58PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/game over for cloud-based services i think we should all just go back to old fashion model-T Fords shot guns]]>Aug 16th 2010 4:19PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:23PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
Do you realize what you're asking for? Even if you go to such a website and don't see your exposed credentials, it's impossible for you to be sure they have not been exposed if you fear they have been.

If you're in doubt, change it...
]]>Aug 16th 2010 6:01PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 6:07PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:23PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:32PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
LMMFAO!!!

Every once in a while, you may have a day so fcuk'd up that you begin pondering how high is that bridge on the way from work. And then. Just then, does someone's candid comment bring you back from the Darkside.

Thank you my man...]]>Aug 17th 2010 12:02AMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
Not trying to be a dick, but hence passWORD...]]>Aug 17th 2010 7:41AMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
"According to computer scientists at the Georgia Tech Research Institute, "a seven-character password is hopelessly inadequate, and as GPU power continues to go up every year, the threat will A better alternative, he suggested, would be a 12-character combination of upper and lower case letters, symbols and digits. Of course, processors are only getting more powerful and hardware less expensive -- soon even seven-plus character passwords may become the digital equivalent of unlocked doors."]]>Aug 16th 2010 4:25PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/
But make sure it's easy to remember. Seems simple enough. ]]>Aug 16th 2010 4:25PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:58PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 5:50PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:25PMhttp://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/Aug 16th 2010 4:38PM