Cheap GPUs are rendering strong passwords useless

TOPICS: Processors

Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute-force attack?

Think again!

Jon Honeyball, writing for PC Pro, has a sobering piece on how a modern GPU can be turned into a powerful tool against passwords once considered safe from brute-force attack.

Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password-busting tool 'ighashgpu' and you have yourself a lean, mean password-busting machine. The figures below are for NTLM hashes, which are unsalted and cheap to compute, exactly the kind of target that suits a GPU. How lean and mean? Very:

The results are startling. Working against NTLM login passwords, a password of "fjR8n" can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

It gets worse. Throw in a nine-character random password of mixed-case letters and digits, and while a CPU would take a mind-numbing 43 years to exhaust the keyspace, the GPU would be done in 48 days.

Surely throwing symbols in there keeps you safe, right? Wrong! Take a seven-character random password that mixes case and symbols, like 'F6&B is' (note the space); that has got to be tough for a brute-force attack, right? A CPU will take some 75 days to churn through the possibilities, while a GPU is done with it in 7 hours.

What's the solution? Honeyball doesn't know, and to be perfectly honest neither do I. What I do know is that this is a warning, and one that we need to take seriously. Unless we're willing to move to 15- or 16-character random passwords mixing case and symbols (which will end up on Post-it notes), passwords will soon only offer protection against honest people. One caveat worth keeping in mind: every figure above is for NTLM, a fast, unsalted hash; a slow, salted password hash makes the attacker pay far more per guess, and that changes the arithmetic considerably.
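The figures above fall straight out of keyspace arithmetic. The Python below is an added example, not code from the PC Pro article or from ighashgpu: it reproduces the worst-case time to exhaust each password's keyspace at the CPU and GPU rates quoted above, works out how long a password has to be to outlast the GPU for a century (the "15-16 characters" question), and runs a toy exhaustive search so the mechanics are visible. MD5 stands in for NTLM's MD4 because the Python standard library does not guarantee an MD4 implementation; the rate constants are the article's numbers and the three-character target is constructed for the demo.

```python
import hashlib
import itertools

# Guess rates quoted in the article (per second, against NTLM hashes).
CPU_RATE = 9.8e6
GPU_RATE = 3.3e9
YEAR = 365.25 * 24 * 3600

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"  # the 33 printable ASCII non-alphanumerics
ALNUM = LOWER + UPPER + DIGITS                  # 62 characters


def alphabet_size(password):
    """Alphabet a class-based brute-forcer must assume from the classes the password uses."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(c in cls for c in password))


def keyspace(password):
    """Number of candidates of this length over the assumed alphabet."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password, rate):
    """Worst case: every candidate tried. A search that finds the password partway
    through stops earlier, which is why the article's measured times are shorter."""
    return keyspace(password) / rate


def min_length(alphabet, rate, seconds):
    """Shortest length whose full keyspace takes longer than `seconds` to exhaust at `rate`."""
    n = 1
    while alphabet ** n / rate < seconds:
        n += 1
    return n


def human(seconds):
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


def brute_force_md5(target_hex, alphabet=ALNUM, max_len=3):
    """Toy exhaustive search over MD5, shortest candidates first.
    Returns the matching password as bytes, or None if nothing up to max_len matches."""
    alpha = alphabet.encode()
    for length in range(1, max_len + 1):
        for combo in itertools.product(alpha, repeat=length):
            guess = bytes(combo)
            if hashlib.md5(guess).hexdigest() == target_hex:
                return guess
    return None


def demo_crack(password=b"Zq7"):
    """Hash a constructed password, then recover it from the hash alone."""
    return brute_force_md5(hashlib.md5(password).hexdigest(), max_len=len(password))


if __name__ == "__main__":
    for pw in ("fjR8n", "pYDbL6", "fh0GH5h", "Kp7qLm2Xz", "F6&B is"):
        print(f"{pw!r:12} alphabet={alphabet_size(pw):3}  "
              f"CPU {human(seconds_to_exhaust(pw, CPU_RATE)):>12}  "
              f"GPU {human(seconds_to_exhaust(pw, GPU_RATE)):>12}")
    print("alnum length that outlasts the GPU for a century:",
          min_length(len(ALNUM), GPU_RATE, 100 * YEAR))
    print("recovered from hash:", demo_crack())
```

Running it shows the 7-character alphanumeric password at about 4.2 days on the CPU and 17.8 minutes on the GPU, and the nine-character one at 43.8 years versus 47.5 days, matching the article to within the difference between a worst-case exhaust and a search that stopped when it hit the password. The length calculator says 11 random alphanumeric characters already keep this particular GPU busy for over a century; the real lesson of the update below is that the rate, not the length, is the moving target.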

[UPDATE: Take a look at this: whitepixel 2 running with 4 x HD 5970 cards (8 GPUs) is capable of 33.1 billion MD5 password hashes per second. Via SimonZerafa of PC-Technical]


Talkback

212 comments
  • Mitigation

    So would an effective mitigation to brute force attacks be lock-down after failed logins or would this be bypassed in some way?
    OrlandoHatch
    • RE: Cheap GPUs are rendering strong passwords useless

      @OrlandoHatch
      These tools operate on the file containing the password hashes, which anyone can access. Since they are only making guesses against the hashes, there are no "failed logins". The only login attempt would be the correct login after they retrieve the correct password.
      hotwirez@...
      • RE: Cheap GPUs are rendering strong passwords useless

        @hotwirez@...
        Which anyone can access? I don't follow you. My website keeps the passwords in a MySQL database, which NOT just anyone can access. Could you explain further?
        matthewlinux
      • RE: Cheap GPUs are rendering strong passwords useless

        @mathewlinux@...
        In many cases such as on users computers, the hash is the only thing protecting the passwords. And even in the case of a database of passwords, the hashes protect the passwords in the case that someone gets hold of your database (an increasingly common possibility; all it takes is one sql injection venerability).

        However many of these problems could be remedied via salting (to force hackers to attempt to hack passwords one at a time), key strengthening or a more complex hashing function (to increase the complexity of computing hashes), or simply using longer passwords (I have been using 16 random alphanumeric characters for years).
        tomdwright
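The salting and key-stretching remedies mentioned in the comment above, and the offline nature of the attack raised earlier in this thread, can be made concrete. The following Python is an added example and not code posted by any commenter: it builds a small constructed "leaked" user table two ways, as fast unsalted MD5 and as per-user-salted PBKDF2-HMAC-SHA256, then runs the same wordlist against both and counts the hash computations the attacker has to perform. The user names, passwords, wordlist and iteration count are all invented for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: three users, two of whom reuse a password, and a short wordlist.
USERS = {"alice": b"password1", "bob": b"letmein", "carol": b"password1"}
WORDLIST = [b"123456", b"letmein", b"qwerty", b"password1", b"dragon"]
ITERATIONS = 2000  # kept low so the demo finishes quickly; production settings go far higher


def store_unsalted(password):
    """Fast, unsalted hash: the kind of target the article's NTLM and MD5 rates apply to."""
    return hashlib.md5(password).hexdigest()


def store_salted(password, iterations=ITERATIONS):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 key stretching."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, iterations, dk


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, dk)


def build_unsalted(users):
    return {user: store_unsalted(pw) for user, pw in users.items()}


def build_salted(users):
    return {user: store_salted(pw) for user, pw in users.items()}


def crack_unsalted(hash_db, wordlist):
    """Unsalted: one hash per guess is checked against every user's hash at once,
    and identical passwords are exposed as identical hashes before any cracking."""
    by_hash = {}
    for user, h in hash_db.items():
        by_hash.setdefault(h, []).append(user)
    found, hashes_computed = {}, 0
    for word in wordlist:
        hashes_computed += 1
        for user in by_hash.get(store_unsalted(word), []):
            found[user] = word
    return found, hashes_computed


def crack_salted(record_db, wordlist):
    """Salted: every guess has to be recomputed with each user's own salt."""
    found, hashes_computed = {}, 0
    for user, record in record_db.items():
        for word in wordlist:
            hashes_computed += 1
            if verify_salted(word, record):
                found[user] = word
    return found, hashes_computed


def guesses_per_second(hash_fn, seconds=0.2):
    """Rough single-core throughput of a hash function on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(b"guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    plain = build_unsalted(USERS)
    salted = build_salted(USERS)
    print("unsalted alice == carol:", plain["alice"] == plain["carol"])
    print("salted   alice == carol:", salted["alice"][2] == salted["carol"][2])
    print("unsalted cracked:", crack_unsalted(plain, WORDLIST))
    print("salted   cracked:", crack_salted(salted, WORDLIST))
    fast = guesses_per_second(store_unsalted)
    slow = guesses_per_second(lambda pw: hashlib.pbkdf2_hmac("sha256", pw, b"fixedsalt", ITERATIONS))
    print(f"md5 {fast:,.0f}/s vs pbkdf2({ITERATIONS}) {slow:,.0f}/s: about {fast / slow:,.0f}x more work per guess")
```

Both runs recover the same three passwords, because a five-word wordlist is tiny, but the unsalted table needs five hash computations in total while the salted one needs fifteen, one per guess per user, and each of those is thousands of MD5-equivalents rather than one. Nothing here involves a login attempt against the live system, which is why lockout policies do not enter into it: the attacker is working on a copy of the hashes.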
      • Anyone?

        @ hotwirez@...

        Eh? Even assuming you've got local login privileges, Unix has restricted access to the password hashes since the late 80s (Xenix was the first, in 1987), typically only allowing root to access them. As far as I know, NT-based Windows has always restricted access to the password hashes to the Local System account (the closest thing to root on Windows). Linux was rather behind the curve in this, as it was in many things before IBM stepped into the picture to help modernise it, and some distributions still used the antique Unix method of a world readable /etc/password file years after everyone else had stopped, but I doubt there are even any Linux systems that do that today.

        Granted, this could be a problem if you lose your laptop and aren't using volume-level encryption, since anyone with physical access to the unencrypted file system can get the hashes, but if you're doing anything sensitive and aren't using volume-level encryption, you're asking for trouble.
        WilErz
      • More layers not longer passwords

        @tomdwright...
        I think the word you were looking for was 'vulnerability' venerable is something VERY different.
        However... using longer passwords does nothing but increase the number of GPUs necessary to brute-force it. Additional layers such as two-part challenge/response, biometrics or multi-party key management are going to be key here and will become ever more important as data growth continues at its current rate.
        Silesti
      • RE: Cheap GPUs are rendering strong passwords useless

        @hotwirez@... in the case of hashes, it doesn't even have to be the correct password; all the 'cracked' password needs is to produce the same hash value.

        But, quick - have that ighashgpu program tell what password matches this
        636babe28def8ca075f3ca91a7313dc2
        hash value?
        Darr247
      • RE: Cheap GPUs are rendering strong passwords useless

        @darr247...
        "636babe28def8ca075f3ca91a7313dc2" = "Darr"
        dan@...
      • RE: Cheap GPUs are rendering strong passwords useless

        @dan@... really? That's the ONLY match you came up with?
        Darr247
      • RE: Cheap GPUs are rendering strong passwords useless

        @Darr247... Why would dan@ give you more matches? The one he gave you is correct. What is your point?
        agbags
      • RE: Cheap GPUs are rendering strong passwords useless

        @everyone

        Anyone with physical access to your machine can access your Windows SAM file and get the NTLM hashes for all users on the machine. That's what I was saying. You don't have to even be logged on to the machine to get the password hashes if you use something like NTFSDos to get the files.

        I know there are ways to reset the root password in Linux distros; I'm unsure as to whether you can get at the password hashes via the single-user login. I'm no Linux expert..
        hotwirez@...
      • Only root can read the password hashes.

        @hotwirez@...: "I know there are ways to reset the root password in Linux distros; I'm unsure as to whether you can get at the password hashes via the single-user login. I'm no Linux expert.."
        ye
      • RE: Cheap GPUs are rendering strong passwords useless

        @WilErz@...
        It's been a while since you've used Linux, hasn't it?
        When I ran RedHat 5.0 in 1998 the world-readable /etc/passwd file did NOT contain passwords. They were/are in the root-only-readable /etc/shadow file, encrypted. Ubuntu/Kubuntu machines do not allow remote root login ... see below.

        @hotwirez@..
        If you have physical access to a PC then passwords don't matter, the box is owned. Adding the "single" word to the Grub login string gives root access. At the root prompt one can issue "passwd acctname", which results in a prompt for a new password for acctname, followed by a re-entry verification prompt. If one does NOT have physical access to the box then they must hack into a user account, and then attempt to elevate their privileges to the root level. The default configuration for Ubuntu/Kubuntu systems is no ACK response to any port probe, and if the wireless router ping is turned off the machine's presence can only be deduced by upstream server traffic analysis, a task most hackers won't waste time doing.

        Regardless. One idea is to read & write 4,096 character mixed passwords to an SD chip or small USB stick, and have the password query utility read the port during boot up instead.
        GreyGeek77
      • RE: Cheap GPUs are rendering strong passwords useless

        @hotwirez@...
        So move the password hashes to a password protected space that has to have a login.
        Ram@...
    • RE: Cheap GPUs are rendering strong passwords useless

      You can secure PC from physical access by encrypting filesystem and booting from USB stick containing private key. By using strong encryption, without the USB key your HD will be useless.

      For remote access, if you prevent brute-forcing, it does not matter how much calculation power the intruder has.
      Leo T
  • Even with a GPU my 12-character password will take many years to decipher

    And my main password is 16 characters long, case sensitive, digits included, and I remember it without post-it notes.

    That is total death for brute force until at least the coming of quantum supercomputers in 2030.
    DDERSSS
    • RE: Cheap GPUs are rendering strong passwords useless

      @denisrs You are missing the point - yet again. Your password is not a password for Joe Public or Gov't users (my brother works for the FBI, they have strict rules). What you described is for Geeks i.e. the readers of these blogs, not Joe User. For every Geek there are probably 100's or 1000's of users with simple passwords.
      ItsTheBottomLine
      • RE: Cheap GPUs are rendering strong passwords useless

        @ItsTheBottomLine That's why two-factor auth should become standard.
        daengbo