
Hardware 2.0

Adrian Kingsley-Hughes

Cheap GPUs are rendering strong passwords useless

By Adrian Kingsley-Hughes | June 1, 2011, 4:35am PDT

Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack?

Think again!

Jon Honeyball, writing for PC Pro, has a sobering piece on how the modern GPU can be leveraged as a powerful tool against passwords once considered safe from brute-force attack.

Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password-busting tool called 'ighashgpu' and you have yourself a lean, mean password-busting machine. How lean and mean? Very:

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

Surely throwing symbols in there keeps you safe, right? Wrong! Take a seven-character, mixed-case/symbols random password like 'F6&B is' (note the space); that's gotta be tough for a brute-force attack. Right? A CPU will take some 75 days to churn through the possibilities, while a GPU is done with it in 7 hours.

What's the solution? Well, Honeyball doesn't know, and neither do I, to be perfectly honest. What I do know is that this is a warning, and one that we need to take seriously. Unless we're willing to move on to 15-16 character, mixed-case/symbols random passwords (which will end up on Post-It Notes), passwords will soon only offer protection against honest people.

[UPDATE: Take a look at this - whitepixel 2 running with 4 x HD 5970 cards (8 x GPUs) capable of 33.1 billion MD5 password hashes/sec.

Via: SimonZerafa of PC-Technical]


Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

Talkback

  • Mitigation
    So would an effective mitigation to brute force attacks be lock-down after failed logins or would this be bypassed in some way?
    OrlandoHatch
    1st Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @OrlandoHatch
    These tools operate on the file containing the password hashes, which anyone can access. Since they are only making guesses against the hashes, there are no "failed logins". The only login attempt would be the correct login after they retrieve the correct password.
    hotwirez@...
    1st Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @hotwirez@...
    Which anyone can access? I don't follow you. My website keeps the passwords in a MySQL database, which NOT just anyone can access. Could you explain further?
    matthewlinux
    1st Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @mathewlinux@...
    In many cases, such as on users' computers, the hash is the only thing protecting the passwords. And even in the case of a database of passwords, the hashes protect the passwords in the case that someone gets hold of your database (an increasingly common possibility; all it takes is one sql injection venerability).

    However, many of these problems could be remedied via salting (to force hackers to attempt to hack passwords one at a time), key strengthening or a more complex hashing function (to increase the complexity of computing hashes), or simply using longer passwords (I have been using 16 random alphanumeric characters for years).
    tomdwright
    1st Jun
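As an added illustration (not code from the article, PC Pro or any commenter) of the salting and key-stretching mitigation described in the comment above, set against the raw-hash guess rates the article quotes: the fast unsalted hash stands in for NTLM/MD5 (MD5 is used because MD4 is not available in every Python build), the iteration count is a constructed demo value, and seconds_to_exhaust is a plain keyspace estimate, not PC Pro's measurement.

```python
import hashlib
import hmac
import os

# Constructed demo values (not from the article): the iteration count is kept
# modest so the block runs quickly; real deployments tune it so that a single
# verification costs tens of milliseconds.
ITERATIONS = 20_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """What the cracked NTLM/MD5 hashes have in common: one cheap hash call
    per guess and identical output for identical passwords, so a single guess
    can be checked against every stored hash at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt and stretch with PBKDF2-HMAC-SHA256; return a self-describing
    record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(SALT_BYTES)  # per-user random salt: same password, different hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time so the comparison itself leaks nothing."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of the given length at the given guess rate."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    # Two users who chose the same password: identical fast hashes, but distinct
    # salted records that both still verify.
    print(fast_unsalted_hash("fh0GH5h") == fast_unsalted_hash("fh0GH5h"))
    a, b = store_password("fh0GH5h"), store_password("fh0GH5h")
    print(a != b, verify_password("fh0GH5h", a), verify_password("wrong", b))
    # The article's 7-character alphanumeric case at 3.3 billion guesses/s.
    print(f"{seconds_to_exhaust(62, 7, 3.3e9) / 60:.1f} minutes to exhaust")
```

Every guess against a PBKDF2 record costs the attacker the full iteration count, and the salt forces that work to be repeated per user rather than once per hash dump.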
  • Anyone?
    @ hotwirez@...

    Eh? Even assuming you've got local login privileges, Unix has restricted access to the password hashes since the late 80s (Xenix was the first, in 1987), typically only allowing root to access them. As far as I know, NT-based Windows has always restricted access to the password hashes to the Local System account (the closest thing to root on Windows). Linux was rather behind the curve in this, as it was in many things before IBM stepped into the picture to help modernise it, and some distributions still used the antique Unix method of a world readable /etc/password file years after everyone else had stopped, but I doubt there are even any Linux systems that do that today.

    Granted, this could be a problem if you lose your laptop and aren't using volume-level encryption, since anyone with physical access to the unencrypted file system can get the hashes, but if you're doing anything sensitive and aren't using volume-level encryption, you're asking for trouble.
    WilErz
    1st Jun
  • More layers not longer passwords
    @tomdwright...
    I think the word you were looking for was 'vulnerability'; venerable is something VERY different.
    However... using longer passwords does nothing but increase the amount of GPUs necessary to brute-force it. Additional layers such as two-part challenge/response, biometrics or multi-party key management are going to be key here and will become ever more important as data growth continues at its current rate.
    Silesti
    1st Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @hotwirez@... in the case of hashes, it doesn't even have to be the correct password; all the 'cracked' password needs is to produce the same hash value.

    But, quick - have that ighashgpu program tell what password matches this hash value: 636babe28def8ca075f3ca91a7313dc2
    Darr247
    1st Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @darr247...
    "636babe28def8ca075f3ca91a7313dc2" = "Darr"
    dan@...
    1st Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @dan@... really? That's the ONLY match you came up with?
    Darr247
    1st Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @Darr247... Why would dan@ give you more matches? The one he gave you is correct. What is your point?
    agbags
    2nd Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @everyone

    Anyone with physical access to your machine can access your Windows SAM file and get the NTLM hashes for all users on the machine. That's what I was saying. You don't have to even be logged on to the machine to get the password hashes if you use something like NTFSDos to get the files.

    I know there are ways to reset the root password in Linux distros; I'm unsure as to whether you can get at the password hashes via the single-user login. I'm no Linux expert..
    hotwirez@...
    3rd Jun
  • Only root can read the password hashes.
    @hotwirez@...: I know there are ways to reset the root password in Linux distros; I'm unsure as to whether you can get at the password hashes via the single-user login. I'm no Linux expert..
    ye
    3rd Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @WilErz@...
    It's been a while since you've used Linux, hasn't it?
    When I ran RedHat 5.0 in 1998 the world readable /etc/passwd file did NOT contain passwords. They were/are in the root only readable /etc/shadow file, encrypted. Ubuntu/Kubuntu machines do not allow remote root login ... see below.

    @hotwirez@..
    If you have physical access to a PC then passwords don't matter; the box is owned. Adding the "single" word to the Grub login string gives root access. At the root prompt one can issue "passwd acctname", which results in a prompt for a new password for acctname, followed by a re-entry verification prompt. If one does NOT have physical access to the box then they must hack into a user account, and then attempt to elevate their privileges to the root level. The default configuration for Ubuntu/Kubuntu systems is no ACK response to any port probe, and if the wireless router ping is turned off the machine's presence can only be deduced by upstream server traffic analysis, a task most hackers won't waste time doing.

    Regardless. One idea is to read & write 4,096 character mixed passwords to an SD chip or small USB stick, and have the password query utility read the port during boot up instead.
    GreyGeek77
    5th Jun
  • RE: Cheap GPUs are rendering strong passwords useless
    @hotwirez@...
    So move the password hashes to a password protected space that has to have a login.
    Ram@...
    7th Jun