New Password Recovery Technique Uses CPU and GPU Together
BaCa writes to mention that a new hardware/software combination has been created by a company called ElcomSoft that will reportedly allow cryptography professionals to build cheap PCs that work like supercomputers for the specific task of retrieving lost passwords. Utilizing a combination of the CPU and the GPU, the task of brute forcing a password may be reduced by as much as a factor of 25. "Until recently, graphic cards' GPUs couldn't be used for applications such as password recovery. Older graphics chips could only perform floating-point calculations, and most cryptography algorithms require fixed-point mathematics. Today's chips can process fixed-point calculations. And with as much as 1.5 Gb of onboard video memory and up to 128 processing units, these powerful GPU chips are much more effective than CPUs in performing many of these calculations."
"Password Recovery" sounds so much more benign than "Cracking Passwords".
Hello, Mr. Orwell. *wave*
What seems to have been missed in the discussion so far is that this company is applying for a patent on their technique, which they claim is "revolutionary." I really hope that this doesn't get granted, as it would open a whole new realm of stupid patents for "X on a graphics card," which is about as stupid a patent as "X on the internet."
FPGAs (Field-Programmable Gate Arrays) sound like they would be just the ticket for SIMD (single-instruction-multiple-data) calculations such as this. Configure up a bunch of FPGA chips to do the encryption calculations on a zillion combinations in parallel...
Paleotechnologist and connoisseur of pretty shiny things.
All password checks on my machines take 10 seconds minimum. A strategic 'sleep(10)' does the trick. There is no need to calculate MD5 hashes repeatedly to waste an attacker's time. A nice sleep() allows the server to go do something more useful.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The "sleep 10" idea is pretty much a waste of your time to code unless you also limit the number of incoming connections. It would be fine in the old days with a dedicated connection to a serial port on the back of the computer, but now all an attacker has to do is open up a few hundred connections to your machine and multiplex the attack. The attacker will not care that at any instant 99.9% of his connections are in the "sleep 10" state, as long as he can find one of the connections that is ready to accept another password.
http://utcc.utoronto.ca/~cks/space/blog/sysadmin/NetworkAuthDelays explains this issue, pointing out that all the delay does is annoy users who make typos, whilst not hurting attackers.
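The point made in the two comments above, as an added example that is not code from any poster in this thread: a per-connection sleep scales with the number of open connections, while a per-account attempt budget does not. The per-account token bucket is one common mitigation chosen here for illustration; the class and function names, the account name and all numbers are constructed assumptions.

```python
# Added example (hypothetical names, constructed numbers): accepted login
# attempts in a time window under a per-connection sleep versus a
# per-account attempt budget.

def attempts_with_connection_sleep(connections, delay_s, window_s):
    """Each connection gets one attempt per delay_s; connections are independent."""
    return connections * (window_s // delay_s)

class AccountThrottle:
    """Token bucket keyed by account, so opening more connections buys nothing.
    Credit is counted in whole seconds to avoid floating-point drift."""
    def __init__(self, burst, interval_s):
        self.burst = burst            # attempts allowed back to back
        self.interval_s = interval_s  # seconds needed to earn one more attempt
        self.state = {}               # account -> (credit_seconds, last_seen)

    def allow(self, account, now):
        cap = self.burst * self.interval_s
        credit, last = self.state.get(account, (cap, now))
        credit = min(cap, credit + (now - last))
        ok = credit >= self.interval_s
        if ok:
            credit -= self.interval_s
        self.state[account] = (credit, now)
        return ok

def attempts_with_account_throttle(connections, delay_s, window_s, burst, interval_s):
    """Every connection retries each delay_s seconds against the same account."""
    throttle = AccountThrottle(burst, interval_s)
    accepted = 0
    for now in range(0, window_s, delay_s):
        for _ in range(connections):
            if throttle.allow("alice", now):  # "alice" is a constructed account name
                accepted += 1
    return accepted

if __name__ == "__main__":
    for conns in (1, 300):
        print(conns, "connection(s), one hour:",
              "sleep(10) only ->", attempts_with_connection_sleep(conns, 10, 3600),
              "| per-account budget ->",
              attempts_with_account_throttle(conns, 10, 3600, burst=5, interval_s=60))
```

With the sleep alone, going from 1 to 300 connections multiplies the accepted attempts by 300; with the per-account budget the count stays the same.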
Yes. It's terrible. All this company has done is use CUDA for what it was meant to be used. Big whoop. If they get a patent for it, it's really, really sad. And quite honestly, the number of passwords to test increases exponentially with length. It doesn't matter if they get a speed-up of 100x.
Except that you can't change the password when it's compromised.
Be nice to people on the way up. You will meet them again on your way down!