Slashdot Mirror
New Password Recovery Technique Uses CPU and GPU Together
BaCa writes to mention that a new hardware/software combination has been created by a company called ElcomSoft that will reportedly allow cryptography professionals to build cheap PCs that work like supercomputers for the specific task of retrieving lost passwords. Utilizing a combination of the CPU and the GPU the task of brute forcing a password may be reduced by as much as a factor of 25. "Until recently, graphic cards' GPUs couldn't be used for applications such as password recovery. Older graphics chips could only perform floating-point calculations, and most cryptography algorithms require fixed-point mathematics. Today's chips can process fixed-point calculations. And with as much as 1.5 Gb of onboard video memory and up to 128 processing units, these powerful GPU chips are much more effective than CPUs in performing many of these calculations."
Pricing for these apps is pretty steep at $1,299 per machine license. Well, maybe not so steep if you consider how valuable it could be for you. It doesn't say if that has the GPU utilization with it yet or not.
Also, I wonder if they've investigated using SLI & CrossFire with these. That seems like something obvious to me but not included in the article. I'm unaware of their implementation but it sounds like it could be parallelized--and accross 2 or even 4 cards, that could get hilariously powerful.
My work here is dung.
I used to think the same. "Eight characters is enough for now, but it's only a matter of time..."
Then I realized that this doesn't mean IT departments will require longer passwords. Rather, this is the death of the password, in place of other authentication methods (smartcard, biometrics, others, and combinations of everything).
It won't be immediate, or close to it... but a 25x increase in the speed of bruteforcing passwords will certaintly speed up the process by which passwords are obseleted.
Or to just stop using passwords. Why can't I login with a USB key that has some piece of information which is signed using my private key on it?
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
I've read the article (such as it is), and it keeps claiming that this is a technique to recover "lost passwords". But I don't really believe that is the purpose of this software, and I have to ask "What is the difference between a 'lost password" and a password that belongs to someone else and not you?". Does anyone else really believe that the actual use of this software will be to assist the majority of users recover their own passwords? I do not. I suspect it might be harder to patent a tool for identity theft than for recovering "lost passwords" though.
I'm an American. I love this country and the freedoms that we used to have.
Anyone car to point me to one of these mythical video cards with 128 processors and 1.5 gig of fast on board memory? Also, at the price point they are asking for this software (1200USD per seat) it seems like this is hardly cost competitive with doing this same sort of thing using commercially available FPGA dev/prototype boards and open source software designed for this EXACT task.
-*The above statement is printed entirely on recycled electrons*-
True, but it you create an easy way for a user to disable their own account this isn't as much of a problem. Create a 1.800 where you put in a (much easier) password that will allow you to disable access to your account. This way, if your key gets stolen, you just go into I.T. in the morning and have them issue you a new one.
Not to mention the fact that when talking about password, your biggest enemy is some phiser sitting in russia....who is NOT very likely to fly to the states to steal your key. If your data actually is important enough to justify a hiring somebody to steal it, then chances are you are using biometrics/bullets to lock people out anyhow. If you're not, then tell you CIO to stop spending money on frosted glass NOCs that are suspended from the ceiling above your data center that is kept at a constant 42 degress and tell him to start spending it on real engineers.
NewslilySocial News. No lolcats allowed.
Because USB is insecure.
(assuming XP) When you plug in your USB key to login to your banking website it reads the signed key/password/whatever and signs you in. Great. Meanwhile... your screen-saver and the 'search bar' you installed also read your key and upload it to Mr. Nasty.
What you would need is a USB key with a processor to do the signing/challenge response internally.
Add 1 letter and you've increased the time it takes to hack by 26x (although it's probably closer to 100x with punctuation and the like). So 25x is irrelevant. So is 250x. Only something that makes it non-exponential would really make a difference.
I never got why people have so much trouble making up and remembering long passwords. I'm going to assume everyone here understands leetspeak, and enjoys something (i apologize to all the chronically depressed, i'm not trying to be an insensitive clod).
/., use the tagline and translate it into leet. Example: NewsForNerdsStuffThatMatters becomes N3w5F0rN3rd557uff7h47m4773r5
If you like music, use lyrics and translate them into leet. Example: WelcomeToTheJungle becomes W31c0m3707h3Jung13
If you like movies, use famous quotes and translate them into leet. Example: FranklyMyDearIJustDontGiveADamn becomes Fr4nk1yMyD34r1Jus7D0n7G1v34D4mn
If you think your funny, use jokes and translate them into leet. Example: ThisWebServerIsASeriesOfTubes becomes 7h1sW3b53rv3r15453r13s0f6ub3s
If you have need a password for root on
All these passwords are extremely easy to remember, and if you have a standard translation method (ie: 1 is always I and never L) you will prevent confusion that could lead to you forgetting your password. For added protection add symbols like Pipe for L or ? for Q.
unless you're using a crappy password scheme like Vista's, for example.
This is a process that lets you brute-force passwords 25 times faster. That's pretty neat, I'm not arguing that. It's extremely clever. But this speed [i]shouldn't matter[/i], because cracking passwords a mere 25 times faster shouldn't matter either. The problem comes down to how people are designing a lot of password schemes. They're aiming for speed. The article says the new technique can try ten million passwords per second on a single computer. Division tells us that, beforehand, the computer could process 400,000 passwords per second.
When was the last time you had four hundred thousand users logging into a single computer per second?
Checking a password should be slow. Brutally slow. I mean, quite literally, that just checking to see if the user's password hashes correctly should take at least a hundredth of a second. You're not going to have a hundred users logging in per second on a single computer anyway, our modern database-driven sites couldn't handle the load of displaying the login pages, so why are we making our password schemes so flimsy?
If you use a slow password hash generation - and this can be something as simple as iterating MD5 over itself ten thousand times - whoever's trying to brute-force your password scheme is going to have a horrible, horrible time of it. Add a basic salt to the mix and you will not have anything to worry about from this. If your password checker takes a hundredth of a second, then 25 times faster means your adversary is going to spend $1300 on software in order to try 2500 passwords per second. If you have an appropriate salting system that's 2500 passwords for a single user. This is not the death knell for passwords, or anywhere near it. If anything, it's the death knell for crappy password hashes - but it's not even that, since you could trivially foresee things like this years in advance.
Brute-force password cracking, by its very nature, is millions of times more expensive than merely verifying a valid user. From there, it's up to you to determine how safe you want your passwords to be. Personally? I'm fine with wasting a few extra hundredths of a second per user.
Breaking Into the Industry - A development log about starting a game studio.
No:
lUser: 1.800.pas.swrd
Phone Operator: Hello, this is Ryan in the I.T. department, how may I help you?
lUser: Omg! i left my purse on the table in the restaurant, my key was in there....will you disable my account?
Phone Operator: Sure may i have the password?
lUser: The password is bananas
Phone Operator: No, thats not the password, you only get two more tries before I call the number we have on file for this user and ask her what the problem is.
lUser: AHHH AHHA AHHHHHH is the password, uhhh....... *click*
NewslilySocial News. No lolcats allowed.
GPUs were foremost designed to execute large numbers of linearly-ordered simple matrix/vector operations per clock cycle. When it comes to generating 3D, there isn't much in the way of branching, recursion or conditional execution involved. I haven't checked recently, but it used to be that a "pixel pipeline" referred to a unit that could do a 4x4 * 4x1 operation in a single clock (16 multiplies and 12 adds).
Coincidentally this also helps a large number of scientific applications, such as molecular dynamics, or physics applications that can be converted into vectors and manipulated, such as kinematics (this is what a physics engine often does).
Game tree searches (I've written a few in my time) are usually highly recursive with exponential growth (branching factor). It would be very difficult to transform these into an efficient set of linearly-ordered vector operations. For example the static evaluator on many (older) chess engines consists of a painful set of heuristics and exceptions to heuristics, and exceptions to exceptions to heuristics. It is a very chaotic flow problem.
Education is a better safeguard of liberty than a standing army.
Edward Everett (1794 - 1865)
a company called ElcomSoft
How short Slashdotters' memories are. ElcomSoft is the Russian company Dmitry Sklarov was working for when he wrote the ebook software that got him thrown in jail when he visited the USA, after Adobe made a DMCA complaint against him.
Minor correction - I know what you mean when you say "linearly-ordered" but a more accurate way to describe it would be: large sets of independent operations per clock-cycle. The sequential encoding that happens between clock cycles is true of most processors, and not specific to GPUs. The key is high performance is the lack of communication between separate instances of the pixel shader which is a property of the independence of the sub-problems.
You're right about the chess search, in contrast to what the poster above you claims, a GPU would not be suitable for evaluating the heuristic because of the branching control flow within the heuristic. An interesting scoring function would be to try and encode a neural network that can score the position: then data packing would be an issue but a neural net can be converted into very efficient GPU code as long as the number of pixels that you are gathering the position from is quite low.
The real performance killer would be the scatter at the other end - once a position is scored the card needs to perform sorting to filter out the high scoring positions from the low. This sorting may be avoidable on the newer CUDA cards as their memory architecture allows an efficient scatter without the need to sort data.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
Happily, it seems some companies are finally getting the message that longer passwords does not necessarily mean a more secure system. I know of at least one well-known security software company that has recently revised its stringent password policy from "super long, with numbers and punctuation, changed every 30 days" down to "less long, and you don't have to change it nearly as often".
I'm guessing they had a security audit quietly done, wherein it was discovered that paying a janitor $20 to look for password Post-Its or doing a quick social engineering telephone call could break past more security than 100,000 CPU-hours of password cracking.
http://cltracker.net -- powerful craigslist multi-city search
Anyone ever considered using the PS3 for stuff like this? Seems like you have all the processing power you need (relatively speaking), but what else would you need to take into consideration?