Blazing Fast Password Recovery With New ATI Cards

An anonymous reader writes "ElcomSoft accelerates the recovery of Wi-Fi passwords and password-protected iPhone and iPod backups by using ATI video cards. The support of ATI Radeon 5000 series video accelerators allows ElcomSoft to perform password recovery up to 20 times faster compared to Intel top of the line quad-core CPUs, and up to two times faster compared to enterprise-level NVIDIA Tesla solutions. Benchmarks performed by ElcomSoft demonstrate that ATI Radeon HD5970 accelerated password recovery works up to 20 times faster than Core i7-960, Intel's current top of the line CPU unit."

Portrayal

[Dan+East]

I like the way this is portrayed in a totally positive light, as if a person, upon forgetting the password to their device, is going to go out and buy one of these video cards, install it in a machine capable of supporting it (PSU wattage, bus speed, OS, etc), purchase the proprietary "password breaker" software (sold by the company that authored this "story"), all just to recover their password. I think the typical usage for this type of setup is of a more nefarious sort.

Re:Portrayal

[Rene+S.+Hollan]

Try posting bail when no one else has access to your money or collateral and no one is willing to advance you a loan for that purpose. You first have to get to your lawyer (assuming you have one, and not a public defender who won't give a crap), have him draw up (or use a boilerplate) power of attorney form so s/he can access your funds, have a notary witness your signature at the jail (often not possible since the only physical (non-video) visitor you can have is your lawyer), and take that to your bank during business hours.

A debit/credit card might work, and you might indeed have it on your person when you are arrested. But, it will be safely stored with your personal possessions, and not provided to anyone other than upon filing in a release form, that your jailer may not approve (generally the deputy overseeing the jail module where you are held). Have you got your debit/credit card number memorized? The expiration date? The code on the back?

Things that can take a few minutes over the phone can take many days when one is in jail.

Re:103000 passwords per second. So?

[WuphonsReach]

At 103000 attempts per seconds, that's... 421 years oh.

Still within the realm of cracking, especially if those passwords guard a few million dollars of assets. 421 years sounds like a lot until you add things like:

- Crossfire or SLI where you have multiple boards installed
- Setup half a dozen machines to work on the problem
- Apply a botnet to the problem
- Future improvements in technology
- Apply some heuristics to the guessing process

All of which can easily shave off at least 2 orders of magnitude and possibly 3 orders of magnitude. Which reduces that 421 years down to a few months (or worse).

8 character passwords are pretty much dead in the water now. Or at least they need to be phased out within the next few years. Or protected by rate-limiters which control how fast passwords can be tried. (Personally, I always assume that the attacker has the stored hash and can apply parallelism to the attack. Which means that rate limiters should not be relied on to prevent cracks.)