Blazing Fast Password Recovery With New ATI Cards

An anonymous reader writes "ElcomSoft accelerates the recovery of Wi-Fi passwords and password-protected iPhone and iPod backups by using ATI video cards. The support of ATI Radeon 5000 series video accelerators allows ElcomSoft to perform password recovery up to 20 times faster compared to Intel top of the line quad-core CPUs, and up to two times faster compared to enterprise-level NVIDIA Tesla solutions. Benchmarks performed by ElcomSoft demonstrate that ATI Radeon HD5970 accelerated password recovery works up to 20 times faster than Core i7-960, Intel's current top of the line CPU unit."

Stop with the advertising

[ShadowRangerRIT]

This isn't really about GPUs, it's an advert for ElcomSoft products. The whole summary is in marketing-speak for crying out loud.

Re:Stop with the advertising

[ShadowRangerRIT]

And for the curious, TFA is no better. They're calling it a benchmark so they can advertise more effectively, that's all.

Re:Stop with the advertising

[Lord+Ender]

As an IT security guy, I found this to be informative, actually. When analyzing the security of a system or organization, I need to know not just what is theoretically possible, but what can be done with already-existing software and hardware.

This article gives me some idea as to what attacks are currently practical (and for what key lengths).

When research or engineering achievements come from the commercial (rather than academic) sector, it isn't really reasonable to expect an academic tone. They're tooting their own horn, but they are doing it about something important.

Portrayal

[Dan+East]

I like the way this is portrayed in a totally positive light, as if a person, upon forgetting the password to their device, is going to go out and buy one of these video cards, install it in a machine capable of supporting it (PSU wattage, bus speed, OS, etc), purchase the proprietary "password breaker" software (sold by the company that authored this "story"), all just to recover their password. I think the typical usage for this type of setup is of a more nefarious sort.

Re:Portrayal

[ElectricTurtle]

Being found not guilty does not mean he didn't spend time in jail. Not everybody is released on their own recognizance pending trials.

Re:Portrayal

[russotto]

No, the US jury found him not guilty.

No, the charges against Sklyarov were dropped and he was released as part of a deal in which Elcomsoft agreed to accept US jurisdiction. The US jury then found Elcomsoft not guilty.

Re:Portrayal

[hatten]

Wow, I didn't knew clippy could do password cracking!

Re:Portrayal

Dude, I was there. Defcon 9.

He didn't "enter a hostile country" unless you think the USA hates everybody and is hostile to all.

Dmitriy broke no US laws and broke no Russian laws. No US entity had complained about his activities before his arrest. He had every right to think he'd not be bothered.

But he he angered a powerful and amoral US corporation named Adobe, so they had their government lackeys detain him. When Adobe took a horrible blog-beating and a nearly instantaneous sales hit they asked the fedguv to drop the charges and the USA said "no, you turned him in, you don't prosecute DCMA, we do - he stays in jail for a year until we eventually get around to trying him and finding him not guilty". The worm turned on its master, very funny for everyone but Dmitriy's wife and infant children.

What did Dmitriy do that brought corporate wrath down on him? He revealed in a public forum that Adobe's e-book cipher, which they were shopping to authors as "hard encryption", was ROT-13. I was there when he did it. That's right, Adobe was telling authors that their technology would prevent duplication of their books, but their copy-protection was ROT-13. It's beyond parody.

Dmitriy revealed to e-book authors that Adobe had ripped them off. For that, he was held in durance vile.

Why did he do it? Not for the challenge, it was trivial! He did it so people could back up their legally purchased e-Books and so that blind people could read e-books. For that, he was held.

Re:Portrayal

[Rene+S.+Hollan]

Try posting bail when no one else has access to your money or collateral and no one is willing to advance you a loan for that purpose. You first have to get to your lawyer (assuming you have one, and not a public defender who won't give a crap), have him draw up (or use a boilerplate) power of attorney form so s/he can access your funds, have a notary witness your signature at the jail (often not possible since the only physical (non-video) visitor you can have is your lawyer), and take that to your bank during business hours.

A debit/credit card might work, and you might indeed have it on your person when you are arrested. But, it will be safely stored with your personal possessions, and not provided to anyone other than upon filing in a release form, that your jailer may not approve (generally the deputy overseeing the jail module where you are held). Have you got your debit/credit card number memorized? The expiration date? The code on the back?

Things that can take a few minutes over the phone can take many days when one is in jail.

Re:My password.

[FireofEvil]

1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!

GPUs

[Thyamine]

This isn't the first story about how crazy fast GPUs are for crunching. I know very little about that level of hardware, but why aren't we incorporating these types of things into CPUs? Is the coding/assembly so different that it doesn't translate? Do they only do certain kinds of processing really well (it is a GPU after all), so it couldn't handle other more 'mundane' OS needs?

Re:GPUs

GPU's are better at doing certain calculations generally, and are very good at parallel processing seeing as graphics can be broken down to be processed parallel very quickly. For this, gpu's have a ton of cores. So in a way processors are indeed starting to follow with multicore systems but it is nowhere near the number GPU's use. High end GPU's now have 480+ processor cores on a card these days, thats a lot more then 4 core intel's ;). But if you had a ton of cores on the processor, each additional one doesn't add too much to actual cpu power as most things must be done linearly, not parallel. Just helps with multitasking really. Which is why a few cores are useful, but overall power of the core is better then having a ton of them. Graphics cards go with a ton of lower speed cores.

Re:GPUs

[John+Napkintosh]

The last sentence nails it. They only do certain types of operations well, and the frequency with which I upgrade GPUs compared to CPUs - or more specifically, the fact that I very rarely replace both at the same time - leads me to believe I'm better off having them separate. Maybe there are parts of the GPU which could be incorporated into the CPU, and I think that might be what the Core i3/5/7 processors are doing with GMA integration.

Re:GPUs

[SuperMog2002]

Is the coding/assembly so different that it doesn't translate? Do they only do certain kinds of processing really well (it is a GPU after all), so it couldn't handle other more 'mundane' OS needs?

Yes, exactly. CPUs are built from the ground up to do scalar math really, really fast. That lends itself well to doing tasks that must be performed in sequence, such as running an individual thread. However, they've only recently gained the ability to do more than one thing at a time (dual core processors), and even now high end CPUs can only do six calculations at once (6 core processors).

Meanwhile, GPUs are built to do vector math really, really fast. They can't do individual adds anywhere near as fast as a CPU can, but they can do dozens of them at the same time.

Which type of processor is best for which job depends entirely on the nature of the math involved and how parallelizable the task is. In the case of 3D graphics, drawing a frame involves tons of vector arithmetic work, which is why your 1 GHz GPU will run circles around your 3 GHz CPU for that task (and is also where the GPU gets its name from). In the case mentioned in the article, password cracking is highly parallelizable: you've gotta run 100 million tests, and the outcome of any one test has zero influence on the other tests, so the more you can run at the same time, the better. By running it on the GPU, each individual test will take a bit longer than running it on the CPU would, but you'll be able to run dozens simultaneously instead of just a few, and will thus get your results much faster.

CPUs certainly have their place, though. Some tasks simply must be done in sequence and cannot be easily divided up in to seperate parallel tasks. The CPU will get these done much faster, since running them on the GPU would incur the speed penalty without realizing any benefit.

I've simplified it a bit for the sake of explanation, but that's the gist of it. Hope that helps!

Re:GPUs

[ShadowRangerRIT]

That's not really the same thing. The Intel 80 core prototype was still a CPU at heart, they just made improvements to communication. GPUs are quite different. GPUs are designed as primarily floating point processors (though newer ones can do low precision integer math with similar efficiency), but more importantly, they are vector processors with virtually no support for conditional statements and optimized for sequential access to memory instead of random access. They're halfway between dedicated circuitry and a general purpose CPU; what they can do, they do *very* well, and they can generalize a little, but tasks they weren't designed for need to be rewritten to accommodate their quirks, and eventually reach a point of diminishing returns. Integrating GPUs into the CPU will allow more programs to use it (and possibly speed processing and enable new scenarios where the CPU and GPU need to communicate frequently), but for run of the mill computing tasks, the relatively inflexible design of GPUs is a problem.

Slashvertisement

Hey Editors,

You forgot a link to the buying page
For as low as 1.399,- € you can start cracking^Wrecovering passwords today.

Re:Slashvertisement

[cOldhandle]

In case anyone wants to play around with this tech without paying (or rolling your own): I tried out this free (as in beer) windows software yesterday: http://golubev.com/rargpu.htm It seemed to work very effectively - I was able to brute force 5 lower case letter only passwords on RAR files in a couple of minutes on a GTX260. It also has some advanced options to specify mutations of strings to try, and to use word lists.

boo

boo slashvertisement

Re:Out of curiosity...

[cbope]

Normal. Running GP-GPU or CUDA apps has no effect on output to the screen. We do it for medical imaging processing.

Re:My password is safe

[idontgno]

Dude, haven't you heard? It's really insecure to use such a short password. And yours is surely the shortest EVAR.

Re:My password is safe

[Linker3000]

Try resetting someone's password to 'obvious' when they call in with a 'forgotten password'. Then see how long you can string them along by saying "I've reset your password - the new one's obvious..."

Caller: "What? Like my surname?"
You: "No, it's obvious"
Caller "First name?"
You "No"
Caller "letmein?"

Yeah, it's been a bad day!

Re:103000 passwords per second. So?

[WuphonsReach]

At 103000 attempts per seconds, that's... 421 years oh.

Still within the realm of cracking, especially if those passwords guard a few million dollars of assets. 421 years sounds like a lot until you add things like:

- Crossfire or SLI where you have multiple boards installed
- Setup half a dozen machines to work on the problem
- Apply a botnet to the problem
- Future improvements in technology
- Apply some heuristics to the guessing process

All of which can easily shave off at least 2 orders of magnitude and possibly 3 orders of magnitude. Which reduces that 421 years down to a few months (or worse).

8 character passwords are pretty much dead in the water now. Or at least they need to be phased out within the next few years. Or protected by rate-limiters which control how fast passwords can be tried. (Personally, I always assume that the attacker has the stored hash and can apply parallelism to the attack. Which means that rate limiters should not be relied on to prevent cracks.)