Slashdot Mirror
Cheap GPUs Rendering Strong Passwords Useless
StrongGlad writes with a story at ZDNet describing how it's getting easier to use GPU processing against passwords once considered quite strong.
"Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called 'ighashgpu' and you have yourself a lean, mean password busting machine. How lean and mean? Working against NTLM login passwords, a password of 'fjR8n' can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second. Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU."
This is about offline hash cracking, not bruteforcing passwords over a network connection.
Emotions! In your brain!
Exponential growth. Get the point?
Using the same scaling as the summary, you can crack 8 characters with about 64 GPU hours, which is about $50 on AWS.
By the time you get to 10 characters, you are talking $700k. 12 characters is into the billions. Of course, I doubt that AWS will scale their fleet to billions of servers just so you can rent it for one hour, so you're going to have to pay to build your own data centers and, for that matter, chip factories.
Even for Slashdot, this is a little pathetic: the link is to a ZDNet article, which regurgitates a PCPro article, which in turn regurgitates a blog post by the guy who actually ran the tests, Vijay Devakumar. And here's Ivan Golubev, who wrote the cracking tool.
Still, ZDNet's advertisers thank you for the hits!
Screw the general population. I'm a geek and a 120+ WPM @ 98% accuracy typist to boot and I can't even enter our administrative password more than 50% of the time at work.