New 25-GPU Monster Devours Strong Passwords In Minutes

chicksdaddy writes "A presentation at the Passwords^12 Conference in Oslo, Norway (slides), has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney's system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft's LM and NTLM, obsolete. In a test, the researcher's system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference. For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other, Linux-based operating systems, was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU-powered systems that could perform 'close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,' he wrote. Gosney's cluster cranks out more than 77 million brute force attempts per second against MD5crypt."

Use different passwords for different things

[TheLink]

My conclusion is to use different passwords for different things. They don't have to be that strong.

As long as the passwords are strong enough to prevent brute forcing over the _NETWORK_ they are strong enough. If you don't pick an overly stupid password then either you or the site is going to be pwned before the hackers brute-force/guess your password over the network.

If someone has hacked into the site to obtain the hashes, it's likely they can do other stuff anyway (make transactions, get your info, maybe even get the plaintext of your password), so don't waste your time making and using super long passwords.

Re:Use different passwords for different things

[bmo]

Pretty much this. Brute forcing passwords over the Internet is silly and non-productive.

>it's likely they can do other stuff anyway

What, you mean like the Youporn chat registration list that had the usernames and passwords *and* verification email addresses in plaintext? Or like when Yahoo was compromised? Or like dozens of other companies were compromised? Or like when EMC was spear-phished out of RSA tokens?

My concern isn't someone with a hundred Tesla cards cracking passwords. My concern is dumb admins and people falling for social-engineering.

--
BMO

Re:Use different passwords for different things

i think email should be on the top list of priority - because "reset your password" on every other system tends to use your email address. lose control of your email and you've lost control of everything else.

This is hype: NTLM is broken by design

[slb]

This is well known and no sane people uses NTLM auth anymore, even Microsoft recommend to deactivate this authentication method. The idiots at Microsoft used a DES ECB implementation instead of CBC that anyone with two ounce of crypto knowledge would choose. The practical impact of this very bad design choice is that a 14 character password has as much complexity as two independant 7 characters passwords ! So when the authors brag about cracking a 14 character password in 6 minutes, what they're really doing is cracking two 7 character passwords in 6 minutes, this is entirely different and not impressive at all.

Re:Ob "correct horse battery staple"

[mwvdlee]

You mean your system allows users to enter weak passwords?

Re:MD5? Windoze XP? INSECURE LEGACY!!

[PlusFiveTroll]

There problem is there is still tons of old sites that have MD5 storing passwords. Then there is the second problem of password reuse. Username/Password reuse is the more dangerous of the two, because it can render an account on a system with strong passwords where then local attacks can be attempted.

Re:my password

[bogie]

And many password strength checkers don't catch that either and let you think you are picking a good password.

Single factor authentication has had it's run. Now it's deader than a doornail. Time to move on and stop living in the past.

Re:my password

[hawguy]

1.... 2.... 3.... 4.... 5....

29 characters, including spaces...not bad. As long as the attacker doesn't know anything about your password and has to test all ASCII printable characters, that's over 180 bits of entropy in your password. So I think you're safe - the article says it would take 5 hours to hack an 8 character NTLM password. (which is not the same as LM (WinXP))

I think NTLM only keeps a 128bit hash, so if it were possible to brute force the entire key space, the attacker would likely find a hash collision that works as your password before finding your actual password.

Re:my password

[Technician]

My door lock is even more secure with a 4 digit pin. 3 failed attempts lock it out for several minutes. More failed attempts lock it for an hour. It doen't bother to tell you it is ignoring you during that period. A penalty instead of millions of free retries should stop that without physical access.