Password-cracking feats at blistering speed shown in Oslo

Dec 11, 2012 by Nancy Owano weblog

Remember when the running advice for password setup was to avoid using your name backwards? My how we have smelled the coffee. A new rig-and-burn presentation for an audience of academics and security professionals at the Passwords^12 conference in Oslo, Norway, earlier this month, demonstrated that password cracking is an easy game: crippling amounts of password theft can happen at crippling speed.

Researcher Jeremi Gosney, the founder and CEO of Stricture Consulting Group, was the thinker behind the hardware and software setup that could make 350 billion guesses per second. The result was that eight-character passwords could fall in hours; some passwords could be had in minutes. The deployment capable of 350 billion guesses per second was a five-server cluster with 25 AMD Radeon GPUs and virtualization software. The password-penetrating design unleashed unexpected speed, ripping through Windows passcodes. Security Ledger runs a detailed account of the rig's specs and results. According to reports, his approach was enough to brute-force eight-character passwords containing upper- and lower-case letters, digits, and symbols in just hours.

The brute-forcing algorithms went to work at remarkable speeds. He showed that with the right software improvements and powerful hardware, such attacks are quite feasible. His setup is only relevant to offline attacks, where the thief has already retrieved a password database or file. The cluster he used would not be relevant to online attacks against a live system. His scenario applies to exploits involving collections of leaked or stolen passwords.

Gosney's success in ripping through eight-character passwords will, however, only make security professionals that much more aware of what they already know: that older algorithms and shorter passwords are vulnerable to attack. System breaches leading to substantial password leaks have been in the news headlines for some time. Gosney said in an email to Ars Technica that "We can attack hashes approximately four times faster than we could previously." Gosney has been working on clustering approaches for the last four or five years.

The GPU cluster in his recent presentation uses a cluster platform that lets every card function as if it were in a single desktop, running ocl-Hashcat Plus.

The general rule for computer users is to choose long, strong passwords, between 13 and 20 characters if possible. Users worried about choosing words that are too "common" can turn to password management tools, which are designed to help create passwords that are less vulnerable.
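As an added example (not code from the article or from Gosney's own tooling), the following Python turns the article's 350-billion-guesses-per-second figure and its 8- versus 13-character advice into a keyspace calculator, and contrasts that offline rate with the online lockout policy a commenter below describes (3 attempts, then a 30-minute freeze); the lockout numbers come from that comment, everything else from the article.

```python
# Password-cracking time calculator (added example, not the article's or the rig's code).
# Worst case is assumed: the attacker tries every candidate of a given length and charset.

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over `charset_size` symbols."""
    return charset_size ** length

def exhaust_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate of the given shape at a given rate."""
    return keyspace(charset_size, length) / guesses_per_second

def human(seconds: float) -> str:
    """Render a duration in its largest sensible unit."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"

# Figures from the article: the rig's rate and the full printable-ASCII charset.
OFFLINE_RATE = 350e9        # 350 billion guesses per second against leaked hashes
PRINTABLE = 95              # upper + lower + digits + symbols

# Online rate implied by the commenter's lockout policy: 3 tries, then a 30-minute freeze.
LOCKOUT_RATE = 3 / (30 * 60)

def scenarios():
    """Return (label, seconds) rows for the cases the article and comments discuss."""
    return [
        ("8 printable chars, offline at rig speed", exhaust_seconds(PRINTABLE, 8, OFFLINE_RATE)),
        ("13 printable chars, offline at rig speed", exhaust_seconds(PRINTABLE, 13, OFFLINE_RATE)),
        ("8 lowercase letters, offline at rig speed", exhaust_seconds(26, 8, OFFLINE_RATE)),
        ("8 printable chars, online under 3-per-30-min lockout", exhaust_seconds(PRINTABLE, 8, LOCKOUT_RATE)),
    ]

if __name__ == "__main__":
    for label, secs in scenarios():
        print(f"{label:55s} {human(secs)}")
```

The eight-character printable case lands at a little over five hours, matching the article's "in just hours", while adding five more characters pushes the same attack past a million years.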


User comments: 8


3 / 5 (4) Dec 11, 2012
The password is just the first line of defense. Number of errors is the second. Security questions the third.
Care to offer a fourth?
2.7 / 5 (7) Dec 11, 2012
Time between password attempts is also a good defence. For example in my network, 3 false attempts to log in freezes the account for 30 minutes.
1.8 / 5 (4) Dec 12, 2012
As a teacher I can say that freezing accounts is a very interesting feature. My account often appeared frozen a minute before class. I wonder who did that...
1 / 5 (2) Dec 12, 2012
Fourth, limit the number of sites you use it on. Fifth, change the password often.

Like anyone does that stuff. Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.
not rated yet Dec 12, 2012
Many places don't allow symbols in a password. That makes cracking them much simpler.
not rated yet Dec 12, 2012
Security is based on something you know, something you have, or something you are.

Passwords are only one part of the security puzzle.

If you're concerned about password cracking, then use multi-factor authentication.
not rated yet Dec 12, 2012
"If worried about choosing words that are too "common," users can turn to password management tools, which are designed to help a user create passwords that are less vulnerable."

... so they only have to break your master password and get the rest for free. OTOH I use PW management and it's easier for me to remember one massive secure password than 20 easy/medium ones.
not rated yet Dec 13, 2012
Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.

No, it wouldn't. Identity theft is a problem, but reckless policies like this - of which we already have too many - are more harmful than the crime and don't actually solve the problem.

Potential solutions are to make identity theft impossible (good luck with that), or make it inconsequential (stop linking everything to identity), or make it easier to detect when authentication is compromised and prevent/undo the damages.
