Password-cracking feats at blistering speed shown in Oslo

December 11, 2012 by Nancy Owano weblog

Remember when the running advice for password setup was to avoid using your name backwards? My, how we have woken up and smelled the coffee. A presentation to an audience of academics and security professionals at the Passwords^12 conference in Oslo, Norway, earlier this month demonstrated that password cracking is now an easy game: a stolen hash file can give up enormous numbers of passwords, and at crippling speed.

Researcher Jeremi Gosney, the founder and CEO of Stricture Consulting Group, designed the hardware and software setup, which can make 350 billion guesses per second. At that rate eight-character passwords fall in hours, and some passwords can be had in minutes. The rig was a five-server cluster with 25 AMD Radeon GPUs, tied together by virtualization software so that the cards appear as one machine. The design unleashed unexpected speed, ripping through Windows NTLM password hashes; Security Ledger runs a detailed account of the rig's specs and results. According to reports, the approach was enough to brute-force eight-character passwords drawn from upper- and lower-case letters, digits, and symbols in just hours.
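The "hours" figure is simple arithmetic: the number of candidate passwords divided by the guess rate. The following cost model is an added example, not code from the article or from Gosney's talk; the only number it takes from the article is the 350 billion guesses per second, while the character-set sizes (95 for printable ASCII, matching "upper- and lower-case letters, digits, and symbols") and the password lengths tried are assumptions chosen to show how the search space grows with length.

```python
"""Brute-force cost model behind the article's "eight characters in hours".

Added example; this is not code from the article or from Gosney's talk.
The only number taken from the article is the 350 billion guesses per
second. The character-set sizes below are assumptions: 95 is the count of
printable ASCII characters, which matches the article's "upper- and
lower-case letters, digits, and symbols".
"""

GUESSES_PER_SECOND = 350e9  # rate the article reports for the 25-GPU cluster

# Assumed character-set sizes for the masks an attacker would run.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "alphanumeric": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def cumulative_keyspace(charset_size, max_length):
    """All passwords of length 1..max_length: a mask attack runs the short
    lengths first, so the worst case for an N-character password includes
    every shorter candidate as well."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every candidate up to `length` at `rate`."""
    return cumulative_keyspace(charset_size, length) / rate


def expected_seconds(charset_size, length, rate=GUESSES_PER_SECOND):
    """A uniformly random password is found, on average, halfway through."""
    return seconds_to_exhaust(charset_size, length, rate) / 2


def minimum_length(charset_size, target_seconds, rate=GUESSES_PER_SECOND):
    """Smallest length whose exhaustive search takes at least target_seconds."""
    length = 1
    while seconds_to_exhaust(charset_size, length, rate) < target_seconds:
        length += 1
    return length


def human_time(seconds):
    """Round a duration to the largest convenient unit for display."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    YEAR = 365 * 86400
    for name, size in CHARSETS.items():
        for length in (8, 10, 13):
            print(f"{name:>20} x{length:<3} {human_time(seconds_to_exhaust(size, length))}")
    print("length needed to resist one year at 350 G/s:", minimum_length(95, YEAR))
```

Running it reproduces the article's headline: all printable-ASCII passwords of eight characters or fewer are exhausted in a little over five hours at 350 billion guesses per second, while thirteen characters from the same set take millions of years, because each added character multiplies the search space by 95. Note that this is the cost for the fast, unsalted NTLM hash the rig was benchmarked against; a deliberately slow hash lowers the guess rate by orders of magnitude, and the same function with a smaller `rate` shows the effect.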

The brute-forcing runs at remarkable speed. He showed that with the right improved software and powerful hardware, such attacks are quite feasible. His setup is relevant only to offline attacks, where the thief has already retrieved a password database or hash file and can guess as fast as the hardware allows. The cluster would be of no help in online attacks against a live system, which can throttle or lock out repeated guesses. His scenario applies to collections of leaked or stolen password hashes.
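What an offline attack on a stolen hash file looks like in practice, as an added example that is not code from the article, from Gosney's talk, or from hashcat: the rate quoted in the article was measured against NTLM, which is MD4 over the UTF-16LE password with no salt, so a pure-Python MD4 is included (hashlib's md4 is often unavailable in modern OpenSSL builds). The "stolen" hashes are constructed here from deliberately short passwords so that the search finishes quickly in Python, and the mask syntax (`?l`, `?u`, `?d`, `?s`) is modelled loosely on hashcat's; the `?s` set is an assumption.

```python
"""Offline mask attack against NTLM hashes, as a worked example.

Added example; not code from the article, from Gosney's talk, or from
hashcat. NTLM is MD4 over the UTF-16LE encoding of the password, unsalted,
so MD4 is implemented here in pure Python. The "stolen" hashes below are
constructed from deliberately short passwords so the search finishes
quickly; the 350 billion guesses per second used for the projection is
the article's figure.
"""
import itertools
import string
import struct

_M32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320; returns the 16-byte digest."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F(b, c, d) = (b AND c) OR (NOT b AND d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority(b, c, d); words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _M32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = b XOR c XOR d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & _M32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def ntlm(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE password, no salt, hex-encoded."""
    return md4(password.encode("utf-16le")).hex()


# Mask syntax modelled on hashcat's: ?l ?u ?d ?s; any other character is a literal.
# The ?s set is Python's string.punctuation (an assumption; hashcat's also has space).
MASK_SETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
             "d": string.digits, "s": string.punctuation}


def parse_mask(mask: str):
    """'?l?l?d' -> [lowercase, lowercase, digits]: one candidate set per position."""
    sets, chars = [], iter(mask)
    for ch in chars:
        sets.append(MASK_SETS[next(chars)] if ch == "?" else ch)
    return sets


def mask_keyspace(mask: str) -> int:
    n = 1
    for s in parse_mask(mask):
        n *= len(s)
    return n


def crack_mask(stolen_hashes, mask: str):
    """Run the mask against every hash at once; returns ({hash: password}, guesses).

    Because NTLM is unsalted, one MD4 per candidate tests it against the whole
    dump, which is why a leaked hash file is the attacker's ideal input."""
    wanted = {h.lower() for h in stolen_hashes}
    found, tried = {}, 0
    for combo in itertools.product(*parse_mask(mask)):
        tried += 1
        candidate = "".join(combo)
        digest = ntlm(candidate)
        if digest in wanted:
            found[digest] = candidate
            if len(found) == len(wanted):
                break
    return found, tried


def projected_seconds(mask: str, rate=350e9) -> float:
    """Worst-case time for the same mask on the article's 350 G/s cluster."""
    return mask_keyspace(mask) / rate


# Constructed "stolen" dump; in practice only the hex hashes would be known.
STOLEN_HASHES = [ntlm("ab3"), ntlm("zq9")]

if __name__ == "__main__":
    found, tried = crack_mask(STOLEN_HASHES, "?l?l?d")
    print(found, "after", tried, "guesses")
    for mask in ("?l?l?d", "?u?l?l?l?l?d?d?s", "?u?l?l?l?l?l?l?l?l?l?l?d?d"):
        print(mask, "keyspace", mask_keyspace(mask), "=", projected_seconds(mask), "s")
```

Two things the article's prose only implies are visible here: nothing in the loop ever contacts the victim system, so no lockout or rate limit applies, and every guess is checked against every stolen hash for the price of one MD4, because NTLM has no per-user salt. A salted or deliberately slow hash removes the second advantage and shrinks the guess rate, which is what the article means by older algorithms being the vulnerable ones.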

Gosney's success in ripping through eight-character passwords will only make security professionals more aware of what they already know: that older, fast and unsalted hash algorithms such as NTLM, and short passwords, are vulnerable to attack. System breaches leading to substantial password leaks have been in the news headlines for some time. Gosney said in an email to Ars Technica that "We can attack hashes approximately four times faster than we could previously." He has been working on clustering approaches for the last four or five years.

The GPU cluster in his presentation runs on a clustering platform that lets each card function as if it were in a single desktop, with the ocl-Hashcat Plus cracking software doing the guessing.

The general rule for computer users is to think long and strong: passwords of between 13 and 20 characters, if possible, since every added character multiplies the attacker's search space. Users worried about choosing words that are too "common" can turn to password managers, which are designed to generate and store passwords that are less vulnerable.

3 / 5 (4) Dec 11, 2012
The password is just the first line of defense. Number of errors is the second. Security questions the third.
Care to offer a fourth?
2.7 / 5 (7) Dec 11, 2012
Time between password attempts is also a good defence. For example in my network, 3 false attempts to log in freezes the account for 30 minutes.
1.8 / 5 (4) Dec 12, 2012
As a teacher I can say that freezing an account is a very interesting feature. My account often appeared frozen a minute before class. I wonder who did that...
1 / 5 (2) Dec 12, 2012
Fourth, limit the number of sites you use it. Fifth, change the password often.

Like anyone does that stuff. Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.
not rated yet Dec 12, 2012
Many places don't allow symbols in a password. That makes cracking them much simpler.
not rated yet Dec 12, 2012
Security is based on something you know, something you have, or something you are.

Passwords are only one part of the security puzzle.

If you're concerned about password cracking, then use multi-factor authentication.
not rated yet Dec 12, 2012
"If worried about choosing words that are too "common," users can turn to password management tools, which are designed to help a user create passwords that are less vulnerable."

... so they only have to break your master password and get the rest for free. OTOH I use PW management and it's easier for me to remember one massive secure password than 20 easy/medium ones.
not rated yet Dec 13, 2012
Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.

No, it wouldn't. Identity theft is a problem, but reckless policies like this - of which we already have too many - are more harmful than the crime and don't actually solve the problem.

Potential solutions are to make identity theft impossible (good luck with that), or make it inconsequential (stop linking everything to identity), or make it easier to detect when authentication is compromised and prevent/undo the damages.
