Password-cracking feats at blistering speed shown in Oslo

Dec 11, 2012 by Nancy Owano weblog

(Phys.org)—Remember when the running advice for password setup was to avoid using your name backwards? My how we have smelled the coffee. A new rig-and-burn presentation for an audience of academics and security professionals at the Passwords^12 Conference in Oslo, Norway, earlier this month, demonstrated that password-cracking is an easy game with crippling amounts of password theft capable of happening at crippling speed.

Researcher Jeremi Gosney, the founder and CEO of Stricture Consulting Group, was the thinker behind the hardware and software setup that could make 350 billion guesses per second. The result was that eight-character could fall in hours; some passwords could be had in minutes. The deployment that was capable of 350 billion guesses per second was a five- cluster with 25 AMD Radeon and virtualization software. The password-penetrating design was able to unleash unexpected speed, ripping through Windows passcodes. Security Ledger runs a detailed account of the rig's specs and results. According to reports, his approach was enough to brute force eight-character passwords containing upper- and lower-case letters, digits, and symbols, in just hours.

The brute forcing algorithms went to work at speeds that are remarkable. He showed that with the right improved software and powerful hardware, such attacks are quite feasible. His setup is only relevant toward offline attacks, where the thief has already retrieved a password database or file. The cluster that he used would not be relevant to online attacks against a live system. His scenario applies to exploits involving collections of leaked or stolen passwords.

Gosney's success, however, in ripping through eight character passwords will only make security professionals that much more aware of what they already know, that older algorithms and shorter length passwords are vulnerable to attacks. System breaches leading to substantial password leaks have been part of news headlines for some time. Gosney said in an email to Ars Technica that "We can attack hashes approximately four times faster than we could previously." Gosney has been working on clustering approaches for the last four or five years.

The GPU cluster in his recent presentation uses a cluster platform to let each card function as if on a single desktop plus ocl-Hashcat Plus.

The general rule for computer users is to think about long and strong passwords, between 13 and 20 characters, if possible. If worried about choosing words that are too "common," users can turn to password management tools, which are designed to help a user create passwords that are less vulnerable.

Explore further: US Congress decriminalizes cellphone unlocking

More information: passwords12.at.ifi.uio.no/Jere… _HPC_Passwords12.pdf
securityledger.com/new-25-gpu-… asswords-in-seconds/
www.overclockersclub.com/news/33354/

Related Stories

Are you any good at creating passwords?

Jan 30, 2010

There's an interesting little study that's been done by security firm Imperva, which analyzed some 32 million passwords posted online in December by some enterprising hacker.

Online passwords are insecure: study

Apr 03, 2012

Online passwords are so insecure that one per cent can be cracked within 10 guesses, according to the largest ever sample analysis.

Recommended for you

Scalping can raise ticket prices

Jul 25, 2014

Scalping gets a bad rap. For years, artists and concert promoters have stigmatized ticket resale as a practice that unfairly hurts their own sales and forces fans to pay exorbitant prices for tickets to sold-out concerts. ...

Study shows role of media in sharing life events

Jul 24, 2014

To share is human. And the means to share personal news—good and bad—have exploded over the last decade, particularly social media and texting. But until now, all research about what is known as "social sharing," or the ...

User comments : 8

Adjust slider to filter visible comments by rank

Display comments: newest first

rwinners
3 / 5 (4) Dec 11, 2012
The password is just the first line of defense. Number of errors is the second. Security questions the third.
Care to offer a fourth?
verkle
2.7 / 5 (7) Dec 11, 2012
Time between password attempts is also a good defence. For example in my network, 3 false attempts to log in freezes the account for 30 minutes.
Expiorer
1.8 / 5 (4) Dec 12, 2012
As a teacher I can say that freezing account is a very interesting feature. My account appeared frozen often a minute before class. I wonder who did that...
Moebius
1 / 5 (2) Dec 12, 2012
Fourth, limit the number of sites you use it. Fifth, change the password often.

Like anyone does that stuff. Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.
dschlink
not rated yet Dec 12, 2012
Many places don't allow symbols in a password. That makes cracking them much simpler.
Drewdad
not rated yet Dec 12, 2012
Security is based on something you know, something you have, or something you are.

Passwords are only one part of the security puzzle.

If you're concerned about password cracking, then use multi-factor authentication.
LagomorphZero
not rated yet Dec 12, 2012
"If worried about choosing words that are too "common," users can turn to password management tools, which are designed to help a user create passwords that are less vulnerable."

.. so they only have to break your master password and get the rest for free. OTOH I use PW management and its easier for me to remember one massive secure password than 20 easy/medium ones.
Meyer
not rated yet Dec 13, 2012
Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.

No, it wouldn't. Identity theft is a problem, but reckless policies like this - of which we already have too many - are more harmful than the crime and don't actually solve the problem.

Potential solutions are to make identity theft impossible (good luck with that), or make it inconsequential (stop linking everything to identity), or make it easier to detect when authentication is compromised and prevent/undo the damages.