Password-cracking feats at blistering speed shown in Oslo

Dec 11, 2012 by Nancy Owano weblog

(Phys.org)—Remember when the running advice for password setup was to avoid using your name backwards? My how we have smelled the coffee. A new rig-and-burn presentation for an audience of academics and security professionals at the Passwords^12 Conference in Oslo, Norway, earlier this month, demonstrated that password-cracking is an easy game: enormous numbers of passwords can be recovered at crippling speed.

Researcher Jeremi Gosney, the founder and CEO of Stricture Consulting Group, was the thinker behind the hardware and software setup that could make 350 billion guesses per second. At that rate, eight-character passwords could fall in hours, and some passwords could be had in minutes. The deployment was a five-server cluster with 25 AMD Radeon GPUs and virtualization software. The password-penetrating design was able to unleash unexpected speed, ripping through Windows passcodes. Security Ledger runs a detailed account of the rig's specs and results. According to reports, his approach was enough to brute force eight-character passwords containing upper- and lower-case letters, digits, and symbols in just hours.

The brute-forcing algorithms went to work at remarkable speeds. He showed that with the right software improvements and powerful hardware, such attacks are quite feasible. His setup is only relevant to offline attacks, where the thief has already retrieved a password database or file of hashes. The cluster he used would not be relevant to online attacks against a live system, which can throttle or block repeated guesses. His scenario applies to collections of leaked or stolen password hashes.

Gosney's success in ripping through eight-character passwords will, however, only make security professionals that much more aware of what they already know: that older hashing algorithms and shorter passwords are vulnerable to attack. System breaches leading to substantial password leaks have been part of news headlines for some time. Gosney said in an email to Ars Technica that "We can attack hashes approximately four times faster than we could previously." Gosney has been working on clustering approaches for the last four or five years.

The GPU cluster in his recent presentation uses a virtualization cluster platform that lets all of the cards function as if they were installed in a single desktop, with ocl-Hashcat Plus running on top of it.

The general rule for computer users is to think about long and strong passwords, between 13 and 20 characters, if possible. If worried about choosing words that are too "common," users can turn to password management tools, which are designed to help a user create passwords that are less vulnerable.
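To put the article's numbers side by side, the following added example (not code from the talk or from any of the tools it mentions) computes how long an exhaustive search takes at the quoted 350 billion guesses per second for several alphabet sizes and lengths, and the smallest length whose keyspace outlasts a century at that rate. The alphabet sizes and the century target are assumptions chosen for illustration.

```python
"""Exhaustive-search time estimates at the 350 billion guesses/s rate quoted
for the 25-GPU cluster (added illustration, not code from the talk)."""

GUESSES_PER_SECOND = 350e9           # rate reported in the article
SECONDS_PER_YEAR = 365.25 * 86400

# Alphabet sizes used below (assumed character classes)
LOWER = 26                            # a-z
ALNUM = 62                            # a-z, A-Z, 0-9
PRINTABLE = 95                        # upper, lower, digits and symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct candidates of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; the average hit is half this."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def min_length_for(alphabet_size: int, target_seconds: float,
                   rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace outlasts `target_seconds` at `rate`."""
    needed = rate * target_seconds
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    for length in range(8, 21, 2):
        row = [human_duration(seconds_to_exhaust(a, length))
               for a in (LOWER, ALNUM, PRINTABLE)]
        print(f"{length:2d} chars: lower {row[0]:>16}  alnum {row[1]:>16}  printable {row[2]:>16}")
    for a, name in ((LOWER, "lowercase"), (PRINTABLE, "printable")):
        print(f"{name}: {min_length_for(a, 100 * SECONDS_PER_YEAR)} chars to outlast a century")
```

The eight-character printable case comes out at roughly five hours, matching the "just hours" figure above, while the century threshold lands inside the 13-to-20 range for a lowercase-only alphabet and below it for the full printable set.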


More information: passwords12.at.ifi.uio.no/Jeremi_Gosney_Password_Cracking_HPC_Passwords12.pdf
securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/
www.overclockersclub.com/news/33354/


User comments : 8


rwinners
3 / 5 (4) Dec 11, 2012
The password is just the first line of defense. Number of errors is the second. Security questions the third.
Care to offer a fourth?
verkle
2.7 / 5 (7) Dec 11, 2012
Time between password attempts is also a good defence. For example in my network, 3 false attempts to log in freezes the account for 30 minutes.
Expiorer
1.8 / 5 (4) Dec 12, 2012
As a teacher I can say that freezing account is a very interesting feature. My account appeared frozen often a minute before class. I wonder who did that...
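A minimal version of the lockout policy verkle describes (three failed attempts freeze the account for 30 minutes), written here as an added illustration rather than anyone's actual system; the demo also reproduces the side effect Expiorer reports: while the freeze is active the real owner is refused even with the correct password, so anyone who knows a username can lock it. The user names and timestamps are constructed, and the password check itself is assumed to happen before the policy is consulted.

```python
"""Per-account lockout: N failed logins freeze the account for a fixed window.
Added illustration of the policy discussed in the comments, not production code."""
from dataclasses import dataclass, field

LOCKED, DENIED, OK = "locked", "denied", "ok"


@dataclass
class AccountLockout:
    max_failures: int = 3               # failures before the freeze (verkle's figure)
    freeze_seconds: int = 30 * 60       # length of the freeze (verkle's figure)
    _failures: dict = field(default_factory=dict)      # user -> consecutive failures
    _frozen_until: dict = field(default_factory=dict)  # user -> unix time freeze ends

    def is_frozen(self, user: str, now: float) -> bool:
        return now < self._frozen_until.get(user, 0)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt at time `now` (seconds) and return its outcome.
        `password_ok` is the result of the caller's own credential check."""
        if self.is_frozen(user, now):
            return LOCKED               # refused regardless of password_ok
        if password_ok:
            self._failures.pop(user, None)
            return OK
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._frozen_until[user] = now + self.freeze_seconds
            self._failures.pop(user, None)
            return LOCKED
        return DENIED


def demo() -> list:
    """Constructed sequence: three wrong guesses, then the owner's correct one."""
    policy = AccountLockout()
    outcomes = [policy.attempt("alice", False, t) for t in (0, 1, 2)]
    outcomes.append(policy.attempt("alice", True, 60))          # owner, still frozen
    outcomes.append(policy.attempt("alice", True, 2 + 30 * 60))  # freeze has expired
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The fourth outcome is the denial-of-service property: the freeze is keyed on the username alone, so three deliberate failures from anyone keep the legitimate user out for the full window.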
Moebius
1 / 5 (2) Dec 12, 2012
Fourth, limit the number of sites you use it on. Fifth, change the password often.

Like anyone does that stuff. Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.
dschlink
not rated yet Dec 12, 2012
Many places don't allow symbols in a password. That makes cracking them much simpler.
Drewdad
not rated yet Dec 12, 2012
Security is based on something you know, something you have, or something you are.

Passwords are only one part of the security puzzle.

If you're concerned about password cracking, then use multi-factor authentication.
LagomorphZero
not rated yet Dec 12, 2012
"If worried about choosing words that are too "common," users can turn to password management tools, which are designed to help a user create passwords that are less vulnerable."

... so they only have to break your master password and get the rest for free. OTOH I use PW management and it's easier for me to remember one massive secure password than 20 easy/medium ones.
Meyer
not rated yet Dec 13, 2012
Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.

No, it wouldn't. Identity theft is a problem, but reckless policies like this - of which we already have too many - are more harmful than the crime and don't actually solve the problem.

Potential solutions are to make identity theft impossible (good luck with that), or make it inconsequential (stop linking everything to identity), or make it easier to detect when authentication is compromised and prevent/undo the damages.
