Password-cracking feats at blistering speed shown in Oslo

Dec 11, 2012 by Nancy Owano weblog

(Phys.org)—Remember when the running advice for password setup was to avoid using your name backwards? My how we have smelled the coffee. A new rig-and-burn presentation for an audience of academics and security professionals at the Passwords^12 Conference in Oslo, Norway, earlier this month, demonstrated that password cracking is an easy game, with passwords recoverable in crippling numbers and at crippling speed.

Researcher Jeremi Gosney, the founder and CEO of Stricture Consulting Group, was the thinker behind the hardware and software setup that could make 350 billion guesses per second. The result was that eight-character passwords could fall in hours; some passwords could be had in minutes. The deployment capable of 350 billion guesses per second was a five-server cluster with 25 AMD Radeon GPUs and virtualization software. The password-penetrating design unleashed unexpected speed, ripping through Windows passcodes. Security Ledger runs a detailed account of the rig's specs and results. According to reports, his approach was enough to brute force eight-character passwords containing upper- and lower-case letters, digits, and symbols in just hours.

The brute-forcing algorithms went to work at remarkable speeds. He showed that with the right improved software and powerful hardware, such attacks are quite feasible. His setup is only relevant to offline attacks, where the thief has already retrieved a password database or file of hashes. The cluster he used would not be relevant to online attacks against a live system, where each guess has to pass through the login interface. His scenario applies to exploits involving collections of leaked or stolen password hashes.

Gosney's success in ripping through eight-character passwords will, however, only make security professionals that much more aware of what they already know: that older hashing algorithms and shorter passwords are vulnerable to attack. System breaches leading to substantial password leaks have been part of news headlines for some time. Gosney said in an email to Ars Technica that "We can attack hashes approximately four times faster than we could previously." Gosney has been working on clustering approaches for the last four or five years.

The GPU cluster in his recent presentation uses a cluster platform that lets each card function as if it were installed in a single desktop, running oclHashcat-plus on top of it.

The general rule for computer users is to choose long and strong passwords, between 13 and 20 characters if possible. Users worried about choosing words that are too "common" can turn to password management tools, which are designed to help create passwords that are less vulnerable.
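To put the figures in this article side by side (350 billion guesses per second, eight characters falling in hours, the 13-to-20-character advice), here is an added worked calculation that is not part of the original article or of Gosney's presentation. It computes the worst-case time to exhaust a keyspace at that rate, and then shows what happens to the same eight-character search when the stored hash is a deliberately slow, iterated one instead of a single-pass hash. The 95-character alphabet, the PBKDF2 iteration count and the assumption that cost scales linearly with iterations are mine, not the article's.

```python
import hashlib
import time

# Rate reported for the 25-GPU cluster in the article (guesses per second against a fast hash).
GUESSES_PER_SECOND = 350e9

SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes. Assumption: 95 = the printable ASCII characters on a US keyboard
# (upper- and lower-case letters, digits and 33 symbols), matching the mix in the article.
ALPHABETS = {"lowercase": 26, "alnum": 62, "printable": 95}


def keyspace(alphabet_size, length):
    """Number of distinct candidates of exactly `length` characters."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND, work_factor=1):
    """Worst-case seconds to try every candidate of `length` characters.

    `work_factor` is how many fast-hash evaluations one guess costs: 1 for a
    single-pass hash, roughly N for PBKDF2 with N iterations (assumption: the
    cost grows linearly with the iteration count, a simplification).
    """
    return keyspace(alphabet_size, length) * work_factor / rate


def human(seconds):
    """Render a duration in the largest unit that gives a value of at least 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def measured_work_factor(iterations=100_000, password=b"constructed-sample"):
    """Time one PBKDF2-HMAC-SHA256 derivation against one raw SHA-256 on this CPU.

    Returns the ratio (at least 1). It is only a rough proxy for how much an
    iterated hash raises the per-guess cost; GPU numbers differ, but the
    direction is the same.
    """
    salt = b"\x00" * 16  # a fixed salt is fine here: only the derivation time is measured
    t0 = time.perf_counter()
    for _ in range(1000):
        hashlib.sha256(password).digest()
    fast = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    slow = time.perf_counter() - t0
    return max(slow / fast, 1.0)


if __name__ == "__main__":
    print(f"Rate: {GUESSES_PER_SECOND:.0e} guesses/s against a single-pass hash\n")
    for name, size in ALPHABETS.items():
        for length in (8, 13, 20):
            print(f"{name:>9} x{length:2d}: {human(exhaust_seconds(size, length))}")
    print("\nSame 8-character printable password, stored with PBKDF2 at 100,000 iterations:")
    print(human(exhaust_seconds(95, 8, work_factor=100_000)))
    print(f"\nMeasured PBKDF2 / SHA-256 cost ratio on this CPU: {measured_work_factor():,.0f}x")
```

The eight-character printable case comes out at about 5.3 hours, which is the "hours" in the article; thirteen characters from the same alphabet pushes the worst case into the millions of years at the same rate, which is why the length advice matters more than any single symbol. The PBKDF2 row makes the other half of the point: the choice of hash function on the server side changes the attacker's budget by the same factor as adding several characters, without the user doing anything.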


More information: passwords12.at.ifi.uio.no/Jeremi_Gosney_Password_Cracking_HPC_Passwords12.pdf
securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/
www.overclockersclub.com/news/33354/


User comments : 8

rwinners
3 / 5 (4) Dec 11, 2012
The password is just the first line of defense. Number of errors is the second. Security questions the third.
Care to offer a fourth?
verkle
2.7 / 5 (7) Dec 11, 2012
Time between password attempts is also a good defence. For example in my network, 3 false attempts to log in freezes the account for 30 minutes.
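The lockout rule in the comment above (three failed attempts, account frozen for 30 minutes) is the kind of online-side control that the cluster in the article cannot touch. The following is an added example of one way to implement it, not code from the commenter or from any product; the 30-minute counting window, the in-memory store and the injectable clock are my assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3          # failures before the freeze (from the comment)
FREEZE_SECONDS = 30 * 60  # freeze duration (from the comment)
WINDOW_SECONDS = 30 * 60  # assumption: failures older than this no longer count


class LoginThrottle:
    """Per-account failed-attempt counter with a freeze period.

    Assumption: single process. A real deployment keeps this state in a shared
    store so that every login frontend sees the same counts.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)  # account -> timestamps of recent failures
        self.frozen_until = {}             # account -> clock value when the freeze ends

    def is_frozen(self, account):
        until = self.frozen_until.get(account)
        return until is not None and self.clock() < until

    def attempt(self, account, password_ok):
        """Record one login attempt and return (allowed, reason).

        A correct password is refused while the account is frozen, so guessing
        during the freeze reveals nothing about whether a guess was right.
        """
        now = self.clock()
        if self.is_frozen(account):
            return False, "frozen"
        if password_ok:
            # Success clears the failure history for this account.
            self.failures.pop(account, None)
            self.frozen_until.pop(account, None)
            return True, "ok"
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.frozen_until[account] = now + FREEZE_SECONDS
            self.failures.pop(account, None)
            return False, "frozen"
        return False, "bad_password"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for ok in (False, False, False, True):
        print(throttle.attempt("alice", ok))  # third failure freezes; the correct password is then refused
```

One design point worth noting from the defender's side: a fixed freeze triggered by the username alone lets anyone who knows the username lock its owner out, so many systems pair a short freeze with progressively longer delays or with notification to the account holder rather than a hard 30-minute stop.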
Expiorer
1.8 / 5 (4) Dec 12, 2012
As a teacher I can say that freezing an account is a very interesting feature. My account often appeared frozen a minute before class. I wonder who did that...
Moebius
1 / 5 (2) Dec 12, 2012
Fourth, limit the number of sites you use it. Fifth, change the password often.

Like anyone does that stuff. Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.
dschlink
not rated yet Dec 12, 2012
Many places don't allow symbols in a password. That makes cracking them much simpler.
Drewdad
not rated yet Dec 12, 2012
Security is based on something you know, something you have, or something you are.

Passwords are only one part of the security puzzle.

If you're concerned about password cracking, then use multi-factor authentication.
LagomorphZero
not rated yet Dec 12, 2012
"If worried about choosing words that are too "common," users can turn to password management tools, which are designed to help a user create passwords that are less vulnerable."

... so they only have to break your master password and get the rest for free. OTOH I use PW management and it's easier for me to remember one massive secure password than 20 easy/medium ones.
Meyer
not rated yet Dec 13, 2012
Personally I'm for the death penalty for identity thieves but I would settle for life without parole. A few of those and identity theft would stop.

No, it wouldn't. Identity theft is a problem, but reckless policies like this - of which we already have too many - are more harmful than the crime and don't actually solve the problem.

Potential solutions are to make identity theft impossible (good luck with that), or make it inconsequential (stop linking everything to identity), or make it easier to detect when authentication is compromised and prevent/undo the damages.
