New 25 GPU monster devours passwords in seconds

Whenever you sign up for a place that requires a username and a password, you’re often told to put a capital letter, at least one symbol (usually a number) and make it at least six characters in length. Passwords are also put on private networks to prevent unauthorized access. Some of the most common passwords that we use (mostly out of convenience rather than account or network security) include birthdays, names of loved ones, and even simple ones such as “xyz123” and even the word “password” itself. The capital letters, symbols, and character length ensure additional security, but is that really enough to thwart a cyber attack?

Two of the most common ways hackers can obtain your password include sending you deceptive emails with links in them that contain keyloggers (phishing) or brute forcing passwords using programs that use every possible character combination for a number of characters. The brute force method can take quite a bit of computing power due to the extreme loads that the computer is under while it is guessing passwords.

Researcher Jeremi “epixoip” Gosney demonstrated a rig at the Passwords^12 conference in Oslo, Norway that leveraged the Open Computing Language (OpenCL) framework and Virtual OpenCL to run the HashCat password cracking program across a cluster of five 4U servers equipped with 25 AMD Radeon GPUs and communicating at 10 Gbps over Infiniband switched fabric, making even the strongest passwords fall and placing the blame on weak encryption algorithms, such as LAN Manager (LM) and NTLM, which provides a challenge-response authentication mechanism, in which clients are able to prove their identities without sending a password to the server.

The researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and word list (or dictionary) attacks. The word list (or dictionary) method is another form of password cracking where the program checks passwords against a lengthy word list to find a match. “A 14 character Windows XP password hashed using LM, for example, would fall in just six minutes,” said Per Thorsheim, organizer of the Passwords^12 Conference. “Passwords on Windows XP? Not good enough anymore,” Thorsheim added.

LM Is what is used on Win XP, and LM converts all lowercase chars to uppercase, is at most 14 chars long, and splits the password into two 7 char strings before hashing—so we only have to crack 69^7 combinations at most for LM. At 20 Gbps we can get through that in about 6 minutes. With 348 billion NTLM [password hashes] per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours,” said Gosney.

“Tools like Gosney’s GPU cluster aren’t suited for an ‘online’ attack scenario against a live system. Rather, they’re used in ‘offline’ attacks against collections of leaked or stolen passwords that were stored in encrypted form,” Thorsheim said. “In that situation, attackers aren’t limited to a set number of password attempts—hardware and software limitations are all that matter.”

In light of this information, everyone should take the necessary precautions to ensure the security of your network or any accounts you use—change your passwords often, and make them hard for anyone but you to guess. Some network security experts even advise that you write your passwords down on a piece of paper—hackers still can’t hack into those.