x404.co.uk
http://x404.co.uk/forum/

Update: New 25 GPU Monster Devours Passwords In Seconds
http://x404.co.uk/forum/viewtopic.php?f=3&t=17796
Page 1 of 1

Author:  Amnesia10 [ Wed Dec 05, 2012 3:05 pm ]
Post subject:  Update: New 25 GPU Monster Devours Passwords In Seconds

http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/

Quote:
There needs to be some kind of Moore’s law analog to capture the tremendous advances in the speed of password cracking operations. Just within the last five years, there’s been an explosion in innovation in this ancient art, as researchers have realized that they can harness specialized silicon and cloud based computing pools to quickly and efficiently break passwords.


Gosney’s set-up uses a pool of 25 virtual AMD GPUs to brute force even very strong passwords.

A presentation at the Passwords^12 Conference in Oslo, Norway (slides available here - PDF), has moved the goalposts, again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual OpenCL Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs and communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric.

Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete.

In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

[Note of clarification from Jeremi: "LM Is what is used on Win XP, and LM converts all lowercase chars to uppercase, is at most 14 chars long, and splits the password into two 7 char strings before hashing -- so we only have to crack 69^7 combinations at most for LM. At 20 G/s we can get through that in about 6 minutes. With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours." ]

“Passwords on Windows XP? Not good enough anymore,” Thorsheim said.

Author:  Linux_User [ Wed Dec 05, 2012 4:54 pm ]
Post subject:  Re: Update: New 25 GPU Monster Devours Passwords In Seconds

Two-step authentication for the win. I use Google Authenticator and a Yubikey for extra peace of mind.

Sent from my LT26i using Tapatalk 2

Author:  finlay666 [ Wed Dec 05, 2012 11:18 pm ]
Post subject:  Re: Update: New 25 GPU Monster Devours Passwords In Seconds

2-stage isn't feasible for many systems though, especially for system-to-system communication or API-based access systems.

In order of hashing algorithms which are worth the time to use....

SCrypt -> BCrypt -> SHA (512-256-128-1) -> MD5

SCrypt is better than BCrypt as it is hard limited by memory (both are limited by CPU and increase exponentially in time taken based on the number of passes), so the best benefit of the 25 GPUs (assuming they are a single logical processor per GPU) is parallel processing.

That said, SHA (even salted) is pretty useless now, and has been for some time, against a dictionary/variation combo.
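Putting numbers to both the article's LM/NTLM clarification quoted above and the hashing order in this post, as an added example that is not from the thread or the article: the first two functions reproduce the 69^7 and 95^8 keyspace arithmetic at the quoted rates, and the rest stores a password with scrypt (Python's hashlib; the n=2^14, r=8, p=1 parameters and the 16-byte salt are my assumption) beside the salted SHA-256 scheme the post dismisses, then measures how much more each guess costs.

```python
import hashlib
import hmac
import os
import time

# Keyspace arithmetic from the article's clarification: LM uppercases the input
# and hashes two independent 7-char halves, so an attacker exhausts 69^7
# candidates per half, not 69^14. NTLM hashes the whole password as typed.
LM_CHARSET, NTLM_CHARSET = 69, 95   # after LM uppercase folding / printable ASCII
LM_RATE, NTLM_RATE = 20e9, 348e9    # hashes per second quoted in the thread

def lm_candidates(max_len: int = 14) -> int:
    """Work to crack an LM hash: each 7-char half is attacked on its own."""
    return LM_CHARSET ** min(max_len, 7)

def hours_to_exhaust(candidates: int, rate: float) -> float:
    return candidates / rate / 3600

# Storage schemes: salted SHA-256 (fast, so a cracker keeps its full rate)
# beside scrypt, which burns CPU and ~16 MiB of RAM per guess.
# n/r/p values are an assumption for this example, not from the thread.
SALT_LEN, SCRYPT_N, SCRYPT_R, SCRYPT_P = 16, 2 ** 14, 8, 1

def salted_sha256(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

def scrypt_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, dklen=32)

def store(password: str) -> bytes:
    """Record = random salt || scrypt(password, salt)."""
    salt = os.urandom(SALT_LEN)
    return salt + scrypt_hash(password, salt)

def verify(password: str, record: bytes) -> bool:
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(scrypt_hash(password, salt), digest)

def cost_ratio(samples: int = 200) -> float:
    """How many salted-SHA-256 guesses fit in the time of one scrypt guess."""
    salt = b"constructed-salt"        # fixed salt: we only time the hash
    t0 = time.perf_counter()
    for _ in range(samples):
        salted_sha256("hunter2", salt)
    sha_cost = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(5):
        scrypt_hash("hunter2", salt)
    return (time.perf_counter() - t0) / 5 / sha_cost
```

The keyspace functions give roughly 6 minutes for LM and a little over 5 hours for an 8-character NTLM password at the quoted rates, while the cost ratio shows by what factor a memory-hard hash divides any cracker's raw hashes-per-second figure.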

Author:  ChurchCat [ Thu Dec 06, 2012 12:44 am ]
Post subject:  Re: Update: New 25 GPU Monster Devours Passwords In Seconds

It is true that I am not the brightest of kitties, so am I missing something?

If the "cracking" computer can try 348 billion passwords a second, surely this only helps if the computer being cracked can accept them at this speed.

Will your average PC accept password tries at this rate?


Would a countermeasure of only accepting a password attempt every 20 seconds be a simple solution?


Author:  Amnesia10 [ Thu Dec 06, 2012 3:39 am ]
Post subject:  Re: Update: New 25 GPU Monster Devours Passwords In Seconds

ChurchCat wrote:
Would a countermeasure of only accepting a password attempt every 20 seconds be a simple solution?


It might, but that might only work when you do not have physical access. I suspect that there would also be other workarounds that would bypass that. There would still be other weak links that would enable this method to be used.

Author:  big_D [ Thu Dec 06, 2012 5:32 am ]
Post subject:  Re: Update: New 25 GPU Monster Devours Passwords In Seconds

You would have to have hacked the computer and exported the password database in order to perform such an attack.

Author:  Amnesia10 [ Thu Dec 06, 2012 5:37 am ]
Post subject:  Re: Update: New 25 GPU Monster Devours Passwords In Seconds

It also could work on password protected files which have been copied to the host machine for decryption.

Author:  finlay666 [ Thu Dec 06, 2012 9:57 am ]
Post subject:  Re: Update: New 25 GPU Monster Devours Passwords In Seconds

Linux_User wrote:
Two-step authentication for the win. I use Google Authenticator and a Yubikey for extra peace of mind.

Sent from my LT26i using Tapatalk 2


2 Factor Auth - hacked
http://arstechnica.com/security/2012/12 ... nd-phones/

Author:  Linux_User [ Thu Dec 06, 2012 11:52 am ]
Post subject:  Re: Re: Update: New 25 GPU Monster Devours Passwords In Seconds

finlay666 wrote:
Linux_User wrote:
Two-step authentication for the win. I use Google Authenticator and a Yubikey for extra peace of mind.

Sent from my LT26i using Tapatalk 2


2 Factor Auth - hacked
http://arstechnica.com/security/2012/12 ... nd-phones/

That doesn't affect my Yubikey or my card reader from my bank. My other bank uses telephone calls to authorise payments, not text messages.

Sent from my HTC One X using Tapatalk 2
