Amnesia10
Legend
Joined: Fri Apr 24, 2009 2:02 am Posts: 29240 Location: Guantanamo Bay (thanks bobbdobbs)

http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/
Quote: There needs to be some kind of Moore’s law analog to capture the tremendous advances in the speed of password cracking operations. Just within the last five years, there’s been an explosion in innovation in this ancient art, as researchers have realized that they can harness specialized silicon and cloud based computing pools to quickly and efficiently break passwords.
Gosney’s set-up uses a pool of 25 virtual AMD GPUs to brute force even very strong passwords.
A presentation at the Passwords^12 Conference in Oslo, Norway (slides available here - PDF), has moved the goalposts, again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual OpenCL Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs and communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric.
Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete.
In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.
[Note of clarification from Jeremi: "LM Is what is used on Win XP, and LM converts all lowercase chars to uppercase, is at most 14 chars long, and splits the password into two 7 char strings before hashing -- so we only have to crack 69^7 combinations at most for LM. At 20 G/s we can get through that in about 6 minutes. With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours." ]
“Passwords on Windows XP? Not good enough anymore,” Thorsheim said.
_________________Do concentrate, 007... "You are gifted. Mine is bordering on seven seconds." https://www.dropbox.com/referrals/NTg5MzczNTk http://astore.amazon.co.uk/wwwx404couk-21
Wed Dec 05, 2012 3:05 pm
Linux_User
I haven't seen my friends in so long
Joined: Tue May 05, 2009 3:29 pm Posts: 7173
Two-step authentication for the win. I use Google Authenticator and a Yubikey for extra peace of mind.
Sent from my LT26i using Tapatalk 2
Wed Dec 05, 2012 4:54 pm
finlay666
Spends far too much time on here
Joined: Thu Apr 23, 2009 9:40 pm Posts: 4876 Location: Newcastle
2 Stage isn't feasible for many systems though, especially for system-to-system communication or API-based access systems.
In order of hashing algorithms which are worth the time to use....
SCrypt -> BCrypt -> SHA (512-256-128-1) -> MD5
SCrypt is better than BCrypt as it is hard-limited by memory (both are limited by CPU and increase exponentially in time taken based on the number of passes), so the best benefit of the 25 GPUs (assuming they are a single logical processor per GPU) is parallel processing.
That said SHA (even salted) is pretty useless now and has been for some time against a dictionary/variation combo
_________________Twitter | Charlie Brooker: Macs are glorified Fisher-Price activity centres for adults; computers for scaredy cats too nervous to learn how proper computers work; computers for people who earnestly believe in feng shui.
Wed Dec 05, 2012 11:18 pm
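The keyspace arithmetic behind Gosney's figures in the quoted article (69^7 for LM at 20 G/s, 95^8 for NTLM at 348 G/s), plus a local measurement of how a tunable, memory-hard KDF such as the scrypt finlay666 ranks first slows down each guess. This is an added example, not code from the article, the conference talk or any poster; the guess rates are the article's, the password and salt are constructed, and the scrypt benchmark assumes one hash equals one guess on a single CPU core.

```python
import hashlib
import os
import time

# Throughput figures quoted in the article above (Gosney's 25-GPU cluster).
LM_RATE_PER_S = 20e9      # ~20 G LM hashes/s
NTLM_RATE_PER_S = 348e9   # 348 billion NTLM hashes/s


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a password of exactly `length` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate_per_s: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(charset_size, length) / rate_per_s


def lm_worst_case_seconds() -> float:
    # LM uppercases the password and hashes two independent 7-char halves,
    # so the attacker only ever faces a 69^7 keyspace per half.
    return seconds_to_exhaust(69, 7, LM_RATE_PER_S)


def ntlm_8char_seconds() -> float:
    # NTLM keeps case, so the full 95-symbol printable alphabet applies.
    return seconds_to_exhaust(95, 8, NTLM_RATE_PER_S)


def scrypt_guesses_per_second(n: int, samples: int = 3) -> float:
    """Single-core guess rate for scrypt at cost parameter n (local benchmark).

    Assumption: one scrypt evaluation is one guess. The salt and password
    are constructed here and do not come from any real system.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.scrypt(b"constructed-password", salt=salt, n=n, r=8, p=1, dklen=32)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    print(f"LM   (69^7 @ 20 G/s):  {lm_worst_case_seconds() / 60:.1f} minutes")
    print(f"NTLM (95^8 @ 348 G/s): {ntlm_8char_seconds() / 3600:.1f} hours")
    for n in (2**10, 2**14):  # raising n by 16x costs the attacker ~16x per guess
        print(f"scrypt n={n}: ~{scrypt_guesses_per_second(n):.0f} guesses/s on one core")
```

The LM figure comes out at roughly six minutes and the NTLM figure at a little over five hours, matching the numbers Gosney gave; the scrypt rates show why a per-guess cost the defender can tune matters far more than raw hash speed.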
ChurchCat
Doesn't have much of a life
Joined: Sat Apr 25, 2009 7:57 am Posts: 1652
It is true that I am not the brightest of kitties, so am I missing something? If the "cracking" computer can try 348 billion passwords a second, surely this only helps if the computer being cracked can accept them at this speed. Will your average PC accept password tries at this rate? Would a countermeasure of only accepting a password attempt every 20 seconds be a simple solution?
_________________A Mac user 
Thu Dec 06, 2012 12:44 am
Amnesia10
Legend
Joined: Fri Apr 24, 2009 2:02 am Posts: 29240 Location: Guantanamo Bay (thanks bobbdobbs)
It might, but that might only work when you do not have physical access. I suspect that there would also be other workarounds that would bypass that. There would still be other weak links that would enable this method to be used.
_________________Do concentrate, 007... "You are gifted. Mine is bordering on seven seconds." https://www.dropbox.com/referrals/NTg5MzczNTk http://astore.amazon.co.uk/wwwx404couk-21
Thu Dec 06, 2012 3:39 am
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
You would have to have hacked the computer and exported the password database in order to perform such an attack.
_________________ "Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari
Executive Producer No Agenda Show 246
Thu Dec 06, 2012 5:32 am
Amnesia10
Legend
Joined: Fri Apr 24, 2009 2:02 am Posts: 29240 Location: Guantanamo Bay (thanks bobbdobbs)
It also could work on password protected files which have been copied to the host machine for decryption.
_________________Do concentrate, 007... "You are gifted. Mine is bordering on seven seconds." https://www.dropbox.com/referrals/NTg5MzczNTk http://astore.amazon.co.uk/wwwx404couk-21
Thu Dec 06, 2012 5:37 am
finlay666
Spends far too much time on here
Joined: Thu Apr 23, 2009 9:40 pm Posts: 4876 Location: Newcastle
_________________Twitter | Charlie Brooker: Macs are glorified Fisher-Price activity centres for adults; computers for scaredy cats too nervous to learn how proper computers work; computers for people who earnestly believe in feng shui.
Thu Dec 06, 2012 9:57 am
Linux_User
I haven't seen my friends in so long
Joined: Tue May 05, 2009 3:29 pm Posts: 7173
That doesn't affect my Yubikey or my card reader from my bank. My other bank uses telephone calls to authorise payments, not text messages. Sent from my HTC One X using Tapatalk 2
Thu Dec 06, 2012 11:52 am