December 11, 2012
Multiple-GPU Computer Hacks Any Windows Password In Under Six Hours
Michael Harper for redOrbit.com — Your Universe Online
For the most part, cracking a password is easy. To un-hash a hashed password, hackers and security experts mostly fall back on simple trial and error. If one combination didn´t work, then another combination will. This sounds incredibly tedious, of course, so those trying to unlock these passwords hand the job over to computers which are capable of making guess after guess after guess, millions of them, for hours at a time. These computers can churn on this data for days if need be until they find the right combination.
Earlier this week, one password expert unveiled a new computer which uses the strong muscle of multiple GPUs to burn through password data at blazing speed. With the power of 25 AMD Radeon GPUs, Jeremi Gosney´s Linux-based machine can cycle through as many as 350 billion password guesses every second. This machine is so fast, it can try every possible Windows password in less than 6 hours.
According to Ars Technica, Gosney´s machine matches the brute force strength of 25 GPUs with a piece of software called ocl-Hashcat Plus. This piece of software runs on Linux, is optimized for GPU-based computing, and allows the machine to utilize 44 password-cracking algorithms at once. The GPU cluster also runs on the Virtual OpenCL cluster platform, which allows each of these GPUs to operate as if they were running on one desktop computer.
This cluster is also aided by a vast dictionary of words often used in passwords and is guided by many different programming rules. In other words, the machine is capable of overcoming nearly any attempt to fool it or create a 100% iron-clad password.
Put together, these elements allow the machine to not only rip through hashed passwords, it is also capable of brute-force attacks, trying millions of passwords containing lower and uppercase letters, digits and symbols, all at once.
"What this cluster means is, we can do all the things we normally would with Hashcat, just at a greatly accelerated rate," explained Gosney in an interview with Ars Technica. "We can attack hashes approximately four times faster than we could previously."
Gosney chose the Passwords^12 conference in Oslo, Norway to unveil his new machine, though this isn´t the first GPU cluster he´s created to crack passwords.
Previously, Gosney created a computer with 4 AMD Radeon graphics cards which was capable of churning through 88 billion guesses each second. He then used this machine to crack most of the 6.5 million LinkedIn passwords leaked this summer.
Gosney says his new cluster would be able to do the same four times faster than the previous machine. While the 4 GPU machine was capable of making 15.5 billion guesses per second against the SHA1 encryption used to “salt” the LinkedIn passwords, the new machine can handle 63 billion guess per second.
Gosney´s new machine is an unbridled beast of a machine, but it does its best work offline. For a myriad of reasons, these passwords can´t be tried and tried again at the Web site level. Instead, this machine does its best work when in a situation similar to this year´s LinkedIn breach. Hackers found these hashed passwords and released them into the Internet in large files. Gosney downloaded these files and set his machine to work, unlocking each of the codes.
This machine is proof that weak passwords are becoming even easier to crack. Therefore, it is imperative that all users take a few minutes to review their security settings, create new and secure passwords for every account they hold (banking sites, social media, etc) and create backups of important data. Remember, when creating new passwords, stay away from sequential numbers, such as 1,2,3,4 or using common words or phrases, such as “Password,” or “Sex."