25-GPU cluster cracks every standard Windows password in <6 hours

[Farstrider]

A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.

The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 95⁸ combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft's LM algorithm?which many organizations enable for compatibility with older Windows versions?will fall in just six minutes.

The Linux-based GPU cluster runs the Virtual OpenCL cluster platform, which allows the graphics cards to function as if they were running on a single desktop computer. ocl-Hashcat Plus, a freely available password-cracking suite optimized for GPU computing, runs on top, allowing the machine to tackle at least 44 other algorithms at near-unprecedented speeds. In addition to brute-force attacks, the cluster can bring that speed to cracks that use a variety of other techniques, including dictionary attacks containing millions of words.

"What this cluster means is, we can do all the things we normally would with Hashcat, just at a greatly accelerated rate," Jeremi Gosney, the founder and CEO of Stricture Consulting Group, wrote in an e-mail to Ars. "We can attack hashes approximately four times faster than we could previously."

Gosney unveiled the machine last week at the Passwords^12 conference in Oslo, Norway. He previously used a computer equipped with four AMD Radeon HD6990 graphics cards that could make about 88 billion guesses per second against NTLM hashes. As Ars previously reported in a feature headlined "Why passwords have never been weaker?and crackers have never been stronger," Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn. In addition to the power of his hardware, his attack was aided by a 500 million-strong word list and a variety of advanced programming rules.

Using the new cluster, the same attack would moved about four times faster. That's because the machine is able to make about 63 billion guesses against SHA1, the algorithm used to hash the LinkedIn passwords, versus the 15.5 billion guesses his previous hardware was capable of. The cluster can try 180 billion combinations per second against the widely used MD5 algorithm, which is also about a four-fold improvement over his older system.

The speeds apply to so-called offline cracks, in which password lists are retrieved by hackers who exploit vulnerabilities on website or network servers. The passwords are typically stored using one-way cryptographic hash functions, which generate a unique string of characters for each unique string of plaintext. In theory, hashes can't be mathematically reversed. The only way to crack them is to run guesses through the same cryptographic function. When the output of a particular guess matches a hash in a compromised list, the corresponding password has been cracked.

The technique doesn't apply to online attacks, because, among other reasons, most websites limit the number of guesses that can be made for a given account.

The advent of GPU computing over the past decade has contributed to huge boosts in offline password cracking. But until now, limitations imposed by computer motherboards, BIOS systems, and ultimately software drivers limited the number of graphics cards running on a single computer to eight. Gosney's breakthrough is the result of using VCL virtualization, which spreads larger numbers of cards onto a cluster of machines while maintaining the ability for them to function as if they're on a single computer.

Source: ARS technica

Welcome to Radeon City, population: 8. It's one of five servers that make up a high-performance password-cracking cluster.

[Jason S. Global Moderator]

seems to me that people should be using more than 8 characters these days, but i know better. people love their simple P455w0rd5, and letmein's

impressive stuff, of course, but i dont think it's very scary for businesses. a cracker/hacker would need to gain access to the domain first. if they can, the business has much bigger problems...

[Ambroos]

A Windows password doesn't exactly keep your things secure :p I use that as a security against classmates posting messages to my Facebook or my mom using my Windows account. For anything else you should really be using proper file-level encryption with a secure and long password.

[Argi]

Story is misleading - this is an offline hack and 8 character passwords aren't really considered secure to begin with.

[redvamp128]

Now that is scary.... but

(just kidding)

The question is how much heat and power is the machine using???

I personally have seen 20 monitors with 10 cards each dual display. This takes the cake...