Password-cracking chip causes security concerns

A technique for cracking computer passwords using inexpensive off-the-shelf computer graphics hardware is causing a stir in the computer security community.

Elcomsoft, a software company based in Moscow, Russia, has filed a US patent for the technique. It takes advantage of the "massively parallel processing" capabilities of a graphics processing unit (GPU) - the processor normally used to produce realistic graphics for video games.

Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, Elcomsoft increased the speed of its password cracking by a factor of 25, according to the company's CEO, Vladimir Katalov.

The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous computer processing time to crack using a computer's central processing unit (CPU). By harnessing a $150 GPU - less powerful than the nVidia 8800 card - Elcomsoft says they can cracked in just three to five days. Less complex passwords can be retrieved in minutes, rather than hours or days.

It is the way a GPU processes data that provides the speed increase. NVidia spokesman Andrew Humber describes the process using the analogy of searching for words in a book. "A [normal computer processor] would read the book, starting at page 1 and finishing at page 500," he says. "A GPU would take the book, tear it into a 100,000 pieces, and read all of those pieces at the same time."

Benjamin Jun, of Cryptography Research based in San Francisco, US, says massively parallel processing is ideally suited to the task of breaking passwords. And, while concerned about the development, Jun also pays tribute to the achievement: "A number of us have been following advances in those platforms, and there's a lot of elegant, intelligent design."

Password cracking can be used to unlock data on a computer, but will not usually work on a banking or commercial website. This is because is takes too long to run through multiple passwords, and because a site will normally block a user after several failed attempts.

Jun adds that the trend towards encrypting whole hard drives with increasingly long cryptographic keys still means it is becoming more difficult to access sensitive data. "Should I throw away my web server and run for the hills?" he says. "I don't think so."

NVidia released a software development kit for its graphics hardware in February 2007. Known as CUDA, the kit lets programmers access the computing power of the GPU directly. It has gained a following among those with a need for high-performance computing, particularly in fields such as science and engineering.

"[CUDA] is a huge thing for the oil and gas industry, for the financial sector, and for scientists," Humber says. He adds that CUDA is also be being used by a company called Evolved Machines to simulate the way the human brain wires itself.

Elcomsoft says it took three months to develop code to take advantage of a GPU, and the company plans to introduce the feature into some of its password cracking products over time.

News source: New Scientist

Report a problem with article
Previous Story

Legal loophole allows Manhunt 2 to be sold in UK

Next Story

Microsoft update brings PCs to a standstill

38 Comments

Commenting is disabled on this article.

Please forgive my ignorance here, but I think the fact that it has taken so long for 64Bit computing to get off the ground, means that such a huge change in architecture i.e. CPU to GPU, shows that it will not be happening any time soon, in personal computing.

I personally use serial numbers or UPC codes, anything of that nature. While that stuff is available online, I think it is random enough. No one knows if it is the serial code of my electric toothbrush, toaster, jet ski, AV receiver, computer, charger...etc

SHADOW-XIII said,
...
I do not think anyone is going to remember 12 random character password
...

I just happen to remember a 12 random character password

Exactly. It is not that hard to remember a 12 character random password. Hell I alternate between six 14 random character and two 11 random character passwords.

Would like it more if I can use a password that is around 40 characters long. 12 characters long is just too short of a password.

As each digit of a password could be one of 95 alphanumeric characters, a password twelve digits long would have 95^12 permutations.

That's over 540 sextillion (540,360,088,000,000,000,000,000) combinations of characters - assuming you already know the password's length...

At its current max. speed of 280.6 trillion (280,600,000,000,000) operations per second, it would take up to 61 years for the world's fastest supercomputer Blue Gene /L to crack this. However, if supercomputers double in speed every two years, then in ten years 2017, the world's fastest supercomputer should be able to crack a true random twelve digit password in under two years.

So I'm not worried... yet.

That's not how cryptanalysis work. What you're talking about is a very, and I mean very, basic brute force attack. You need to read more about cryptography and everything related.

By 'true random' I mean a password generated "randomly" by methods such as DiceWare.

I think the type of password-cracking discussed in this article relates only to brute force attacks, not exploiting weaknesses in encryption algorithms/methods?

As each digit of a password could be one of 95 alphanumeric ASCII characters, a password twelve digits long would have 95^12 permutations.

That's over 540 sextillion (540,360,088,000,000,000,000,000) combinations of characters - assuming you already know the password's length...

At its current max. speed of 280.6 trillion (280,600,000,000,000) operations per second, it would take up to 61 years for the world's fastest supercomputer Blue Gene /L to crack this. However, if supercomputers double in speed every two years, then in ten years 2017, the world's fastest supercomputer should be able to crack a true random twelve digit password in under two years.

So I'm not worried... yet.

ok, but what about 99% users of computers & internet that use words, names, dates as a passwords
cracking pass through dictionary, dates could be hell easy, matter of seconds

so, hacker try dictionaries, dates and then goes to brute force hacking.
ok so it will take up to 2019 to crack pass by brute force but 90%+ passwords will be cracked in less that couple minutes ?

I do not think anyone is going to remember 12 random character password

That means only one: Dawn of passwords era, it's too vulnerable

far2ez said,
If this article does not scare you... then this will....

http://ophcrack.sourceforge.net/

The only new thing about this article is using GPU's to do the cracking. Passwords can be cracked using rainbow tables MUCH quicker than described here.


They can crack a password much faster, IF you have the rainbow table. You still have to generate it if you don't have one, and generating one with the GPU vs the CPU will take much less time.

SHADOW-XIII said,
I do not think anyone is going to remember 12 random character password

Just for the record, my password is 16 characters long completely random letters and digits, and I remember it more than I remember my name

Tantawi said,
Just for the record, my password is 16 characters long completely random letters and digits, and I remember it more than I remember my name :happy:

How often do you change it?

(The password, not your name)

Joe USer said,

How often do you change it?

(The password, not your name)


Well see err in my country i illegal yas understand ? so i errr change name nick errrr 5 month ? yar, yar, very good

"A [normal computer processor] would read the book, starting at page 1 and finishing at page 500," he says. "A GPU would take the book, tear it into a 100,000 pieces, and read all of those pieces at the same time."

that made me laugh