Cheap GPUs Rendering Strong Passwords Useless

StrongGlad writes with a story at ZDNet describing how it's getting easier to use GPU processing against passwords once considered quite strong. "Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called 'ighashgpu' and you have yourself a lean, mean password busting machine. How lean and mean? Working against NTLM login passwords, a password of 'fjR8n' can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second. Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU."

And?

[ledow]

And any system worth its salt (crypto-hashing joke) won't allow that many attempts against any external or internal authenticator and will NEVER expose its password hashes.

Seriously, if someone has your password hash, it's game over anyway and it doesn't matter if it takes 2 weeks or 2 months to guess the passwords. And if they don't, then you shouldn't be letting them try several BILLION attempts at guessing a password anyway.

increase the time lag between password tries...

[Anonymous Coward]

...to 1min/try and it will take up to 3.3billion minutes to guess...

If someone gets your hashed password, you're done

[homesnatch]

It is well known that if someone gets your hashed password, it is as good as cracked. 17 minutes vs 4 minutes is irrelevant.

On a live system, it is quite another story. You can't just remotely try 3.3 Billion passwords per second.. You'll be locked out after 10 attempts or so.

Who cares?

[IICV]

Hooray, you can crack an NTLM [wikipedia.org] password in like five seconds! Too bad Windows has preferentially used Kerberos since Win2K, which means that pretty much any in-practice Windows network you'd like to hack in to is using a real security scheme.

I mean, really. This article isn't about how much faster a GPU is than a CPU for hash cracking (after all, four days to reverse a hash is still unacceptable, and that's brute forcing it and not using one of the widely available NTLM rainbow tables), it's about how much NTLM sucks and Microsoft should have never contravened the first rule of cryptography and tried to roll their own.

Faulty Assumtions

[imsabbel]

A 6-7 letter password only using letters and numbers is NOT strong.

It would be trivial to cover it with rainbow tables and have near realtime cracking even without GPUs.

_Not weak_ would be 10 letter+, with a salt. Would make brute forcing not really that easy anymore...

Password Plus CAPTCHA helps

[billstewart]

8-character passwords were strong enough for Unix thirty years ago, but that was a long time ago in Moore's Law cycles; I've got wristwatches faster than that PDP-11. It's annoying how many systems still seem to use them.

For systems that do passwords interactively, you're not going to get the same brute force speed, but you're still exposed to automated attacks - using a CAPTCHA in addition to the password can help prevent them.

Re:And?

[Anonymous Coward]

Whenever a company "loses" a database with passwords, we scorch them for storing plaintext passwords. If hashing is supposed to help, then it has to create a significant barrier. As the processing power required for brute forcing password hashes makes longer and longer passwords insufficient, it should become clear that the age of passwords as the sole authentication is coming to an end.

NTLM? Please be serious...

[pedantic bore]

The title of the article is extremely misleading.

I don't really care that someone can break short passwords generated via MD4. MD4 is very broken. NTLM is essentially 1992-era technology that was later picked up by Microsoft, who now deprecates its use.

When a GPU can break 15-character AES256 keys, then I'll start to worry about the security of my 24-character key.

Re:Ha Ha, mine goes to 11

[node 3]

But the number of potential attackers is significantly diminished. And he did mention deliberate character substitution, which helps against that (as well as helping against dictionary attacks).

Re:1Password FTW

[cbiltcliffe]

Your shameless plug is correct, but for one problem:

When you use a fingerprint sensor, the traditional attack methods (brute forcing, social engineering, etc) still work. But you also add a new attack method, by generating a fake fingerprint from that coffee cup you threw into the trash that morning.

Needless to say, increasing the possible attack vectors decreases security, rather than increasing it.

Re:And?

[Anonymous Coward]

Like this article shows, they're basically equivalent given enough processing power. The end result is the same; the "hidden" information becomes known, with relatively little ease. Sure, salting may currently help make the brute-force "decryption" of a hashed password more difficult, but hardware is always getting faster and more powerful.

Re:Password Plus CAPTCHA helps

[bmo]

The quicker CAPTCHA dies the better.

Not only does it discriminate against machines (like it should) it discriminates against humans, too.

I long for the day when the Americans with Disabilities Act gets amended for the interbutt. You are an institution or you do commerce on the Web? You can no longer discriminate against the sight impaired ever again.

People see CAPTCHA as a magic wand for dealing with brute-force attacks and spam. It's not. If it was a pill for erectile dysfunction, the side effects would give you projectile diarrhea.

--
BMO

Re:Ha Ha, mine goes to 11

[plsuh]

What you're missing is that the percentage of the general population that can consistently (a) remember a long password and (b) type it without a failure at least 50% of the time, is in the single digits. Remember, general population, not geeks.

I've expressed the opinion for several years now that password authentication is broken, and that we need to move to two-factor authentication schemes ASAP.

--Paul

Re:So What?

[NoNonAlphaCharsHere]

Parent is a case-study in What's Wrong With The New Slashdot. In a proper world (or, if you prefer, in the Elder Days) the AC parent would have AT LEAST cruised up to +3 Informative in as many heartbeats. As it is, this nifty site/tool he's pointed us to will languish in obscurity.

And in case you're wondering at my 'get off my lawn', my REAL Slashdot UID is in the low 800Ks, but contains a special character, so I haven't been able to log in to this Brave New Slashdot for over a month.

Re:Password Plus CAPTCHA helps

[cloudmaster]

Let's look at some alternative alternative math: that 3.3 billion passwords/sec were at http://www.golubev.com/files/ighashgpu/readme.htm [golubev.com]. Note that this is the speed for cracking MD5 passwords, which were deemed "almost ready to crack" a few years ago. Modern Linux systems all support sha256 and sha512 hashing; given that this tool is 1/3 slower for sha1 (aka "sha160"), one can guess that current sha2 (sha256/sha512) algorithms will be slower. It's also worth nothing that the algorithms supported by the tool mentioned in the article are *all* not supposed to be used as of 2009: http://csrc.nist.gov/groups/ST/hash/policy.html [nist.gov]; the tool doesn't currently even support the sha2 algorithms. The common algorithms which are currently supported (ie, md5) have been breakable in fractions of a second through rainbow tables for years anyway - which was NIST's point, IIRC.

I suppose I'll also note that the Ubuntu 11.04 system I'm typing this upon right now is configured out of the box to use sha512 hashing in /etc/shadow (check /etc/login.defs on most Linux systems, look for password strings which start with $6$). Assuming the use of PAM for anything important and passwords stored either in root-only shadow file or in an LDAP directory which does compare-only access or server-side hashing, and a secure transport such as current TLS, then this is a non-issue on a Unix system which hasn't already been compromised. It'd be easier and probably more effective, as usual, to socially engineer a password (or otherwise gain access through the human interface weak point) than to get password hashes and break them.

Re:So What?

[Nighttime]

Doesn't matter how strong a password is, xkcd [xkcd.com] have it covered.

Re:If someone gets your hashed password, you're do

[letsief]

It's not that simple. Cryptography is an asymmetric game: you always have to assume the attacker has orders of magnitude more computing resources than the target. Cryptography works because we can (usually) find problems that get exponentially harder and harder to crack. For instance, let's say you just want to encrypt something. A block cipher with a 64-bit key is just on the edge of being brute-forcible today. But, as a general rule, you could use a block cipher with a 128-bit key and it should only be half as fast as the 64-bit cipher (note I said this is a general rule, there are number of factors that influence speed). A 128-bit block cipher is 2^64 times more difficult to crack than a 64-bit block cipher. So, the target can make something 2^64 times more difficult to crack by just doing twice the work.

Your proposed solution just grows linearly, not exponentially. If you iterate SHA-1 10,000 times instead of just 5,000 you're also doing twice the work, but this time you've only made your password twice as difficult to crack. If you can suddenly start doing twice the work you did before, you have to assume the attackers can as well.

Yes, iterating hash functions buys us more time, but this is a game that targets can't win. Plus, you're ignoring all of the problems associated with moving to higher iteration counts. Probably first and foremost is interoperability. There's a massive application base out there that just uses MD5 or SHA1 with little to no iteration. It's not easy for software like Windows to change. I think it wasn't until Vista that Microsoft stopped storing a LAN Manager hash of users' passwords, which made then trivial to break. That's been known to be bad for a long, long time. Plus, in most web-based applications its not the client that does the hash operation, its the server. While your new Core i5 processor could probably easily handle bumping up the iteration count by an order of magnitude or so, Google's Gmail servers probably can't.

Longer, more complicated passwords would be more effective than increasing iteration counts, but people are bad at generating and remembering long passwords. So, the only long term solution seems to be moving to stronger forms of authentication, like smart cards or using devices like smart phones as one-time password devices.