Forgot your password?
typodupeerror
Encryption Security IT

New 25-GPU Monster Devours Strong Passwords In Minutes 330

Posted by Soulskill
from the om-nom-nom dept.
chicksdaddy writes "A presentation at the Passwords^12 Conference in Oslo, Norway (slides), has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney's system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft's LM and NTLM, obsolete. In a test, the researcher's system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference. For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other, Linux-based operating systems, was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU-powered systems that could perform 'close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,' he wrote. Gosney's cluster cranks out more than 77 million brute force attempts per second against MD5crypt."
This discussion has been archived. No new comments can be posted.

New 25-GPU Monster Devours Strong Passwords In Minutes

Comments Filter:
  • my password (Score:5, Funny)

    by Anonymous Coward on Wednesday December 05, 2012 @06:27AM (#42189817)

    So it doesn't matter anymore I'm using 000000 as password ....

    • by jones_supa (887896) on Wednesday December 05, 2012 @06:48AM (#42189917)
      Hey, that's the combination of my luggage!
    • Re:my password (Score:5, Insightful)

      by Technician (215283) on Wednesday December 05, 2012 @12:16PM (#42192517)

      My door lock is even more secure with a 4 digit pin. 3 failed attempts lock it out for several minutes. More failed attempts lock it for an hour. It doen't bother to tell you it is ignoring you during that period. A penalty instead of millions of free retries should stop that without physical access.

  • by TheLink (130905) on Wednesday December 05, 2012 @06:29AM (#42189839) Journal
    My conclusion is to use different passwords for different things. They don't have to be that strong.

    As long as the passwords are strong enough to prevent brute forcing over the _NETWORK_ they are strong enough. If you don't pick an overly stupid password then either you or the site is going to be pwned before the hackers brute-force/guess your password over the network.

    If someone has hacked into the site to obtain the hashes, it's likely they can do other stuff anyway (make transactions, get your info, maybe even get the plaintext of your password), so don't waste your time making and using super long passwords.
    • by bmo (77928) on Wednesday December 05, 2012 @06:45AM (#42189905)

      Pretty much this. Brute forcing passwords over the Internet is silly and non-productive.

      >it's likely they can do other stuff anyway

      What, you mean like the Youporn chat registration list that had the usernames and passwords *and* verification email addresses in plaintext? Or like when Yahoo was compromised? Or like dozens of other companies were compromised? Or like when EMC was spear-phished out of RSA tokens?

      My concern isn't someone with a hundred Tesla cards cracking passwords. My concern is dumb admins and people falling for social-engineering.

      --
      BMO

      • by nazsco (695026)

        Yahoo properly hashes

      • by Catskul (323619) on Wednesday December 05, 2012 @10:54AM (#42191631) Homepage

        > My concern is dumb admins and people falling for social-engineering.

        It's as soon as we stop claiming that it's just stupid people who fall for social-engineering that we'll finally get better at avoiding it.

    • by Sique (173459) on Wednesday December 05, 2012 @06:59AM (#42189967) Homepage
      You are missing situations where for instance config files are stored separately. I have the situation where I are going on a customer site to replace defective network gear, and I get the config files to upload them into the gear before replacing them. For security reasons, I don't get the configured console password, if I made an error, I would have to empty the config via recovery and start anew. I just replace the gear, phone the network guy of the customer and he then checks connectivity. It wouldn't help to modify the config before uploading to an empty password, because part of the configuration is the connection to an AAA server which kicks in as soon as the network connectivity is there, and then it closes all open consoles and locking me out. But if I could brute force the shared keys whose hashes are in the config files, I might still get in.
    • by DrXym (126579) on Wednesday December 05, 2012 @07:30AM (#42190079)
      Different passwords for different things is a good idea.

      But the issue is not brute forcing over the network. The issue is hackers stealing a database of passwords, then bruteforcing the lot of them locally. Some sites don't even bother to hash the password at all and some don't salt them or use a weak hash. So if the database is lifted, the hackers could potentially recover some or all of the passwords with little or no effort. So if you use the same email and password for an insecure site as a strong site, you are trouble.

      Therefore it would be wise to arrange sites into tiers of importance. Tax / health / social security on the top. Then banks. Then cloud / email services. Then stores. Then sites with personally identifying info. Then forums and other throwaway crap. For each tier take appropriate measures to ensure uniqueness of the password and login id and use password safe to manage this mess. On the bottom tier, you could probably use the same throwaway password for every site, or a variant of it (e.g. tack on the first 4 letters of the domain host) since a compromise is a nuisance rather than as a threat.

      And use something like Password Safe so you don't have to remember all this crap.

      • But the issue is not brute forcing over the network. The issue is hackers stealing a database of passwords, then bruteforcing the lot of them locally.

        If anyone with motivations beyond that of a script kiddie is doing this, then you are already totally screwed - they can already steal all your transaction information or make their own transactions or transfer funds or do whatever they want to do as ANY UID in that system - WHY would they ruin that and post them on the web?

        And if it *IS* a script kiddie,

      • by Dins (2538550)

        I've often thought about trying something like Password Safe, but I commonly use 4 different computers that I might need my passwords on. And 3 of those are at home where I might be accessing a bank. So unless there's some way around that problem I'm not thinking of, I'll stick to my main 6 or 8 long random ones.

        Ha, what I really need is some sort of cloud password service. Wait...

        • by Rich0 (548339) on Wednesday December 05, 2012 @08:45AM (#42190451) Homepage

          I'd echo the other suggestion to use lastpass. I was struggling with the same issues. In theory the passwords are encrypted/decrypted locally and they do not have access to them. Of course, I'm sure they could be bruteforced as with any of the other sites. That said, I am a bit more inclined to trust one site whose sole purpose is storing passwords than every web forum on the internet. These days most of my passwords are randomly generated thanks to lastpass.

          The real pain has been with smartphone apps, which don't integrate well with lastpass. I can access my passwords on the phone, but I have to do copy/paste to get the password into the app, and some apps are brain-dead and reset when context-switching which means I need to at least manually enter the username (which is a pita if it is a long email address).

          People also point out keepass, but it doesn't support every OS I use. Lastpass always has the browser as a fallback if nothing else.

          • by Dins (2538550) on Wednesday December 05, 2012 @08:57AM (#42190539)

            Thanks for the idea, and I hadn't heard of Lastpass, so I looked them up and found this [wikipedia.org]. Stuff like that, while probably never likely to affect me personally, still scares the hell out of me.

            Yes, that's just one site. But if one site I use has their PW file stolen and broken I lose out on one site (and potentially any others I've used that specific PW for). If I trusted something like lastpass with my entire life and then they were successfully hacked...

            • by Rich0 (548339) on Wednesday December 05, 2012 @09:36AM (#42190811) Homepage

              That episode is the main reason why I've stuck with them - I was a customer at that time.

              When that breach occurred nobody knew about it but them, but they immediately broke the news and generally treated the situation in the most conservative manner possible. Their treat assessments as communicated out seemed accurate to me.

              So, sure, you're more secure if you never put your passwords out in the cloud to begin with - nobody can question that (assuming you still use strong unique passwords for each site and just carry them around with you on a PDA or USB drive or something). However, if you are going to use a cloud service then would you rather use one that has an episode like this and does full disclosure, or one that puts the marketers in charge and covers the whole thing up? The only reason you can cite that example is because Lastpass did the right thing.

              If the alternative is to just pick a few memorable passwords and use them on many websites each, I'm not convinced you're better off.

        • by somersault (912633) on Wednesday December 05, 2012 @08:51AM (#42190499) Homepage Journal

          I keep my Keypass database in Dropbox. That way it's synched to all my machines, or I can download it to my phone, or access it via a web browser.

      • And every password should use a different salt. Sure you can try 77 million combinations a second, but you can't check those results across the entire password file. You have to repeat the entire cracking process for each user.
      • Therefore it would be wise to arrange sites into tiers of importance.

        That seems overly complicated - trying to accurately assign risk levels to different websites is beyond most people, and can potentially change out from under them if a website decides to increase its scope.

        Here's what I do -- create a "base" password that is uber-secure, random line-noise sort of thing. Then I use a really simple algorithm where I take something from each website's name and prepend it to the base password (prepending is important since some websites silently truncate passwords).

        So, for e

        • by oobayly (1056050)

          I use a very similar setup, however one issue with the example you've given is that by using the first two letters of the domain means that even a bot could be written to compare the first N charaters of each password to the domain, and can make an assumption on what another domain's password could be. I know, it's a stretch.

          A slightly better method is [for example] to prepend the first 2 vowels and append the last 2 consonants to the password. Sure, you have to remember slightly more complicated rules, and

      • by Anonymous Coward on Wednesday December 05, 2012 @09:27AM (#42190717)

        i think email should be on the top list of priority - because "reset your password" on every other system tends to use your email address. lose control of your email and you've lost control of everything else.

    • If someone has hacked into the site to obtain the hashes, it's likely they can do other stuff anyway (make transactions, get your info, maybe even get the plaintext of your password), so don't waste your time making and using super long passwords.

      This is not always true tbh. Stealing hashes can require as little as an unsanitized SQL query in a web application that allows an attacker to dump the hash table(s) using nothing more than a browser. It may or may not allow for user impersonation in order to do the stuff you listed, but the point is stealing hashes does not have to require complete hacking. In such a scenario strong passwords are still quite useful.

    • by Bengie (1121981)
      The most common way to acquire your password hash is via SQL injection, the web server is rarely compromised. Short of breaking the password storage, the hacker won't gain access to your password unless it's weak enough to generate.

      A strong 12 char password has 612,709,757,329,767,363,772,416 possibilities, which even at quadrillion(10^15) guesses per second, it would take over 7,000 years to exhaust the entire space.
  • by ghostdoc (1235612) on Wednesday December 05, 2012 @06:32AM (#42189847)

    So now that passwords as a system is officially broken, can we please move on to something better? Something that wasn't invented to allow soldiers standing watch in the middle of the night to tell their mates from their enemies, but is actually designed for computers?

    And no, of course I don't have any better ideas... this is /. and I'm here to pointlessly criticise!

    • by Xenna (37238) on Wednesday December 05, 2012 @07:13AM (#42190025)

      This system cracks password hashes. But there's one thing missing: You need to get your hands on the password hashes first!

      Therefore you require access to a system. If you already have access to that system it's fairly trivial to install password capturing code. That way you don't even need to crack any hashes.

      The problem remains that a hacker who gains access to a badly secured system can do almost anything he likes. Secure hashes or not.

      • by Architect_sasyr (938685) on Wednesday December 05, 2012 @07:38AM (#42190107)

        If you already have access to that system it's fairly trivial to install password capturing code.

        The whole point is to engage in defence in depth - FreeBSD offers kern.securelevel to prevent you from being able to write to the file system, or change firewall rules. We have anti rootkit checking programs (do most people make regular use of rkhunter or anything similar?) Further, you need to encrypt and safely store backups. No password logging program is going to lift them from the hashes you got from the borrowed backup drives. Probably 60% of engagements I have been involved in managed to lift a backup drive from the environment, permitting only the tiniest changes to be made to live servers, thus minimising our risk of breaking things, and a (potential) black-hat's chance of being caught.

        Making the hashes harder to crack makes it harder to crack into the server, live or from backups. You'd be surprised how many people forget backups.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Already have. Public/private key pairs, one of the modes of SSH. (And by far the preferred mode.)

      Yes, we are rapidly approaching the point where the only way to secure a system is something you have, not something you know. Or at least, not solely something you know. That's all right. We're used to that. How do you start your car? Or open the door to your house? Something you have. And for any expensive car made in the past decade, that something you have isn't just the physical shape of the key.

      • by unix_core (943019)
        Wohooo I am a ghost from the future who come flying in here at night to give you a peek at how the world could be if your idea gets realized, have a look at these future wikipedia articles, whohooooowooowow.

        http://en.wikipedia.org/wiki/Contactless_smart_card [wikipedia.org]
        http://en.wikipedia.org/wiki/Octopus_card [wikipedia.org]
      • by Splab (574204)

        Because house keys and car keys are known to be secure devices.... (And before you get started on the new electronic keys, go ask BMW M3 owners how that's working out for them)

        The nice thing about a key chain is it makes it possible to lose all your keys in one go.

      • by Rich0 (548339)

        Agreed, but what we're likely to first see is every Bank and significant e-commerce site making you pay $5 for a dedicated keyfob, so that you now have to carry around a huge collection of them. It will turn out that half of them have other security problems, but that's OK since you're the one who had to pay for them.

        What we really need is something like a strong two-factor openid system, or something like that. OpenID can already support this, but the problem is that few sites actually support OpenID. I

    • by KiloByte (825081)

      It's only weak passwords when you have access to the hash database what's broken. You can always throw in more characters to make brute-forcing take exponentially longer. And since some hashes have been proven to be NP-hard, there's nothing you can do better than brute-force them. No useful hash can be harder than NP, but I'd say that's good enough for me.

      Also, in a majority of cases, if you can obtain password hashes, you may just take whatever was protected by that hash. Not always:for an encrypted fi

    • by Chewbacon (797801)
      Passwords aren't broken. Many systems will lock an account for a set length of time or until an administrator intervenes. This would render this method useless.
    • No it means that if someone can steal the password hashes then your passwords are known ....

      Why is the database of passwords on a machine that is capable of being stolen in the first place, this is like the soldier having a list of challenges and responses written down where anyone he challenges could potentially see the entire list ...

      The solution is for the user facing machine not to contain the hashes just an API to check individual passwords as needed

  • by slb (72208) * on Wednesday December 05, 2012 @06:43AM (#42189893) Homepage
    This is well known and no sane people uses NTLM auth anymore, even Microsoft recommend to deactivate this authentication method. The idiots at Microsoft used a DES ECB implementation instead of CBC that anyone with two ounce of crypto knowledge would choose. The practical impact of this very bad design choice is that a 14 character password has as much complexity as two independant 7 characters passwords ! So when the authors brag about cracking a 14 character password in 6 minutes, what they're really doing is cracking two 7 character passwords in 6 minutes, this is entirely different and not impressive at all.
    • by nazsco (695026)

      That's why the article say it's million times easier to crack than even md5crypt

  • by Rogerborg (306625) on Wednesday December 05, 2012 @06:51AM (#42189937) Homepage

    A customer asked us recently if we could recover some of their passwords stored (hashed) on our system.

    "Sure we can, if you used really poor passwords."

  • XP Passwords (Score:4, Insightful)

    by jonbryce (703250) on Wednesday December 05, 2012 @06:59AM (#42189961) Homepage

    I was under the impression that a 14 character NTLM password was basically two 7 character passwords, and the fact you can crack them easily is not news. Rainbow tables will crack them in a matter of seconds on a standard PC setup.

    • Re:XP Passwords (Score:4, Insightful)

      by bloodhawk (813939) on Wednesday December 05, 2012 @07:16AM (#42190033)
      This article only talks about very old deprecated algorithms which to be quite honest if you are reliant on those for your security you have far more trouble then just weak passwords or someone brute forcing. NTLMv2 has been in available for use in windows since the NT 4 days and LM/NTLM were off by default from vista onwards.
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Soon, they will be able to build a time machine entirely out of GPUs to go back in the 90s and crack those passwords!

    • by thoromyr (673646)

      You are describing LanMan (LM) hashing, not NTLM. And it is even worse than being limited to two runs of 7 characters, they are upcased before hashing so mixing case has no impact. NTLM still sucks (and there are rainbow tables due to the lack of salting), but it is a major improvement over LM.

      Just as a note: using a rainbow table will crack the password very quickly, but that is because you (or someone else) expended a lot of computing time to generate those tables. And those tables take up space. Not much

  • Let N be the number of bits of real entropy in an item of human memory. N is somewhere between 50 and 70. (Proof: you can remember RWOLZEKBYT or "correct horse battery staple" [xkcd.com] if you have to, but you've got no prayer of remembering RWOLZEKBYTDUQLZPEJNB or Rw3L$E5Kÿ(t. )

    Let 2^R be the instruction rate of the largest computer affordable by a large nation or corporation. R is about 56 at the moment.

    2^(N - R) is the number of seconds before we're all completely fucked.

    • by Terrasque (796014)

      (Proof: you can remember RWOLZEKBYT or "correct horse battery staple" if you have to, but you've got no prayer of remembering RWOLZEKBYTDUQLZPEJNB or Rw3L$E5KÃ(t. )

      But I can easily remember "correct horse battery staple waterslide fishnet the queen bleach" - how much entropy is that?

  • by AbRASiON (589899) * on Wednesday December 05, 2012 @07:28AM (#42190071) Journal

    I'm really low on porn at the moment and hit my monthly internet quota!

  • Not seeing anything about WPA.

    You can pull those truly out of thin air and since they are rehashed 4000 times brute forcing those is slow even on most modern hardware. Generally in the range of a 1000 to 5000 keys per second.
    More than a thousand years for a 8 character password. And you can't even use a shorter password on WPA.

    GPUs do change the picture a bit.

  • by Phoenix (2762) on Wednesday December 05, 2012 @08:20AM (#42190303)

    If passwords are getting cracked so quickly these days, what then is the answer? Authenticators are all well and good, but I don't have room on my keychain for one for Blizzard (I know about and have the one for my iPhone), one for Amazon, one for PayPal and eBay, one for Gmail, etc and so forth.

    What would be a viable solution then?

    • LastPass. Separate, strong passwords for every site; one YubiKey for the master login if you want it. KeePass is good too; store part of your key on a dongle for extra security.

  • So it seems all server side code should be storing:

    algo_name, hash(salt + password) ...that way, if your algorithm of choice proves to be a bit feeble, you can gradually upgrade to a better one by getting your users to change their passwords. If anyone's account has a really old algo still on it, then the account gets disabled. Whilst this doesn't "solve" the problem, it means you don't have to throw everything away because someone found a quick way to compute hashes using your chosen algorithm.

    Either way,

  • Time to move on to fingerprint scanners for security, but with a twist: they *only* recognize 'dead fingers'.


    Don't know about you, but I'm already set.
  • Crack the code to open President Skroob's luggage?

  • by Bengie (1121981) on Wednesday December 05, 2012 @09:16AM (#42190635)
    "A 14 character Windows XP password hashed using LM for example, would fall in just six minutes"

    Which is nothing impressive. NTLM has a 14 char password max and pads sub-14char passwords with null. It then breaks the password into two 7 byte pieces, hashes both pieces, then concatenates the two hashes together. Using NTLM, a 14 char password at worst 2*96^7 instead of 96^14, which is a factor of 37,572,373,905,408 difference. If NTLM was properly designed, that same 14 char password would have taken 37,572,373,905,408*6min to break or 428,908,378 years.

    14 char passwords are still safe assuming there isn't a huge flaw in the password storage.
  • So, can this also bust DRM schemes like the system in bd+?
  • Passwords^12?
    Passwords carrot twelve? WTF kind of a name is that?

No amount of careful planning will ever replace dumb luck.

Working...