UPDATED 15:21 EDT / DECEMBER 05 2012

NEWS

25 GPU System Unveiled at Passwords^12 Conference Eats Password Hashes for Breakfast

At the Passwords^12 Conference in Oslo, Norway researcher Jeremi Gosney presented an extremely powerful password cracking rig that wields a spectacularly heavy 25 GPUs in order to quickly chew through cryptographic hashes and extract the passwords that they hide. The slides are available online [PDF] and in his demo he showed how the rig could use OpenCL and VCL to run Hashcat—a password cracking program—across a cluster to burn down Windows XP passwords in less than six minutes.

The Security Ledger broke the story and it was picked up by Slashdot and reddit to much controversy about the application of such a rig and how it might be used.

To be pointed, the 25 GPU rig is designed as a highly parallel cluster for hash cracking:

In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

It’s exactly this sort of set up that people might expect to be used by hackers who have successfully penetrated a website and stolen the user credentials; but it would not be useful for cracking the passwords of users on an online service. This device would be used to attack a pile of cryptographically hashed passwords captured from a website in order to get the passwords stored within. I have discussed hashes and why they’re important in previous articles about leaks.

In security terms, cryptographic hashing of passwords isn’t a panacea to make users’ passwords uncrackable, it exists to slow down the bad guys so that once the password loss is discovered that it gives IT processionals (and users) time to change their passwords and do damage control.

However, with the advances with rigs such as Gosney’s GPU cluster that time is shortening.

As a result, popular and consumer level cryptographic hash algorithms need to keep up with the computing power capable of cracking them. In fact, recently Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD, acknowledged that the production level hashing function wouldn’t be long for this world as it could be quickly cracked by something like the Gosney GPU rig.

“As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay,” Kamp wrote in June. At the same time, he bowed out of the Red Queen race and urged people to use stronger (and if they could, unique-to-them) algorithms to help protect their users.

To this day, cryptographic hashing is still the industry standard for increasing the damage control time in the case of password leaks. As this is indeed a Red Queen race with cracking technology, it’s necessary to move into bigger and badder complexity in order to lengthen that time once again as governments and criminal enterprises also upgrade their equipment to lengthen their own window of opportunity.


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU