GPU Password cracking

Raqia · Aug 22, 2012

A fascinating article:

http://arstechnica.com/security/2012/08/passwords-under-assault/

I especially like the depth they went into the algorithms and the rig they built on the first page w/ the 8 7970's. There were several lessons from that article:

- As much as possible, don't use the same password across multiple sites
- Salt your hashed entries
- Use an appropriate hash function

The accessibility of multi-teraflop hardware to the masses seems like a tilt back to computation from space usage.

itsmydamnation · Aug 22, 2012

its an ok article, no new revelations or anything.

headlines like:

No, SHA1 is not a secure hashing algorithm

annoy me, last time i checked (yesterday actually) SHA1 is a mathematically secure hashing algorithm( with one or two possible but not yet demonstrable issues) . On top of that SHA-1, MD5 etc can be salted fine.

What people dont understand is a salt only protects the hash from a table based attack, because if you have all the hash data chances are you have the salt as well. Then the brute forcing can begin.

So yet again we come back to XKCD
http://xkcd.com/936/

silent_guy · Aug 22, 2012

Never mind...

Alexko · Aug 22, 2012

itsmydamnation said:
its an ok article, no new revelations or anything.

headlines like:

annoy me, last time i checked (yesterday actually) SHA1 is a mathematically secure hashing algorithm( with one or two possible but not yet demonstrable issues) . On top of that SHA-1, MD5 etc can be salted fine.

What people dont understand is a salt only protects the hash from a table based attack, because if you have all the hash data chances are you have the salt as well. Then the brute forcing can begin.

So yet again we come back to XKCD
http://xkcd.com/936/

The problem is that 1000 guesses/sec is now much lower than what the hardware can actually do; by a factor of one million, apparently.

Gubbi · Aug 22, 2012

Alexko said:
The problem is that 1000 guesses/sec is now much lower than what the hardware can actually do; by a factor of one million, apparently.

You can do 1,000,000,000 login request to hotmail.com per second?

If you have the hashed passwords, know the hash function and the salt, then you can do a billion per second.

Cheers

Albuquerque · Aug 22, 2012

Not only that, but those guesses are only feasible for passwords of ~10 characters or less.

A few years ago, I started using sentences as passwords -- much like that XKCD article suggests. Of course, websites that require an upper case, lower case, numeric and symbolic character will dork up your wording a bit, but brute forcing a 30-character password really isn't happening right now.

Rodéric · Aug 22, 2012

They get the encrypted password then try many combination until they match the encoded value, that only works if they know the algorithm used though...

Many websites don't accept spaces, punctuation and such

Alexko · Aug 22, 2012

Gubbi said:
You can do 1,000,000,000 login request to hotmail.com per second?

If you have the hashed passwords, know the hash function and the salt, then you can do a billion per second.

Cheers

Fair point, but is it even possible to brute force Hotmail at all? I mean isn't there some kind of protection mechanism against numerous and obviously artificial connection attempts?

LunchBox · Aug 22, 2012

A few years ago my friend told me to put a verse (or so) of a song that I liked as a password because it was better than putting numbers or symbols to remember because it would be longer. I took his advise and needless to say, my password (before) consisted of the phrase "I like big butts and I cannot lie... You other brothers can't deny" So yeah... thanks for the password sir mix-a-lot.

I.S.T. · Aug 22, 2012

I use a word as my password, but it's about...

nine letters for the standard one, and I variate it up to 15 or 16 characters depending on the site.

Raqia · Aug 22, 2012

itsmydamnation said:
its an ok article, no new revelations or anything.

headlines like:

annoy me, last time i checked (yesterday actually) SHA1 is a mathematically secure hashing algorithm( with one or two possible but not yet demonstrable issues) . On top of that SHA-1, MD5 etc can be salted fine.

What people dont understand is a salt only protects the hash from a table based attack, because if you have all the hash data chances are you have the salt as well. Then the brute forcing can begin.

So yet again we come back to XKCD
...

It sounds like ArsTechnica's objection to SHA1 is that it's computationally cheap making it especially vulnerable to being brute-forced (rather than collision insecure through a different style of attack), and other algorithms force more computation into each brute-force attempt. Correct me if I'm wrong.

I like XKCD's idea, it's is very nice; but it's harder for me to remember those types of passwords than he claimed when the words don't fit into a mental image or story. I imagine user validation of the future will rely on a combination of a password and multiple biometric verifications (e.g. fingerprint + passively collected dna sample + some measure of a user's keyboard use profile that cuts off a user if his keyboard usage strongly deviates from historical trends).

CarstenS · Aug 22, 2012

1st rule of passwords: Don't tell your password rules (except rule #1).

fllwr · Aug 23, 2012

Gubbi said:
You can do 1,000,000,000 login request to hotmail.com per second?

If you have the hashed passwords, know the hash function and the salt, then you can do a billion per second.

Cheers

It's all about extracting the passwords text and using them elsewhere.
So it starts with a fully comprised passwords DB.

GPU Password cracking

Raqia

itsmydamnation

silent_guy

Alexko

Gubbi

Albuquerque

Red-headed step child

Rodéric

a.k.a. Ingenu

Alexko

LunchBox

I.S.T.

Raqia

CarstenS

Moderator

fllwr