GPU Server Guesses Over 345B Passwords - Every Second
Recent advances in computing horsepower have given new meaning to brute-force attacks on passwords.
A demonstration at the Passwords^12 Conference in Oslo, Norway, revealed that relatively complex passwords consisting of eight characters could be found in a few hours, while simple passwords were exposed in a few minutes.
Security researcher Jeremi Gosney showed a password-cracking HPC system consisting of five 4U servers with 25 AMD Radeon GPUs, a 4x SDR InfiniBand interconnect and a total power consumption of 7 kW. The maximum performance of the system is 348 billion NTLM hashes per second, which means that the hardware can examine every possible 8-character password in 5.5 hours. In simpler environments, such as Windows XP, which uses LM hashing that converts all lower-case characters to upper case, the system speeds through every LM password of up to 2 x 7 characters in 6 minutes, at a maximum LM performance of 20 billion hashes per second.
SHA1 passwords are attacked with a maximum of 63 billion hashes per second, and MD5 with 180 billion hashes per second.
While Gosney chose an elaborate setup, the cost of the hardware is not exactly astronomical, and it should be common sense to evolve passwords along with these technical advances.
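The figures above can be turned into a sizing check for password policy. The following is an added example, not part of the original article: it estimates worst-case exhaustive-search time at the article's peak rates and the shortest length that outlasts a chosen time budget. The character-set sizes (95 printable ASCII, 69 for LM) and the function names are assumptions.

```python
# Added example: worst-case brute-force time at the rates quoted in the article.
# Covers exhaustive search only; dictionary and rule-based guessing find weak
# passwords far sooner, so treat these numbers as an upper bound on resistance.

# Peak guess rates reported in the article (hashes per second).
RATES = {"NTLM": 348e9, "MD5": 180e9, "SHA1": 63e9, "LM": 20e9}

PRINTABLE_ASCII = 95  # assumption: full printable ASCII set
LM_CHARSET = 69       # assumption: printable ASCII minus the 26 lower-case letters

def keyspace(charset, length):
    """Number of candidates of every length from 1 up to `length`."""
    return sum(charset ** n for n in range(1, length + 1))

def exhaust_seconds(algo, charset, length):
    """Seconds to try every candidate at the article's peak rate for `algo`."""
    if algo == "LM":
        # LM hashes a password as two independent 7-character halves (the
        # article's "2 x 7"), so length beyond 7 adds no search effort.
        length = min(length, 7)
    return keyspace(charset, length) / RATES[algo]

def min_length(algo, charset, target_seconds, max_len=64):
    """Shortest length whose full search takes longer than `target_seconds`."""
    for n in range(1, max_len + 1):
        if exhaust_seconds(algo, charset, n) > target_seconds:
            return n
    return None  # never reached, e.g. LM with its effective length capped at 7

if __name__ == "__main__":
    year = 365 * 86400
    print("NTLM, 8 chars, 95 symbols: %.1f hours"
          % (exhaust_seconds("NTLM", PRINTABLE_ASCII, 8) / 3600))
    print("LM, 14 chars, 69 symbols: %.1f minutes"
          % (exhaust_seconds("LM", LM_CHARSET, 14) / 60))
    for algo in ("NTLM", "MD5", "SHA1", "LM"):
        charset = LM_CHARSET if algo == "LM" else PRINTABLE_ASCII
        print(algo, "min length to outlast one year:",
              min_length(algo, charset, year))
```

A result of None for LM means no password length resists the search, which is why the hash format itself has to be disabled rather than compensated for with longer passwords.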
Wolfgang Gruener
Wolfgang Gruener is a contributor to Tom's IT Pro. He is currently principal analyst at Ndicio Research, a market analysis firm that focuses on cloud computing and disruptive technologies, and maintains the conceivablytech.com blog. An 18-year veteran in IT journalism and market research, he previously published TG Daily and was managing editor of Tom's Hardware news, which he grew from a link collection in the early 2000s into one of the most comprehensive and trusted technology news sources.