Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

New 25 GPU Monster Devours Strong Passwords in Minutes

chicksdaddy (814965) writes | about 2 years ago

Encryption 1

chicksdaddy writes "A presentation at the Passwords^12 Conference in Oslo, Norway (slides:, has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric.

Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete.

In a test, the researcher’s system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other Linux-based operating systems was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU powered systems that could perform “close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,” he wrote. Gosney’s cluster cranks out more than 77 million brute force attempts per second against MD5crypt."

Link to Original Source

Sorry! There are no comments related to the filter you selected.

Note the difference (1)

HuguesT (84078) | about 2 years ago | (#42188347)

On this system:

400 billion NTLM passwords per second
77 million md5cryp passwords per second.

Should we be that worried for Linux ? A 12-char long password encrypted with md5 would still require in the order of 10^7 seconds to crack, i.e. about 110 days or almost 4 months. Another way to look at it is to say that it is 400.10^9 / 77.10^6 = 5000 times slower to crack linux passwords than windows ones. The quoted 6 minutes extend to 21 days, which is a little short.

The take-home message would be that we need a slow encrypting method?

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?