Harden Up: Can We Break Your Password With Our GPUs?

Status
Not open for further replies.

jeff77789

Distinguished
Jun 24, 2009
198
0
18,690
"While it would take a longer time to find a password made up of nine or 10 passwords, it's definitely doable between a few gaming buddies. "


9 or 10 characters?
 

ryandsouza

Distinguished
Aug 16, 2009
141
0
18,690
"Think of this as generating every single combination of numbers that can be used to solve that same Sodoku puzzle, starting from an all zeros all the way through all nines. "

Sudoku puzzles have numbers from 1 through 9!
 

rpmrush

Distinguished
May 22, 2009
175
0
18,690
This reminds me of Bitcoin GPU crunching. 6990s are favored right now. I wonder how many were sold specifically to Bitcoin miners? I tried it with my dual 6850s but the heat was rediculous. I didn't like the stress on my hardware so I gave up mining. I'm sure it's the same with password software. Maxing out your GPUs. Great for Winter, not Summer!
 

mediv42

Distinguished
Jul 25, 2008
69
0
18,630
I've always wondered about this: why don't they just code a delay into the decryption program, so you can't check a billion passwords a second?
 

joshyboy82

Distinguished
Nov 8, 2010
739
0
19,160
I like the scale, but in your small example (a,b,c) you were right and wrong at the same time. Based on your configuration 6 possibilities are correct, but because you tell someone that they can use A or B or C in the password doesn't stop them from choosing aaa, therefor the combination is 9, not 6. Otherwise, interesting article.
 

acku

Distinguished
Sep 6, 2010
559
0
18,980


Fixed! Sorry. I usually play Sudoku variants. :)




I could understand that, but I left out that since I was trying to show a simple example of how permutations differ from combinations. As you pointed out, repetitions are allowed in passwords. I actually mention that in the sentence that follows in the next paragraph.
 

acku

Distinguished
Sep 6, 2010
559
0
18,980


It wouldn't be easy from a design standpoint, cause now you're talking about fiddling with the design of the program.

The easiest way to slow down the verification portion of the password authentication process is increasing the number of transformation invocations for key generation. The problem is that this slows down the performance of your machine, even if you have the correct password.

[citation][nom]jj463rd[/nom]How about adding some extended ASCII codes to a password.[/citation]

That assumes WinZip and WinRAR supports them. To be honest, I haven't looked into that. Though, I'm inclined to believe that neither program supports them.
 

Mark Heath

Distinguished
Apr 28, 2010
837
0
19,010
Cracking a password? There's an app for that.

Saw something on this elsewhere recently (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)

I've changed the password for important (tangible value) passwords such as that for my steam account to a password that now uses a few special characters, and some mixed up numbers, lower and upper case letters, totalling 18 characters. (lol)

Now I have a few different tiers of passwords, a now replaced 8 string of letters and numbers for unimportant things a couple of years ago, a now replaced string of 15 characters for semi-important things a couple years ago (have real world information or usefulness for a potential bad guy), their 8 and 15 respectively replacements and my new 18 character string for things that have definite tangible real world value to potential nasties.

And being only 15 I think I'm on the right track :)

The only thing that *really* worries me are the choice of security questions sometimes. If you're not allowed to pick your own, the answer would be easy to find on my Facebook page or similar (if I had one ;)) Mother's maiden name? There's a Facebook page for that.
 

acku

Distinguished
Sep 6, 2010
559
0
18,980
[citation][nom]Mark Heath[/nom]Cracking a password? There's an app for that.Saw something on this elsewhere recently (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)I've changed the password for important (tangible value) passwords such as that for my steam account to a password that now uses a few special characters, and some mixed up numbers, lower and upper case letters, totalling 18 characters. (lol)Now I have a few different tiers of passwords, a now replaced 8 string of letters and numbers for unimportant things a couple of years ago, a now replaced string of 15 characters for semi-important things a couple years ago (have real world information or usefulness for a potential bad guy), their 8 and 15 respectively replacements and my new 18 character string for things that have definite tangible real world value to potential nasties.And being only 15 I think I'm on the right track The only thing that *really* worries me are the choice of security questions sometimes. If you're not allowed to pick your own, the answer would be easy to find on my Facebook page or similar (if I had one ) Mother's maiden name? There's a Facebook page for that.[/citation]

Actually, AccentZIP and AccentRAR are real world derivatives of the ighashgpu program that Zdnet wrote about. Ivan Golubev actually wrote the code for all three programs and we had the pleasure of working with him to write this article. The difference is that with ighashgpu, you're mainly looking at hash cracking.
 

acku

Distinguished
Sep 6, 2010
559
0
18,980


Interesting. According to the article, it seems that the password recovery speed is limited by the internet connection.

I seem to recall seeing someone mention that a pair of 590s was faster than 30000 passwords per second with Elcomsoft's GPGPU document cracker.

Heck, assuming only 2002 SHA-1 transformations, a single GTX 460 would be faster.
 

compton

Distinguished
Aug 30, 2010
197
0
18,680
How much of a jem is this article? This is way better than trying to save 3 cents a year on your power bill. I for one would like to see the process expanded into a benchmark if possible. For one thing, it could be an excellent for CPUs where it seems like it's more optimized -- GPUs are basically limited to nVidia's CUDA, but I still think the brain trust at Toms could find a way to make an informative benchmark out password cracking.
 
G

Guest

Guest
Interesting article. I personally use a fairly simple way to use one different password for each website / service following an easy to remember pattern. The method is described here:

http://passwordadvisor.com/TipsUsers.aspx

Would also be interesting to see if Sandy Bridge AES instructions helps on brute force.
 

srgess

Distinguished
Jan 13, 2007
556
0
18,990
Im surprise they haven't tested Elcom solution, they are faster for recovery password with any competition with some process. You can put make a network resource. So lets say you have a lots of money and put 10-20 4 SLI GTX 590 computer or Tesla computer available resource to get a super computer , password cracking will pass from days to second. Imagine Top supercomputer in the world and its just a beginning. Soon we gonna have to have password with 20 + alpha numeric and special character. Or data crash after 10 attempt.
 

tomfreak

Distinguished
May 18, 2011
1,334
0
19,280
The credit card pin number for online transaction are still 3 numeric digit & it cannot be change LOL, then the ATM machine are still 6 numeric digit, thats how simple our banking system these days. Even my Wifi key is already 63 characters consist of upper/lower case alphabet, numeric and symbols.
 

orwells

Distinguished
Jun 20, 2011
1
0
18,510
Why has Amazon EC2 been ignored?

Why are there so many tables for ZIP 2.0 and almost none for AES? It was said zip was unsafe at the beginning, a table or two should be enough. Yet, I learned very little of AES, the standard nowadays.
 

TheViper

Distinguished
Kkiddu, I was hoping someone would bring that up. 3 million parallel processors cracking at it at once. Full ASCII 64 bit keys in ~ 4 minutes. So long as the cooling holds up.
 
Status
Not open for further replies.