Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack?

Think again!

Jon Honeyball, writing for PC Pro, has a sobering piece on how the modern GPU can be leveraged as a powerful tool against passwords once considered safe from brute force attack.
[...]

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.
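
As an added example (not from the PC Pro article or this post), the following calculator reproduces the article's 7- and 9-character figures from its quoted guess rates and a 62-character alphabet, then answers the defender's question of how long a random password must be to outlast a given search. The `work_factor` parameter and the 100-year target are assumptions of this example.

```python
# Guess rates quoted in the article (NTLM, guesses per second).
CPU_RATE = 9.8e6
GPU_RATE = 3.3e9
ALPHABET = 26 + 26 + 10  # lowercase + uppercase + digits
YEAR = 365.25 * 86400

def exhaustive_seconds(length, rate, alphabet=ALPHABET, work_factor=1):
    """Worst-case seconds to try every password of exactly `length` characters.

    work_factor is an assumption of this example: it models a deliberately
    slow password hash where one guess costs that many fast-hash evaluations.
    """
    return alphabet ** length * work_factor / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def min_length(target_seconds, rate, alphabet=ALPHABET, work_factor=1):
    """Shortest random password whose keyspace takes >= target_seconds."""
    needed = target_seconds * rate / work_factor  # guesses to withstand
    length = 1
    while alphabet ** length < needed:
        length += 1
    return length

if __name__ == "__main__":
    print("len  CPU (9.8M/s)      GPU (3.3G/s)")
    for n in range(5, 11):
        print(f"{n:>3}  {humanize(exhaustive_seconds(n, CPU_RATE)):<16}  "
              f"{humanize(exhaustive_seconds(n, GPU_RATE))}")
    # Policy question: what length survives 100 years at the GPU rate?
    print("fast hash:", min_length(100 * YEAR, GPU_RATE), "characters")
    print("100,000x slower hash:",
          min_length(100 * YEAR, GPU_RATE, work_factor=100_000), "characters")
```

These are worst-case times for exhausting the whole keyspace; a particular password is found whenever the search reaches it, which on average is halfway through.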




  1. jpohland says:

    So how does this work?
    9.8 million guesses per second.
    How do you get a system to say “no that’s not it” 9.8 million times per second?
    Seriously, I don’t get it.

  2. NobodySpecial says:

    #21 – it’s easy to copy the password file on a machine you have access to.
    Since it’s encrypted there’s no need to keep it secret! So you copy the file to your own machine and try every possible passwd in turn and compare to the encrypted value.

    The breakthrough is that it is complicated to encrypt the new guess before comparing it – so it would take too long to try all of them. But with a GPU you can encrypt a billion guesses/second – at least with a weak algorithm like NTLM or MD5

  3. Wildsolution says:

    @#21
    Think of it as comparing two values. The “Brute Force” algorithm looks at what combinations of characters it takes to come up with the same encrypted value. As others have pointed out, you need access to the encrypted passwords.

  4. jdmurray says:

    These calculations are for a single search across the entire search space. In real life you will use multiple GPU brute force attacks working on different parts of the search space. Dividing up the work across multiple GPUs greatly decreases the time to discover the match to an encryption key or to a cryptographic hash value.

  5. jpohland says:

    #22, #23
    thanks.
    I saw “NTLM login passwords” in the article and #3's observation that this method was applied to a local file (not a network login), so I was confused. Your explanations make total sense.

  6. msbpodcast says:

    All you need is enough disk space. (That should make you look twice at all those cheap terabyte drives [and who's buying them exactly?])

    You can reduce cracking to capturing encrypted passwords as they stream by and doing single seeks on a hard drive.

    It's called using a ‘sparse matrix’ space to reverse encode.

    The reverse encoding is a computable process that can have taken days and days generating all of the keys off-line. The use of a GPU just speeds up the encryption key generation.

    The cracking process then becomes a simple seek, point to the key that generated it, retrieve that key and you’re in. Encrypted text has become clear text.

    No key-fob, no complex time based encryption algorithm, nothing can stand up to it.

    It uses the encryption process against itself.

  7. jdmurray says:

    #26 Creating a table of all possible key values? Not very practical for modern password solutions. For example, with SHA-256, you have 2**256 possible 32-byte hash values, but there are only 10**12 bytes on a 1TB HDD. In this case, building a complete table for seeking is not a practical solution.

  8. deowll says:

    Longer passwords are vital but something as basic as QWERTYasdf!@#$%^&*()123456789?0 pretty much means they aren’t going to get the answer in your lifetime.

    If the software requires a two second growing to six or more second delay between guesses then the brute force attack can get seriously bogged down on that as well.

  9. Thomas says:

    #27
    It isn’t nearly that many combinations. You are only looking at it from the perspective of the hash instead of the input. If you use a five character password with upper case, lower case and numbers, that’s only 550 million combinations (56^5). Far less than 2^256. Six characters expands the combinations to 30 billion but that is still far lower than 2^256.

    One element not mentioned in all of this is the effect of salting. If the passwords use salts and pepper (an additional padding value relative to the system as opposed to salts which are different for each user), it makes cracking the passwords substantially tougher. I’ll bet the brute force crack times assume you have access to the salts and pepper if there is any.

  10. Dallas says:

    The best technique is to use a lengthy passphrase such as the following:


    the best technique is to use a lengthy passphrase such as the following

  11. Publius says:

    This problem only matters if the thief steals the whole hard drive, and then runs a prolonged attack program against it for a month.

    In other words the FBI and the police have taken your hard drive in a raid. Raids are common now that officers can sniff and indicate just like their dogs.

    In that case you better be using more than NTLM for encryption of data or you are asking to be raped by the govt.

  12. jbenson2 says:

    #30 – Have to agree with Dallas

    Assumption: one hundred trillion guesses per second

    Dallas Password: the best technique is to use a lengthy passphrase such as the following

    According to Steve Gibson’s brute force calculator, this lower case character password could be guessed in:

    1.74 million trillion trillion trillion trillion trillion trillion trillion trillion centuries

  13. Thomas says:

    #31
    Sadly, not universally true. Imagine a website that captures credentials like Facebook, Google, Sony or your bank. One SQL injection attack could give the attacker the entire username, password hash and salt list.

  14. sargasso_c says:

    Rainbow table attacks are noticed.

  15. Rick Cain says:

    Just use a pass phrase. Easy to remember, especially if the phrase is funny and non sequitur.

  16. Anatoly Nechaev says:

    Look at the bitcoin mining network.
    It already operates at terahash/second values.

    If it keeps growing at the current rate until 2013, it will be able to perform at such speeds that it will take only 10 minutes to brute force RSA-1024!!!
    http://habrahabr.ru/blogs/crypto/120257/ (article in Russian)

    You just need to pay those miners better than bitcoin generation does.

  17. colored says:

    Why not have the option to assign different colors to random characters? Might take a bit longer to brute force that, I’m thinking.

  18. Mr. Crypto says:

    Here’s an interesting look at cracking using downloadable software. Think you’re safe? Ahhahahaha.

  19. Glenn E. says:

    Let’s face it. The computers and their operating software: none of it was ever engineered with any really tough security in mind. Everything that comes along afterward has merely been tacked onto these weaker systems. And whatever has been tacked on can be bypassed or hacked. In order for truly hard PC and internet security to exist, the computer and OS makers have to start over almost from scratch, not taking anything for granted that was created long ago, in the “stone age” of computers. And the industry, in general, should take a sabbatical from boosting sales by delivering the latest bells and whistles they say the consumers want. It’s these new toy features where the next security flaws will be found. And the resources being devoted to their development are what could be used to strengthen system security.


