Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack?

Think again!

Jon Honeyball writing for PC Pro has a sobering piece on how the modern GPU can be leveraged as a powerful tool against passwords once considered safe from bruteforce attack.

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

  1. jbenson2 says:

    #30 – Have to agree with Dallas

    Assumption: one hundred trillion guesses per second

    Dallas Password: the best technique is to use a lengthy passphrase such as the following

    According to Steve Gibson’s brute force calculator, this lower case character password could be guessed in:

    1.74 million trillion trillion trillion trillion trillion trillion trillion trillion centuries

  2. Thomas says:

    Sadly, not universally true. Imagine a website that captures credentials like Facebook, Google, Sony or your bank. One SQL injection attack could give the attack the entire username, password hash and salt list.

  3. sargasso_c says:

    Rainbow table attacks are noticed.

  4. Rick Cain says:

    Just use a pass phrase. Easy to remember, especially if the phrase is funny and non sequitur.

  5. colored says:

    Why not have the option to assign different colors to random characters? Might take a bit longer to brute force that, I’m thinking.

  6. Mr. Crypto says:

    Here’s an interesting look at cracking using downloadable software. Think you’re safe? Ahhahahaha.

  7. Glenn E. says:

    Let’s face it. The computers and their operating software. None of it was ever engineered with any really tough security in mind. Everything that come along afterward, has merely been tacked onto these weaker systems. And whatever has been tacked on, can be bypassed or hacked. In order for truly hard PC and internet security to exist. The computer and OS makers, have to start over almost from scratch. Not taking anything for granted, that was created long ago, in the “stone age” of computers. And the industry, in general, should take a sabbatical from boosting sales by delivering the latest bells and whistle, they say the consumers want. It’s these new toy features, that’s where the next security flaws will be found. And the resources being devoted to their develop, is what could be used to strengthening system security.

  8. Glenn E. says:

    When the only thing PCs did, was play games and run small business software, all was fine. As soon as someone suggested hooking them up to each other, by some means other than cassette tape. Even they could have carried a virus. But the likelihood is extremely small. Home PCs and even business main frames, were never designed NOT to share things they shouldn’t, with each other. For the longest time, it was a chore just to get them to work at sharing what they should. So naturally, making things harder, or next to impossible, to get at, by those who shouldn’t. Wasn’t even a remote consideration, for quite some time. And so it’s been a slow wake up call for everyone, just how vulnerable the whole thing is. And slow, because the emphasis hasn’t been on adapting safer communication practices. But on how easy and fun it is to put one’s whole live on the internet. Trust the Cloud with it all. The Cloud is good. Never mind that its security is the weakest that can be gotten away with.

  9. pwuk says:

    “the cat sat on the mat and crapped” makes a good password, trillions of centuries to crack apparently

  10. Thomas says:

    Not an accurate accessment in my opinion. First, the issues here are not related to operating systems but to the hashing algorithms being used and the design of the Internet. I would agree that the Internet (IPv4 certainly) was not designed with security in mind. However, the issue here is that even if you do use the industry standard algorithms you could be vulnerable. The computing power via grid computing and the storage power are progressing faster than the mathematical algorithms. Unix and Windows have both evolved to the point where they can be configured to provide quite good security. The primary problem isn’t with the operating systems.

  11. Max128 says:

    #21, I agree it doesn’t make any sense. Does TrueCrypt (or any authentication system) allow someone to try 3 billion password attempts in 1 second? Couldn’t TrueCrypt and other systems thwart these brute-strength attacks by simply gradually slowing down after each successively incorrect password?

  12. Thomas says:

    Couldn’t TrueCrypt and other systems thwart these brute-strength attacks by simply gradually slowing down after each successively incorrect password?

    No because a hacker doesn’t need the TrueCrypt application to crack your data. In any attack, you assume the attacker has the cypher (your encrypted data) and the algorithm. Thus, if a hacker copies your TrueCrypt partition, they can write a routine that will go through billions of combinations to crack it without ever launching TrueCrypt.

  13. Gr says:

    The bigger issue, is that with enough machines cranking, all the hash values can be computed and stored in a database in a fixed amount of time. Once that is done, then a simple database query returns the text for the hash, and you have constant time password lookup.

    Once the hash is exposed, nothing is safe, no matter what the algorithm for computing the hash is.


Bad Behavior has blocked 5864 access attempts in the last 7 days.