14-character passwords hacked in 6 minutes with 25 GPUs

Posted on Wednesday, December 05 2012 @ 17:11 CET by Thomas De Maesschalck
With the rise in computing power, it's increasingly hard to guarantee computer security. Slashdot, for instance, reports today that Jeremi Gosney (aka epixoip) showed off a GPGPU computing powerhouse at the Passwords^12 Conference in Oslo, Norway that can crack a 14-character Windows XP password (hashed using LM) in just six minutes. To achieve this, he uses a cluster of five 4U servers with a total of 25 AMD Radeon GPUs (10x 7970, 4x 5970, 3x 6990, 1x 5870) communicating at 10Gbps over Infiniband switched fabric.
Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete.

In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM, for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

[Note of clarification from Jeremi: "LM is what is used on Win XP, and LM converts all lowercase chars to uppercase, is at most 14 chars long, and splits the password into two 7 char strings before hashing -- so we only have to crack 69^7 combinations at most for LM. At 20 G/s we can get through that in about 6 minutes. With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours."]
Full details at Security Ledger.
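The Python sketch below is an added example, not code from the article or from Gosney's cluster. It reproduces the LM pre-hash steps described in the clarification (uppercase, pad to 14, split into two 7-character blocks) and works through the quoted keyspace figures; the function names are assumptions made for illustration, and the rates are the ones quoted above.

```python
import string

# Printable ASCII (0x20-0x7e): the 95-character set behind "95^8" in the quote.
PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]
# LM uppercases its input, so lowercase letters never reach the hash: 69 remain.
LM_CHARSET = [c for c in PRINTABLE if c not in string.ascii_lowercase]

def lm_halves(password):
    """Return the two 7-byte blocks that LM hashes independently (ASCII only)."""
    if len(password) > 14:
        raise ValueError("LM input is at most 14 characters")
    data = password.upper().encode("ascii").ljust(14, b"\0")
    return data[:7], data[7:]

def keyspace(charset_size, length):
    """Number of candidates of exactly `length` characters."""
    return charset_size ** length

def worst_case_seconds(candidates, rate_per_second):
    """Time to exhaust the whole keyspace at a constant guess rate."""
    return candidates / rate_per_second

def report(lm_rate=20e9, ntlm_rate=348e9):
    """Work through the figures quoted in the article."""
    lm_half = keyspace(len(LM_CHARSET), 7)       # 69^7, one 7-character block
    naive_14 = keyspace(len(PRINTABLE), 14)      # 95^14, what 14 chars suggests
    ntlm_8 = keyspace(len(PRINTABLE), 8)         # 95^8
    return {
        "lm_half_candidates": lm_half,
        "lm_half_minutes": worst_case_seconds(lm_half, lm_rate) / 60,
        "ntlm8_hours": worst_case_seconds(ntlm_8, ntlm_rate) / 3600,
        # How much of the apparent 14-character strength LM discards.
        "lm_reduction_factor": naive_14 / lm_half,
    }

if __name__ == "__main__":
    # Constructed sample password; both blocks are attacked separately.
    print(lm_halves("Correct-Horse1"))
    # A short password leaves the second block as pure padding.
    print(lm_halves("abc"))
    for name, value in report().items():
        print(f"{name}: {value:,.2f}")
```

Because each block is at most 7 characters from a 69-character set, the length of the original password adds nothing beyond the second block, which is why a 14-character LM password costs about the same to exhaust as a 7-character one.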
