How a cheap graphics card could crack your password in under a second

Tom172

Level 1
Thread author
Feb 11, 2011
1,009
I was pointed in the direction of a blog posting talking about the use of GPU processors to launch brute-force attacks on passwords. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now perfectly doable on your desktop computer.

In this report, the author takes a fairly standard Radeon 5770 graphics card (you’ll find it on our A-List under Value Graphics Card), and uses a free tool called ighashgpu to run the brute-force password cracking tools on the GPU. To provide a comparison point with the capabilities of a standard desktop CPU, he uses a tool called “Cain & Abel”.

Read more: How a cheap graphics card could crack your password in under a second | PC Pro blog http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/#ixzz1O3CCPTeS

 

bogdan

Level 1
Jan 7, 2011
1,362
Good article, although the idea of using the GPU for computing and cracking passwords is not new. One small mention: this works great if you have direct access to the computer (or the file containing the hashed password). Over the Internet there are considerable slowdowns due to network latency so using complex passwords for your online accounts is still recommended.
 

bogdan

Level 1
Jan 7, 2011
1,362
Recently, Steve Gibson (grc.com) made an interesting statement. What matters most in a password is the length, so if you have a good (but not great) password all you need to do is pad it with a memorable set of characters to make it longer. For example, if your password is "/12Z-StH" all you need to do to make it great is convert it to "<><><><>/12Z-StH<><><><>". This works because when an attacker tries to brute-force your password he:
  • doesn't know its length and assumes it is a short password (simply because most passwords are short and he doesn't want to waste his time trying 30-character-long passwords on a 6-character password).
  • can't guess the first character and then proceed to the next one; he has to guess all characters at the same time.

More info: https://www.grc.com/haystack.htm
 

jelson

Level 2
Jun 14, 2011
54
bogdan said:
Recently, Steve Gibson (grc.com) made an interesting statement. What matters most in a password is the length, so if you have a good (but not great) password all you need to do is pad it with a memorable set of characters to make it longer. ....

More info: https://www.grc.com/haystack.htm

That's an interesting idea. Thanks for the tip.

I recently encountered a posting about using a phrase containing 3 or more words as a password. I'd be interested in knowing what anyone thinks about this idea.

Here's the original 2007 article by Thomas Baekdal: http://www.baekdal.com/tips/password-security-usability

and its follow-up article written in Jan of this year: http://www.baekdal.com/tips/the-usability-of-passwords-faq

Additionally, in April of this year, in response to a critique of his article by Steve Gibson, he wrote this: http://www.baekdal.com/tips/usable-security-reply-to-security-now/

Personally, I use KeePass and get it to generate long complex passwords for me (with upper case and special characters) but then I have to rely on it to manage them for me. But there's little chance of getting my friends who aren't computer-savvy to do this sort of thing.

Cheers.
 
Deleted member 178

My old password was a combination of 3 words using Dungeons and Dragons monsters' names written in "hacker language" with a special character between each one :p
 

bogdan

Level 1
Jan 7, 2011
1,362
@jelson First of all, he only talks about hacking remote systems (like a password protecting your Gmail account). Web latency and the fact that most web sites introduce a delay after a certain number of tries make passwords that lack complexity more secure than in the case where an attacker tries to break a password on his own machine. I wouldn't use "this is fun" as the password for an encrypted archive, for example, and I am sure the author of the article wouldn't use it either. Also, I have absolutely no assurance that the Web server will not be hacked and its database containing the hashes of my password stolen (and it happened recently). So we can't use "this is fun" as the only password, on every site. Anyway, his entire point is that we don't need to force ourselves to remember complex passwords for websites, and I agree with him but for a different reason: we have password managers. As long as it is easy for me to use complex passwords I see no reason not to do it.

So we don't need to remember all our passwords, but for the few we need to remember, I still think you need some complexity. Simply because statistically most people use common words written in lowercase as passwords, this is what hackers will try first. So you need to stay away from what most people would use. "this is fun" would be safer than "J4fS<2" but only because it is longer and only if we ignore the fact that it uses dictionary words. If people started using passwords like these (lowercase dictionary words separated by spaces) then it most certainly wouldn't be that safe, because there is a limited number of words people can use, and they will most likely use common words. "this is fun" is certainly not safer than "J4fS<2....." (both 11 chars long, but the second password uses all types of characters and no dictionary words).
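The search-space arithmetic behind both bogdan's padding example ("/12Z-StH" vs "<><><><>/12Z-StH<><><><>") and the "this is fun" vs "J4fS<2....." comparison, as an added example that is not from the thread, the PC Pro article or grc.com. The attacker model (smallest character-class alphabet that covers the password, every length tried up to the real one), the 10,000-word dictionary and the guess rate are constructed assumptions for illustration, not measured figures.

```python
"""Search-space estimates for the passwords discussed in this thread.
Example code added here, not from the thread or from grc.com; the attacker
model, dictionary size and guess rate are constructed assumptions."""
import string

# Attacker model (constructed): enumerate the smallest union of these
# classes that covers the password, at every length up to the real one.
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),
)


def alphabet_size(password: str) -> int:
    """Size of the smallest class-union alphabet that covers the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space(password: str) -> int:
    """Guesses to exhaust every length 1..len(password) over that alphabet.
    Padding with a repeated memorable symbol does not enlarge the alphabet,
    but every extra character multiplies the space by alphabet_size."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def phrase_search_space(phrase: str, dictionary_size: int) -> int:
    """Space faced by an attacker who combines lowercase dictionary words
    instead (bogdan's caveat): dictionary_size ** number_of_words."""
    return dictionary_size ** len(phrase.split())


def years_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a constant guess rate."""
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e9  # constructed: one billion guesses per second, for illustration
    for pw in ("/12Z-StH", "<><><><>/12Z-StH<><><><>", "J4fS<2.....", "this is fun"):
        n = search_space(pw)
        print(f"{pw!r:28} alphabet={alphabet_size(pw):3} len={len(pw):2} "
              f"space={n:.2e} years={years_to_exhaust(n, RATE):.2e}")
    # The same phrase attacked as 3 words from a 10,000-word list (constructed size)
    words = phrase_search_space("this is fun", 10_000)
    print(f"'this is fun' via wordlist: space={words:.2e} "
          f"years={years_to_exhaust(words, RATE):.2e}")
```

The output shows the two effects the posts argue over: padding multiplies the class-based space by a factor of 95 per added character, while a word-list attack collapses the apparent space of "this is fun" from 59^11 down to 10,000^3.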
 
