We often write about how you need a secure password, or the ingenious new tricks developed by hackers to penetrate security systems, but rarely do we see how they go about their work. Here’s the kit they use to crack your password.
At a recent security conference, called Passwords^12, researcher Jeremi Gosney showed off the kind of rig that hackers use to crack passwords. It’s shown in the photograph above.
You’re looking at a cluster of five 4U rack servers equipped with 25 AMD Radeon graphics cards, capable of communicating at up to 20 Gbps. On that runs a password-cracking program which can churn through 348 billion password hashes per second.
In other words, plenty of secure passwords can be brute-forced given a little time. For some perspective, that means a 14-character Windows XP password will fall within six minutes. There’s plenty more technical detail over at Security Ledger if you’re interested.
In the meantime, though, this should make you think twice about the kind of passwords you use: if you don’t have long, random strings in use, hackers will be able to nail you. As Boing Boing puts it, yesterday’s “password that would take millions of years to break” is this year’s “password broken in an afternoon”. Set ‘em long and strong, people. [Security Ledger]
That is quite impressive.
This is why the world’s most powerful supercomputer uses GFX cards to do the processing, and CPUs to schedule the jobs to each card.
But does it run quake?
Not only does it run quake, it will simultaneously run every copy of every quake game ever made. Except Quake Wars, that sucked!
Quake Wars was a great little game, as was Brink.
The problem was the majority of brainless FPS players couldn’t handle this ‘teamwork’ thing.
Not saying that’s why you don’t like it, it’s the reason many don’t though.
Quake Wars was great before they fucked it up by making it perfect for noob play. Hey I’m in range of a turret, let’s bleeep at them a million times so they don’t get shot…
I quite liked Brink as it reminded me of Enemy Territory.
I was always taught “security through obscurity”, which is why I always stay as obscure as possible so no-one will want to try and hack my life.
“which is why I always stay as obscure as possible”
I’d suggest learning how to use Facebook’s privacy settings then!
That’s a nice rig, my cheap £120 cracker can only do 300 million hashes per second. So this rig is an order of magnitude higher than mine.
Only capable of communicating up to 10gbps.
The problem is that massively long random passwords are bloody hard to remember. People end up writing them down to aid their memory.
Of course if you only use 1 machine it’s quite simple, but I use a few, so I have my own algorithm that I can remember.
Random passwords are stupidly easy to crack, I can’t be bothered to explain so I’ll get xkcd to do it for me:
http://xkcd.com/936/
By random I was thinking of something like:
waj4dkhs&7kjfdhS3jkD#hksja5hdjkAsh@4dkjwrg2. i.e. the stuff you get in those password locker sites and software.
Not just 1337/h@x0r style dyslexic bollocks.
“waj4dkhs&7kjfdhS3jkD#hksja5hdjkAsh@4dkjwrg”
Doesn’t everyone use random passwords like that?
Someone please explain this one. Password cracking is a myth. No password has ever been brute-forced. That’s what I thought anyway.
That’s wrong, passwords get brute forced all the time.
Why not freeze an account after 3, 10, 100 or 1000 failed login attempts in the last 30 secs. To brute force an attack you will need to come up with a new password combination and try it. The system can come up with infinite combinations till the end of time but is likely only getting a finite number of attempts at using those passes before it is flagged.
An easier way is to nick most normal people’s laptops/smartphones, no logon needed, and then auto login to all of their user accounts in the browser. Or look for that hidden file that has all their passwords and PINs logged in it. Not as cool, but safer, simple with better results.
Local hashes.
If you walk up to a Windows machine you can get it to give you the password hashes, that’s the way the logon system works. You enter a password, it hashes it and sees if it matches the password’s hash, if it does then you are free to enter, or you just take the password hash and begin hashing passwords until they match, then enter the password.
Surely you must need a second bit of information – namely the algorithm by which the OS generates the hash?
This must be slightly different on each machine or it would be possible to create a huge rainbow table with every possible hash for passwords of a particular length (which is probably faster than generating them each time).
The algorithms are the same, but unix systems add a small random string to the end of passwords before hashing them.
http://en.wikipedia.org/wiki/Salt_(cryptography)
But all that does is stop rainbow tables, brute force or dictionary hacks still work.
On windows rainbow tables work fine most times, I know somebody with a 20TB rainbow table and he can get into most windows machines in a few minutes.
If you want to keep data safe then use AES 256-bit encryption on a hard drive.
Ah neat (and more than slightly worrying!), thanks for such an informative reply
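The article’s 348 billion hashes per second and the salt/rainbow-table exchange above both come down to the cost of checking one guess. The following Python is an added example, not code from the article, Security Ledger, or any commenter: it shows why an unsalted single-round hash is defeated by a precomputed lookup table, why a salted and iterated hash is not, and how the iteration count scales a crack-time estimate at the article’s rate. The word list, salts and rates are constructed; the estimate is a plain worst-case exhaustive-search model and does not reproduce the article’s Windows XP figure, which depends on the weak legacy hash format XP uses rather than on raw keyspace.

```python
"""Fast unsalted hashing vs. salted, iterated hashing, plus a crack-time
estimate at a given guess rate.

Added example; not the article's or any commenter's code.  The word list,
salts and hash rates below are constructed for illustration.
"""
import hashlib
import os
import string


def fast_hash(password: str) -> str:
    """Unsalted single-round SHA-1: the kind of storage a lookup or rainbow
    table defeats, because equal passwords always give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256.  The salt makes a precomputed
    table useless; the iteration count multiplies the cost of each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations).hex()


def build_lookup_table(candidates) -> dict:
    """Toy stand-in for a rainbow table: digest -> password for a word list."""
    return {fast_hash(p): p for p in candidates}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       hashes_per_second: float, iterations: int = 1) -> float:
    """Worst-case time to try every candidate of the given length.  An
    iterated hash divides the effective guess rate by its iteration count."""
    return keyspace(charset_size, length) * iterations / hashes_per_second


if __name__ == "__main__":
    # Constructed sample data: a tiny word list standing in for a real one.
    wordlist = ["password", "letmein", "qwerty", "dragon", "monkey"]
    table = build_lookup_table(wordlist)

    # Two users chose the same weak password.
    digest_a = fast_hash("letmein")
    digest_b = fast_hash("letmein")
    print("unsalted, same password -> same digest:", digest_a == digest_b)
    print("lookup table recovers it:", table.get(digest_a))

    salt_a, salt_b = os.urandom(16), os.urandom(16)
    print("salted, same password -> same digest:",
          salted_hash("letmein", salt_a) == salted_hash("letmein", salt_b))

    # The article's figure: 348 billion hashes/s against a fast hash.
    rig = 348e9
    printable = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    for length in (8, 10, 14):
        fast = seconds_to_exhaust(printable, length, rig)
        slow = seconds_to_exhaust(printable, length, rig, iterations=100_000)
        print(f"{length:2d} chars: fast hash {fast / 3600:14.1f} h, "
              f"100k-iteration KDF {slow / 3600:18.1f} h")
```

The point of the iteration count is that it costs the legitimate server one hash per login but costs the cracker one hash per guess; purpose-built password hashes (bcrypt, scrypt, Argon2) apply the same idea with tunable cost.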
That’s pretty impressive. It all comes down to the software you are trying to hack though. The moment an exponentially growing time gap between false entries is enforced a password only needs to be a few characters (even if it is a real word) to protect something.
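The "exponentially growing time gap" idea above, and the earlier suggestion of freezing an account after a burst of failed logins, are both online rate limits. The following Python is an added example, not code from the article or any commenter: a per-account back-off that doubles the wait after each consecutive failure up to a cap, with a simulated clock so the demo runs instantly, and a function that counts how many wrong guesses the policy allows against one account in a day. The `password_ok` flag stands in for a real credential check and the base/cap values are assumed.

```python
"""Exponential login back-off: a per-account throttle that doubles the wait
after every consecutive failure, capped, and resets on success.

Added example; not from the article or the commenters.  The clock is a
plain float of seconds passed in by the caller, so nothing sleeps.
"""
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    base: float = 1.0          # wait after the first failure, seconds (assumed)
    max_delay: float = 3600.0  # cap so the wait cannot grow without bound (assumed)
    # account -> (consecutive failures, earliest time the next attempt is accepted)
    _state: dict = field(default_factory=dict)

    def delay_after(self, failures: int) -> float:
        """Wait imposed after the n-th consecutive failure: base * 2**(n-1), capped."""
        if failures <= 0:
            return 0.0
        return min(self.base * 2 ** (failures - 1), self.max_delay)

    def attempt(self, account: str, password_ok: bool, now: float) -> bool:
        """True only if the attempt was accepted AND the password was right.
        An attempt made before the back-off has elapsed is rejected without
        the password being evaluated, and does not change the back-off."""
        failures, not_before = self._state.get(account, (0, 0.0))
        if now < not_before:
            return False                     # still locked out
        if password_ok:
            self._state.pop(account, None)   # success resets the counter
            return True
        failures += 1
        self._state[account] = (failures, now + self.delay_after(failures))
        return False

    def retry_after(self, account: str, now: float) -> float:
        """Seconds until the next attempt on this account will be evaluated."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - now)


def guesses_per_window(window_seconds: float, base: float = 1.0,
                       max_delay: float = 3600.0) -> int:
    """Number of wrong guesses an online attacker can have evaluated against
    one account within window_seconds under this policy (simulated)."""
    throttle = LoginThrottle(base=base, max_delay=max_delay)
    now, guesses = 0.0, 0
    while now <= window_seconds:
        throttle.attempt("victim", password_ok=False, now=now)
        guesses += 1
        now += throttle.retry_after("victim", now)   # jump straight to the next slot
    return guesses


if __name__ == "__main__":
    per_day = guesses_per_window(24 * 3600)
    print(f"wrong guesses evaluated per account per day: {per_day}")
```

With a one-second base and a one-hour cap, the loop evaluates 35 guesses per account per day, which is why the same rig that does hundreds of billions of hashes per second offline is irrelevant against a throttled login form; the hard case for the defender is spreading guesses across many accounts rather than many guesses at one, which a per-account counter alone does not address.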
In most cases a quick look at the top 10 most used passwords helps clear things up.
Correct me if I’m wrong, but most websites time-out after 3 or so incorrect tries, and make you wait a few minutes. Given this, how is brute forcing effective on any decent website?
Patience?
It’s for offline attacks only. If you tried pumping that much data through a web connection you would be limited by so many things: your web connection (you’ll basically DoS yourself), ISP data restrictions, and the server hosting the website you’re brute forcing; all that data would most likely take the server down.
You would only use this if you had the password hash, so for instance if you went onto someone’s MacBook and stole the SHA512 hash that their password is stored as. Once you have the hash you would then begin to bruteforce it offline, meaning the only thing limiting your attempts is the software you’re using and the hardware.
He he Dos yourself – like scoring an own goal – or trying to download LOTRO on their own client!
Exactly. So I needn’t worry at all about my online passwords (aside from some basic do’s and don’ts) unless my PC is stolen, when I’d simply change them. So nothing to see here, then…….
Hi,
I apologize for irrelevant post. but I have one question.
I’ve been a Gizmodo reader for over 1 year now, and it has been all good until about a few weeks ago.
What is happening with all the adverts that you are putting?
It starts to look horrible.
I read Gizmodo a lot on my iPhone, and it became impossible to do it recently, because on every page, every time you refresh, or click on a story, you get the stupid Samsung advert on top of the screen.
And when you access it on the PC/iPad, the top bar is gone, you remember where there were pinned stories? Well I used that a lot!
(((
Now Samsung advert again?
Thanks,
Unhappy reader,
pffft my bitcoin mining rig has more power than that
Sigh. Kinda puts my new PC to shame…
Not really. Anything you are likely to want to run will perform as well on your PC. What he has is dedicated to running a specific type of program. It probably wouldn’t run Office any quicker than whatever Dell are sticking out this week.
That’s not strictly true. In order to crack it they would need the hashed passwords stored locally. No home internet connection would be able to handle enough connection attempts per second for bruteforce to work in anything like the timescale you’re suggesting.
The ONLY way this system can crack passwords is to have the encrypted file stored locally. For that they would either have had to break in to a home users machine via other means, (making a password crack pretty pointless) or they could grab a websites user database with passwords, which is no small feat in itself when proper security steps are taken.