funsec mailing list archives

Fwd: [Infowarrior] - How a cheap graphics card could crack your password in under a second


From: Paul Ferguson <fergdawgster () gmail com>
Date: Sun, 5 Jun 2011 19:12:51 -0700

FYI,

- ferg


---------- Forwarded message ----------
From: Richard Forno <rforno () infowarrior org>
Date: Sun, Jun 5, 2011 at 7:09 PM
Subject: [Infowarrior] - How a cheap graphics card could crack your password in under a second
To:


How a cheap graphics card could crack your password in under a second

http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

I was pointed in the direction of a blog posting talking about the use
of GPU processors to launch brute-force attacks on passwords. GPUs are
extremely good at this sort of workload, and the price/performance
ratio has changed dramatically over the past few years. What might
have seemed impossible even 36 months ago is now perfectly doable on
your desktop computer.

In this report, the author takes a fairly standard Radeon 5770
graphics card (you’ll find it on our A-List under Value Graphics
Card), and uses a free tool called ighashgpu to run the brute-force
password cracking tools on the GPU. To provide a comparison point with
the capabilities of a standard desktop CPU, he uses a tool called
“Cain & Abel”.

The results are startling. Working against NTLM login passwords, a
password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate
of 9.8 million password guesses per second. On the GPU, it takes less
than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1
hour 30 minutes versus only four seconds on the GPU. Go further to 7
characters (fh0GH5h), and the CPU would grind along for 4 days, versus
a frankly worrying 17 minutes 30 seconds for the GPU.

Now, I cannot imagine anyone managing to mandate a nine-character,
mixed-case, random-character password on an organisation. But if you
did, and you weren’t hanging from a tree by the end of the first
working day, the CPU would take 43 years versus 48 days for the GPU.

He then went on to add in mixed symbols to create “F6&B is” (there is
a space in there). The CPU will take 75 days, the GPU 7 hours.
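An added worked example (not from the article, the ighashgpu tool or Cain & Abel) that carries the article's arithmetic through: the exhaustive-search upper bound is alphabet_size^length divided by the guess rate, evaluated at the CPU and GPU rates quoted above, and it goes one step beyond the article by answering the inverse, policy-sizing question of how long a password must be before a given rate needs more than a chosen time budget. The two rates are the article's; the 62-symbol alphabet (mixed-case letters and digits) and the 100-year budget are assumptions.

```python
# Brute-force time estimates at the guess rates quoted in the article (NTLM).
CPU_RATE = 9.8e6   # Cain & Abel on a desktop CPU, guesses per second
GPU_RATE = 3.3e9   # ighashgpu on a Radeon 5770, guesses per second

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def exhaustive_search_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses/second.
    A randomly chosen password is found after half this time on average."""
    return keyspace(alphabet_size, length) / rate


def min_length_for(alphabet_size: int, rate: float, budget_seconds: float) -> int:
    """Smallest length whose full keyspace takes longer than `budget_seconds`
    to exhaust at `rate` guesses/second (the policy-sizing question)."""
    needed = rate * budget_seconds          # guesses the attacker can afford
    length = 1
    while keyspace(alphabet_size, length) <= needed:
        length += 1
    return length


def humanize(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally use."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    # 26 lower + 26 upper + 10 digits = 62 symbols, the class of the article's examples.
    for length in (5, 6, 7, 9):
        cpu = humanize(exhaustive_search_seconds(62, length, CPU_RATE))
        gpu = humanize(exhaustive_search_seconds(62, length, GPU_RATE))
        print(f"{length} chars over 62 symbols: CPU {cpu:>12}   GPU {gpu:>12}")
    # Assumed budget: how long must a 62-symbol password be so that the GPU
    # rate needs more than 100 years to exhaust the keyspace?
    print("length for >100 years at GPU rate:",
          min_length_for(62, GPU_RATE, 100 * SECONDS_PER_YEAR))
```

The 7- and 9-character worst-case figures land on the article's 17-odd minutes, 4 days, 48 days and 43 years; the shorter cases come out higher than the article's measured times because a real run stops as soon as the password is hit.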

What does this tell us? Well, the stark reality is that even long and
complex passwords are now toast. If you think you were being wise by
forcing users to have randomisation in their passwords, then think
again. It is utterly futile.

Yes, you can force your users to have a 15-character password
consisting of random numbers and letters, and throw in punctuation as
well. This is great as an idea, but we know that most users think that
a password like “Barry1943Manilow” where 1943 was the year he was
born, is complex and hard to remember. Is an IT manager really going
to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without
the combination ending up on a Post-it note in his wallet? Or stuck to
the side of the screen? Because anything much less than this is going
to be open to attack over the next few years.

A GPU of the type used by this chap is not unusual or high end. It is
standard-issue stuff. Indeed, I have just sat through the AMD
presentation here at Computex in Taiwan, and they made a big deal
about putting GPU power into netbooks offering 500Gflops, without
denting its 12-hour battery life. And that’s shipping within months.

All I can say is this: you have been warned. It is time to think long
and hard about password security, and how you do your authentication.
This has crept up on us in the background, and we really haven’t been
paying attention. Nor has Microsoft, frankly, who should be having a
whole raft of alternative, hardened solutions in place ready for its
business customers to roll out.

What are the solutions? To be honest, I’m not sure. A combination of
TPM, biometrics, passwords and maybe something else entirely new will
be needed. But it’s clear that a complex password that users will
actually accept for day-to-day authentication, and keep secret, might
be history.
_______________________________________________
Infowarrior mailing list
Infowarrior () attrition org
https://attrition.org/mailman/listinfo/infowarrior



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
