The Hardware Hackers Use To Crack Your Passwords

We often write about how you need a secure password, or the ingenious new tricks developed by hackers to penetrate security systems, but rarely do we see how they go about their work. Here's the kit they use to crack your password.

At a recent security conference, called Passwords^12, researcher Jeremi Gosney showed off the kind of rig that hackers use to crack passwords. It's shown in the photograph above.

You're looking at a cluster of five 4U rack servers equipped with 25 AMD Radeon GPUs, capable of communicating at 10Gbps and 20Gbps. On that is run a HashCat password cracking program which can churn through 348 billion password hashes per second.

In other words, plenty of secure passwords can be brute-force attacked given a little time. For some perspective, that means a 14-character Windows XP password will fall within six minutes. There's plenty more technical detail over at Security Ledger if you're interested.

In the meantime, however, this should make you think twice about the kind of passwords you use: if you don't have long, random strings in use, hackers will be able to nail you. In minutes. [Security Ledger]



    OK, so where is the next generation of password replacement. We're supposed to be able to use our eyes, finger prints, palm prints, blood vein imagery, what is going to replace the simple password. From what I can see, we are desperately in need of an alternative now!!

      ^^ This is true.

      What kind of software ALLOWS "348 billion password hashes per second"?

      Surely with a 2 second wait between password attempts the problem is solved ... or is it not as simple as that?

        Gleno, these are for cracking acquired password databases, not for attacking live systems. So yes, if you keep your password database safe, then standard "disable after x incorrect attempts" kind of techniques help.

          ^ This,
          combined with the fact that most people have 1 password for everything.
          So once there is a leak, all of their accounts are compromised.

          To defeat this, you need:
          1) a different password for every site
          1a) a password manager to remember them all
          2) long randomised passwords
          3) 2 factor authentication turned on (where available)

            Surely it is time for a better system than remembering passwords anyway. What about signed certificates or some other personal metric?

              million times more dangerous, fingerprint ids and stuff still need to be hashed and stored, but you can't go and change your fingerprint if a companies password database is leaked.

              plus look at any heaist movie ever made, they will just kill the person and still their finger.

      Biometrics brings up a separate set of issues.

      When our fingerprints, retinal patterns etc. are digitised for the purposes of verification, what happens when this info gets unhashed and falls into malicious hands? The situation ends up being a LOT worse than just losing a password because it's a part of you that you can't change.

    "You’re looking at a cluster of five 4U rack servers"

    Looks like just one to me.

      ...and with 8 GFX cards each rack - wouldn't that be 40 GPUs?

    I have seen a lot of alarmist stuff about the need to have super elaborate passwords these days and I just want to point a few things out.

    1. This type of cracking only works against off-line lists of password hashes. Someone has to get hold of that list, and be able to associate it with a user id before it is of any use. That only happens if the password holder has poor security practices and it doesn't happen every day regardless. You cannot directly crack a password on a device or website with this technique.

    2. Protecting online passwords is trivially easy for a website - simply institute a delay for every attempt. User IDs and passwords should be stored separately so both need to leak.

    3. This attack is only feasible at this scale and speed against passwords hashed with weak encryption. Once again this is the fault of the organisation storing the password. Use a decent cryptographic hash algorithym and salt it and you will make life very difficult for password crackers.

    4. This particular result of for XP passwords. Why are you still using XP out there?

    So the takeaways for users reading this is, moderately complex passwords are still OK (provided they aren't in a dictionary), but you should change them regularly in case some f*wit has cocked up at the other end. Don't share passwords across sites, and reconsider sharing usernames. Use two factor identification if it is available.You are far, far more likely to get hacked by someone social engineering a password reset on your account or guessing your standard reset question answers than you are by having your password cracked.

    The math is that is so fucking off. 348b per second is no where near the limit of combinations 14 digits provides. At that speed it would still take 100's of years to go through all the combinations.

      The problem is you don't need to go through all combinations as you stop when you reach the right one so if you go really unlucky it *could* be the first password it tries or it could be the last one.

Join the discussion!

Trending Stories Right Now