Harden Up: Can We Break Your Password With Our GPUs?

Final Words

My weekend of attempting to recover an old WinZip password left me slightly surprised. We live in a world where secure data isn't so secure (*cough* Sony's PSN *cough*), so it's hard not to be afraid of what general purpose computing means for the future as our graphics processors become even more powerful.

In the past, there was no way you could expect to bring down an ASCII password with a length of 10 characters in any reasonable period. This was only possible with custom hardware. That's what the Electronic Frontier Foundation did in 1998 with its Deep Crack. At a final cost of nearly $250 000, a group of security experts built a machine that could scan about 90 billion passwords per second, thanks to more than 1800 AWT-4500s working in tandem.

I can’t manage that level of performance with my office workstation, but two GeForce GTX 570s in SLI achieve about 1.5 billion passwords per second against Zip 2.0 encryption. That’s 1/60th of the performance at less than 1/100th of the cost. Obviously, I'm comparing apples against oranges. After all, Zip 2.0 encryption is old. But it's clear that massively parallel graphics architectures will continue enabling increased performance density at more commodity-like prices, so at some point we will be able to get 90 billion passwords per second from a desktop-sized box.

So, what have we learned? First off, steer clear of Zip 2.0. It’s an older encryption scheme supported for legacy purposes, and even WinZip suggests that you use AES to ward off brute-force attacks.

Targeted attempts are another story. Most people use passwords that include words, and as such, those passwords are vulnerable to dictionary-based attacks no matter what encryption scheme you use. The number of words in the English language is less than 1 million. However, a GeForce GTX 460 can manage at least 150 000 passwords per second against AES encryption. Even if you add a few variations, you really only need to spend a day crunching passwords to break the proverbial lock. Why? Because an entire word is functionally the same as a single letter, like "a."

Ideally you should avoid the following if you are trying to make your files more secure:

  • Avoid words from the dictionary. The Oxford English dictionary contains fewer than 300 000 entries if you count words currently in use, obsolete words and derivative words. That's nothing for a GeForce GTX 460.
  • Avoid words with numbers appended at the end. Adding 1 to the end of password doesn't make it a more secure. I can still crunch the entire English dictionary and numbers in half a day with a pair of GeForce GTX 570s.
  • Avoid double words or simple letter substitution. PasswordPassword only doubles the number of words that we have to search. That's still fairly easy considering how fast I can scan files. Also, p@55w0rd isn't a secure password. Password crackers know all the usual shortcuts. So don't take that route. 
  • Avoid common sequences from your keyboard. Adding qwerty to the dictionary of tested passwords isn’t hard work. That's another shortcut to avoid.
  • Avoid common numerical sequences. 314159 may be easy to remember. It's Pi, after all, but it's also something that's easy to test for.
  • Avoid anything personally related, such as your license plate, social security number, past telephone number, birthday, and so on. We live in a world where a lot of information is public domain. If you have a public Facebook or Twitter account, the amount of information available keeps growing.


An encryption scheme is only as good as the password that protects it. That's the weakness in a symmetric password, where the encryption key is the same as the decryption key. If you are stubbornly paranoid, the ultimate in security probably lies in PGP or certificate-based encryption. On an everyday basis, this isn't a practical option unless you and your company are willing to migrate to PKZIP. That's why password length should be your primary concern.

Fortunately, math is our friend (seriously, it is). If you use the full ASCII character set, then your password strength is 94(password length), because every additional character makes a password 94 times more secure. By adding a few extra characters to your password, you're making it "computationally infeasible" for hackers to attempt a brute-force attack. If 7 298 831 534 994 528 possible combinations (in a one- to nine-character password) isn’t enough to make you comfortable, use a 10-character password, and give any hacker 699 823 827 359 474 784 combinations to try.

Based on our testing, you probably could hit a little over 3 million passwords per second against AES encryption using a pair of Radeon HD 6990s. That means it'd take 7397 years to perform a search of passwords from one to 10 characters long using AMD's Stream acceleration. Even if you could double your speed from there, it wouldn't be much help. To get under one year, you'd have to scale your efforts to 7397 machines working full-time.

In the future, it might be possible for the average user to access that class of parallel compute power. Distributed computing is the next step, and Parallel Password Recovery is already working on a way to enable GPU-accelerated processing across multiple clients.

For the time being, this shouldn't keep you up at night. As the old adage goes, "if there is a will, there is a way." Ever since there were locks, there were lock picks. If you want to keep something secure, you need to understand how easy (or difficult) it is to pick the lock. That's what password recovery tools do. Surprisingly, WinZip agrees with us on this. As Tom Vaughan, VP at WinZip states, "I view the makers of password recovery tools as white hats, not black hats. It’s the software that you don’t know about that should scare you (software developed by black hats that is faster or more capable of cracking security than you could have predicted)."

It might sound like we're selling up some bogeyman or disseminating information that shouldn't be "out there," but we hope you come away from this story with a reminder that you can’t buy the truly impressive software. Custom cryptography stuff always advances faster than what’s commercially available. So if you are bent out of shape on security, your password should follow these basic guidelines.

  • At least nine characters in length.
  • Contain at least one upper-case letter
  • Contain at least one lower-case letter
  • Contain at least one special character, such as @ or !
  • Contain at least one number


These rules will give you a fighting chance against password hackers. Hackers have an unlimited number of attempts to crack a password. So breaking encryption is really only a matter of time. That's why the security experts understand that the real goal is to deter access to relevant data. If it takes you 50 years to break into a WinZip archive that contains information about my stock trades last week, that information is no longer relevant. Create longer random passwords, and you can also enjoy that level of security and peace of mind.

Create a new thread in the US Reviews comments forum about this subject
This thread is closed for comments
92 comments
    Your comment
    Top Comments
  • "Think of this as generating every single combination of numbers that can be used to solve that same Sodoku puzzle, starting from an all zeros all the way through all nines. "

    Sudoku puzzles have numbers from 1 through 9!
    10
  • Other Comments
  • "While it would take a longer time to find a password made up of nine or 10 passwords, it's definitely doable between a few gaming buddies. "


    9 or 10 characters?
    1
  • How about adding some extended ASCII codes to a password.
    2
  • "Think of this as generating every single combination of numbers that can be used to solve that same Sodoku puzzle, starting from an all zeros all the way through all nines. "

    Sudoku puzzles have numbers from 1 through 9!
    10
  • This reminds me of Bitcoin GPU crunching. 6990s are favored right now. I wonder how many were sold specifically to Bitcoin miners? I tried it with my dual 6850s but the heat was rediculous. I didn't like the stress on my hardware so I gave up mining. I'm sure it's the same with password software. Maxing out your GPUs. Great for Winter, not Summer!
    3
  • I've always wondered about this: why don't they just code a delay into the decryption program, so you can't check a billion passwords a second?
    -7
  • I like the scale, but in your small example (a,b,c) you were right and wrong at the same time. Based on your configuration 6 possibilities are correct, but because you tell someone that they can use A or B or C in the password doesn't stop them from choosing aaa, therefor the combination is 9, not 6. Otherwise, interesting article.
    2
  • 276101 said:
    "Think of this as generating every single combination of numbers that can be used to solve that same Sodoku puzzle, starting from an all zeros all the way through all nines. " Sudoku puzzles have numbers from 1 through 9!


    Fixed! Sorry. I usually play Sudoku variants. :)


    424793 said:
    I like the scale, but in your small example (a,b,c) you were right and wrong at the same time. Based on your configuration 6 possibilities are correct, but because you tell someone that they can use A or B or C in the password doesn't stop them from choosing aaa, therefor the combination is 9, not 6. Otherwise, interesting article.


    I could understand that, but I left out that since I was trying to show a simple example of how permutations differ from combinations. As you pointed out, repetitions are allowed in passwords. I actually mention that in the sentence that follows in the next paragraph.
    4
  • Password Haystacks Yes Steve Gibson has already covered something like this. Passphrases with upper lower number and speical are the way to go. Yes, please avoid shortcuts.
    1
  • 179702 said:
    I've always wondered about this: why don't they just code a delay into the decryption program, so you can't check a billion passwords a second?


    It wouldn't be easy from a design standpoint, cause now you're talking about fiddling with the design of the program.

    The easiest way to slow down the verification portion of the password authentication process is increasing the number of transformation invocations for key generation. The problem is that this slows down the performance of your machine, even if you have the correct password.

    jj463rdHow about adding some extended ASCII codes to a password.


    That assumes WinZip and WinRAR supports them. To be honest, I haven't looked into that. Though, I'm inclined to believe that neither program supports them.
    5
  • the tables in this review are horrible... they go from lengths of time to number of passwords and theres no discernible notation when they do.
    4
  • Cracking a password? There's an app for that.

    Saw something on this elsewhere recently (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)

    I've changed the password for important (tangible value) passwords such as that for my steam account to a password that now uses a few special characters, and some mixed up numbers, lower and upper case letters, totalling 18 characters. (lol)

    Now I have a few different tiers of passwords, a now replaced 8 string of letters and numbers for unimportant things a couple of years ago, a now replaced string of 15 characters for semi-important things a couple years ago (have real world information or usefulness for a potential bad guy), their 8 and 15 respectively replacements and my new 18 character string for things that have definite tangible real world value to potential nasties.

    And being only 15 I think I'm on the right track :)

    The only thing that *really* worries me are the choice of security questions sometimes. If you're not allowed to pick your own, the answer would be easy to find on my Facebook page or similar (if I had one ;)) Mother's maiden name? There's a Facebook page for that.
    8
  • Mark HeathCracking a password? There's an app for that.Saw something on this elsewhere recently (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)I've changed the password for important (tangible value) passwords such as that for my steam account to a password that now uses a few special characters, and some mixed up numbers, lower and upper case letters, totalling 18 characters. (lol)Now I have a few different tiers of passwords, a now replaced 8 string of letters and numbers for unimportant things a couple of years ago, a now replaced string of 15 characters for semi-important things a couple years ago (have real world information or usefulness for a potential bad guy), their 8 and 15 respectively replacements and my new 18 character string for things that have definite tangible real world value to potential nasties.And being only 15 I think I'm on the right track The only thing that *really* worries me are the choice of security questions sometimes. If you're not allowed to pick your own, the answer would be easy to find on my Facebook page or similar (if I had one ) Mother's maiden name? There's a Facebook page for that.


    Actually, AccentZIP and AccentRAR are real world derivatives of the ighashgpu program that Zdnet wrote about. Ivan Golubev actually wrote the code for all three programs and we had the pleasure of working with him to write this article. The difference is that with ighashgpu, you're mainly looking at hash cracking.
    3
  • You could buy multiple GPU's for a hefty price, or you could just use Amazon's cloud computing to do it for you....

    http://www.securityweek.com/commercial-software-harnesses-amazon-cloud-crack-passwords-faster
    2
  • Oops, link didn't show up, here it is:

    Linky Linky
    2
  • 413287 said:
    Oops, link didn't show up, here it is: Linky Linky


    Interesting. According to the article, it seems that the password recovery speed is limited by the internet connection.

    I seem to recall seeing someone mention that a pair of 590s was faster than 30000 passwords per second with Elcomsoft's GPGPU document cracker.

    Heck, assuming only 2002 SHA-1 transformations, a single GTX 460 would be faster.
    2
  • How much of a jem is this article? This is way better than trying to save 3 cents a year on your power bill. I for one would like to see the process expanded into a benchmark if possible. For one thing, it could be an excellent for CPUs where it seems like it's more optimized -- GPUs are basically limited to nVidia's CUDA, but I still think the brain trust at Toms could find a way to make an informative benchmark out password cracking.
    1
  • What if you have TRANSLTR?
    2
  • A next good article would be a search for the best decryption software. Let the decryption roundup begins!
    2
  • Interesting article. I personally use a fairly simple way to use one different password for each website / service following an easy to remember pattern. The method is described here:

    http://passwordadvisor.com/TipsUsers.aspx

    Would also be interesting to see if Sandy Bridge AES instructions helps on brute force.
    1
  • Im surprise they haven't tested Elcom solution, they are faster for recovery password with any competition with some process. You can put make a network resource. So lets say you have a lots of money and put 10-20 4 SLI GTX 590 computer or Tesla computer available resource to get a super computer , password cracking will pass from days to second. Imagine Top supercomputer in the world and its just a beginning. Soon we gonna have to have password with 20 + alpha numeric and special character. Or data crash after 10 attempt.
    -3