Harden Up: Can We Break Your Password With Our GPUs?

by Andrew Ku June 20, 2011 at 2:00 AM

Do you think your passwords are keeping your data nice and safe? Do you have archived files you don't want anyone to see? Let's see how fast we can crack your lock using our graphics cards. If anything, this is a wake-up call to lock down your valuables!

Locking your keys in the car is never fun. The last time that happened, I spent the better part of my day waiting for a locksmith. Happily, I can say that's one of those mistakes that I only made once; I haven't lost sight of my keys since.

The funny thing is that, for all of my deliberate effort, I simply cannot keep track of my digital keys (passwords) when I sit down at a computer. There are just so many of them, and we're trained to not use the same one on every site. Physical keys are just easier to keep track of. Even when you lose them, they're still somewhere. It's all a matter of retracing your steps. Besides, at least there are specialists (like locksmiths) to help lower that security barrier, if you really need them.

That's also true when it comes to passwords, at least to a certain extent. Whether it's your email or bank account, online password recovery is generally a painless process. There's usually some sort of a "Forgot Your Password?" link that allows you to reclaim access. However, the prospects for digital files are usually more forlorn. I recently discovered this while I was trying to access an old encrypted WinZip archive.

Before we dive too deep into password recovery, we should point out that there are many ways to protect your data. If you're looking for a more comprehensive solution, we would suggest something like TrueCrypt (check out Protect Your Data! TrueCrypt 7.0a's Performance, Analyzed), which is even more attractive now that it supports AES-NI instructions. Yet, archive encryption remains the most ubiquitous way to secure data. Whether you're someone in HR emailing the weekly payroll or Blake Lively trying to keep those personal iPhone photos a little more personal, encrypting an archive is fast and easy.

There is, however, a bit of a misunderstanding on just how secure your data can really be. If you're paranoid about security, you're naturally going to favor the strongest encryption scheme possible. The presumption is that a stronger encryption scheme is more difficult to break, suggesting that AES-256 is better than AES-128. That's not the whole truth. Think of encryption like a big vault. The thicker the armor, the harder it is to penetrate the safe. However, the security of a vault is only as good as the lock that secures it. That is what a password does. It's the vault's key. The longer your password, the more complicated the lock and the more secure your data is.

Most people assume that an eight-character-long password is good enough to keep hackers at bay. That's not exactly true either, and we're about to show you why.

Summary

About the author

Andrew Ku

Ask a Category Expert

Create a new thread in the US Reviews comments forum about this subject

Title
Title
Subject

This thread is closed for comments

92 comments

Your comment

Top Comments

ryandsouza Jun 20, 2011, 8:51 AM

"Think of this as generating every single combination of numbers that can be used to solve that same Sodoku puzzle, starting from an all zeros all the way through all nines. "

Sudoku puzzles have numbers from 1 through 9!
10

Other Comments

jeff77789 Jun 20, 2011, 7:33 AM

"While it would take a longer time to find a password made up of nine or 10 passwords, it's definitely doable between a few gaming buddies. "

9 or 10 characters?
1
jj463rd Jun 20, 2011, 8:04 AM

How about adding some extended ASCII codes to a password.
2
ryandsouza Jun 20, 2011, 8:51 AM

"Think of this as generating every single combination of numbers that can be used to solve that same Sodoku puzzle, starting from an all zeros all the way through all nines. "

Sudoku puzzles have numbers from 1 through 9!
10
rpmrush Jun 20, 2011, 8:59 AM

This reminds me of Bitcoin GPU crunching. 6990s are favored right now. I wonder how many were sold specifically to Bitcoin miners? I tried it with my dual 6850s but the heat was rediculous. I didn't like the stress on my hardware so I gave up mining. I'm sure it's the same with password software. Maxing out your GPUs. Great for Winter, not Summer!
3
mediv42 Jun 20, 2011, 9:01 AM

I've always wondered about this: why don't they just code a delay into the decryption program, so you can't check a billion passwords a second?
-7
joshyboy82 Jun 20, 2011, 9:03 AM

I like the scale, but in your small example (a,b,c) you were right and wrong at the same time. Based on your configuration 6 possibilities are correct, but because you tell someone that they can use A or B or C in the password doesn't stop them from choosing aaa, therefor the combination is 9, not 6. Otherwise, interesting article.
2
acku Jun 20, 2011, 9:07 AM

276101 said:

"Think of this as generating every single combination of numbers that can be used to solve that same Sodoku puzzle, starting from an all zeros all the way through all nines. " Sudoku puzzles have numbers from 1 through 9!

Fixed! Sorry. I usually play Sudoku variants.

424793 said:

I like the scale, but in your small example (a,b,c) you were right and wrong at the same time. Based on your configuration 6 possibilities are correct, but because you tell someone that they can use A or B or C in the password doesn't stop them from choosing aaa, therefor the combination is 9, not 6. Otherwise, interesting article.

I could understand that, but I left out that since I was trying to show a simple example of how permutations differ from combinations. As you pointed out, repetitions are allowed in passwords. I actually mention that in the sentence that follows in the next paragraph.
4
webdev511 Jun 20, 2011, 9:12 AM

Password Haystacks Yes Steve Gibson has already covered something like this. Passphrases with upper lower number and speical are the way to go. Yes, please avoid shortcuts.
1
acku Jun 20, 2011, 9:15 AM

179702 said:

I've always wondered about this: why don't they just code a delay into the decryption program, so you can't check a billion passwords a second?

It wouldn't be easy from a design standpoint, cause now you're talking about fiddling with the design of the program.

The easiest way to slow down the verification portion of the password authentication process is increasing the number of transformation invocations for key generation. The problem is that this slows down the performance of your machine, even if you have the correct password.

jj463rdHow about adding some extended ASCII codes to a password.

That assumes WinZip and WinRAR supports them. To be honest, I haven't looked into that. Though, I'm inclined to believe that neither program supports them.
5
shin0bi272 Jun 20, 2011, 9:59 AM

the tables in this review are horrible... they go from lengths of time to number of passwords and theres no discernible notation when they do.
4
Mark Heath Jun 20, 2011, 10:26 AM

Cracking a password? There's an app for that.

Saw something on this elsewhere recently (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)

I've changed the password for important (tangible value) passwords such as that for my steam account to a password that now uses a few special characters, and some mixed up numbers, lower and upper case letters, totalling 18 characters. (lol)

Now I have a few different tiers of passwords, a now replaced 8 string of letters and numbers for unimportant things a couple of years ago, a now replaced string of 15 characters for semi-important things a couple years ago (have real world information or usefulness for a potential bad guy), their 8 and 15 respectively replacements and my new 18 character string for things that have definite tangible real world value to potential nasties.

And being only 15 I think I'm on the right track

The only thing that *really* worries me are the choice of security questions sometimes. If you're not allowed to pick your own, the answer would be easy to find on my Facebook page or similar (if I had one ) Mother's maiden name? There's a Facebook page for that.
8
acku Jun 20, 2011, 10:37 AM

Mark HeathCracking a password? There's an app for that.Saw something on this elsewhere recently (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)I've changed the password for important (tangible value) passwords such as that for my steam account to a password that now uses a few special characters, and some mixed up numbers, lower and upper case letters, totalling 18 characters. (lol)Now I have a few different tiers of passwords, a now replaced 8 string of letters and numbers for unimportant things a couple of years ago, a now replaced string of 15 characters for semi-important things a couple years ago (have real world information or usefulness for a potential bad guy), their 8 and 15 respectively replacements and my new 18 character string for things that have definite tangible real world value to potential nasties.And being only 15 I think I'm on the right track The only thing that *really* worries me are the choice of security questions sometimes. If you're not allowed to pick your own, the answer would be easy to find on my Facebook page or similar (if I had one ) Mother's maiden name? There's a Facebook page for that.

Actually, AccentZIP and AccentRAR are real world derivatives of the ighashgpu program that Zdnet wrote about. Ivan Golubev actually wrote the code for all three programs and we had the pleasure of working with him to write this article. The difference is that with ighashgpu, you're mainly looking at hash cracking.
3
aaron88_7 Jun 20, 2011, 10:40 AM

You could buy multiple GPU's for a hefty price, or you could just use Amazon's cloud computing to do it for you....

http://www.securityweek.com/commercial-software-harnesses-amazon-cloud-crack-passwords-faster
2
aaron88_7 Jun 20, 2011, 10:41 AM

Oops, link didn't show up, here it is:

Linky Linky
2
acku Jun 20, 2011, 10:54 AM

413287 said:

Oops, link didn't show up, here it is: Linky Linky

Interesting. According to the article, it seems that the password recovery speed is limited by the internet connection.

I seem to recall seeing someone mention that a pair of 590s was faster than 30000 passwords per second with Elcomsoft's GPGPU document cracker.

Heck, assuming only 2002 SHA-1 transformations, a single GTX 460 would be faster.
2
compton Jun 20, 2011, 11:16 AM

How much of a jem is this article? This is way better than trying to save 3 cents a year on your power bill. I for one would like to see the process expanded into a benchmark if possible. For one thing, it could be an excellent for CPUs where it seems like it's more optimized -- GPUs are basically limited to nVidia's CUDA, but I still think the brain trust at Toms could find a way to make an informative benchmark out password cracking.
1
kkiddu Jun 20, 2011, 11:51 AM

What if you have TRANSLTR?
2
Hupiscratch Jun 20, 2011, 12:07 PM

A next good article would be a search for the best decryption software. Let the decryption roundup begins!
2
Anonymous Jun 20, 2011, 12:32 PM

Interesting article. I personally use a fairly simple way to use one different password for each website / service following an easy to remember pattern. The method is described here:

http://passwordadvisor.com/TipsUsers.aspx

Would also be interesting to see if Sandy Bridge AES instructions helps on brute force.
1
srgess Jun 20, 2011, 1:06 PM

Im surprise they haven't tested Elcom solution, they are faster for recovery password with any competition with some process. You can put make a network resource. So lets say you have a lots of money and put 10-20 4 SLI GTX 590 computer or Tesla computer available resource to get a super computer , password cracking will pass from days to second. Imagine Top supercomputer in the world and its just a beginning. Soon we gonna have to have password with 20 + alpha numeric and special character. Or data crash after 10 attempt.
-3