Nvidia Versus AMD: Brute-Force Attack Performance
This little exercise is all about scaling. You want a lot of cores, and you want them operating quickly. Even though it has a slight effect on our results, let's put architecture aside a moment. While two GeForce GTX 570s only have 2.8x the number of CUDA cores as a single GTX 460, we realize three times the performance because all of the higher-end card's cores also operate 8% faster.
Dropping in a GeForce GTX 590 yields similar results as our SLI configuration. The 590 has more cores, but they operate slightly slower. If you're shooting for the star, Nvidia's flagship is pretty much the top of the line with its 1024 CUDA cores. Then again, if you're willing to tolerate lots of heat and a big price tag, two GeForce GTX 590s in SLI should be able to double the performance of our twin GTX 570s.
In comparison, there are 3072 Stream processors running at 830 MHz on AMD's flagship Radeon HD 6990. Bear in mind that an AMD core is not equivalent to an Nvidia core, so you can't compare them 1:1.
I only had time to run a pair of Radeon HD 5850s in CrossFire, but the results are still impressive. With 2880 stream processors, I'm pushing about 1.1 million passwords per second while attempting to break an AES-128 encrypted WinZip file. Two Radeon HD 6990s are probably the way to go if you want to go full-speed in AES password recovery. But even optimistically, you're only going to hit slightly over 3 million passwords per second. That's still insufficient to crack an eight-character password in less than a year.
|Graphics Card||CUDA/Stream cores||Shader Core Speed|
|GeForce GTX 460 1GB||336||1350 MHz|
|GeForce GTX 570||480||1464 MHz|
|GeForce GTX 590||1024||1214 MHz|
|Radeon HD 5850||1440||725 MHz|
|Radeon HD 5970||1600||725 MHz|
|Radeon HD 6990||3072||830 MHz|
A pair of GeForce GTX 570s in SLI is a reasonable setup to expect in a gaming machine. While you probably shouldn't expect great times breaking past passwords more than seven characters long, remember that we're also looking at the worst-case scenario. It's as if we're searching for a password between 00 and 99, and the right answer ends up being 99. Usually, that's not the case, and a password right in the middle would arrive in half the time.
Password recovery programs like these don't do a fully-sequential search, so that's not even a good strategy for password security. Realistically, a successful recovery will probably fall somewhere in the middle of a search. However, given the time frames which we're we're dealing, that doesn't really change our conclusion. Zip 2.0 isn't safe at all in our opinion. While it would take a longer time to find a password made up of nine or 10 characters, it's definitely doable between a few gaming buddies.
|2 x GeForce GTX 570 SLI|
|Brute-Force AttackTotal Time for Search||Password Length Between 1-6 Characters||Password Length Between 1-8 Characters|
|500 000 Passwords Per Second||18 days, 7 hours||462 years, 116 days|
|45 Million Passwords Per Second||4 hours, 52 minutes||5 years, 49 days|
|1.5 Billion Passwords Per Second||8 minutes||56 days, 5 hours|
9 or 10 characters?
Sudoku puzzles have numbers from 1 through 9!
Fixed! Sorry. I usually play Sudoku variants. :)
I could understand that, but I left out that since I was trying to show a simple example of how permutations differ from combinations. As you pointed out, repetitions are allowed in passwords. I actually mention that in the sentence that follows in the next paragraph.
It wouldn't be easy from a design standpoint, cause now you're talking about fiddling with the design of the program.
The easiest way to slow down the verification portion of the password authentication process is increasing the number of transformation invocations for key generation. The problem is that this slows down the performance of your machine, even if you have the correct password.
jj463rdHow about adding some extended ASCII codes to a password.
That assumes WinZip and WinRAR supports them. To be honest, I haven't looked into that. Though, I'm inclined to believe that neither program supports them.