Or does it mean that NTLM encryption is toast and needs to be replaced?

On Monday, 6 June 2011, Paul Ferguson <[email protected]> wrote:
> FYI,
>
> - ferg
>
>
> ---------- Forwarded message ----------
> From: Richard Forno <[email protected]>
> Date: Sun, Jun 5, 2011 at 7:09 PM
> Subject: [Infowarrior] - How a cheap graphics card could crack your password in under a second
> To:
>
>
> How a cheap graphics card could crack your password in under a second
>
> http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/
>
> I was pointed in the direction of a blog posting talking about the use of GPU processors to launch brute-force attacks on passwords. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now perfectly do-able on your desktop computer.
>
> In this report, the author takes a fairly standard Radeon 5770 graphics card (you’ll find it on our A-List under Value Graphics Card), and uses a free tool called ighashgpu to run the brute-force password cracking tools on the GPU. To provide a comparison point with the capabilities of a standard desktop CPU, he uses a tool called “Cain & Abel”.
>
> The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.
>
> Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.
>
> Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet?
>
> Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren’t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.
>
> He then went on to add in mixed symbols to create “F6&B is” (there is a space in there). CPU will take 75 days, GPU will take 7 hours.
>
> What does this tell us? Well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.
>
> Yes, you can force your users to have a 15-character password consisting of random numbers and letters, and throw in punctuation as well. This is great as an idea, but we know that most users think that a password like “Barry1943Manilow”, where 1943 was the year he was born, is complex and hard to remember. Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet? Or stuck to the side of the screen? Because anything much less than this is going to be open to attack over the next few years.
>
> A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.
>
> All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention. Nor has Microsoft, frankly, who should be having a whole raft of alternative, hardened solutions in place ready for its business customers to roll out.
>
> What are the solutions? To be honest, I’m not sure. A combination of TPM, biometrics, passwords and maybe something else entirely new will be needed. But it’s clear that a complex password that users will actually accept for day-to-day authentication, and keep secret, might be history.
> _______________________________________________
> Infowarrior mailing list
> [email protected]
> https://attrition.org/mailman/listinfo/infowarrior
>
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>

--
Martin Hepworth
Oxford, UK
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
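The forwarded article quotes two guess rates (9.8 million/s on the CPU, 3.3 billion/s on the GPU) and a handful of sample passwords. The script below is an added example, not part of this thread or of the PC Pro article, that turns those figures into the kind of exposure model a defender uses when setting a password-length policy: it infers the character classes a sample password uses, sizes the resulting keyspace, and reports the worst-case time to exhaust it at each rate, plus the shortest length whose full space outlasts a chosen number of years. It assumes the attacker enumerates the whole class space (so exhaustion is the worst case and half of it the expected case) and that the rates stay constant; the only figures taken from the article are the two rates and the sample passwords, and every function name is the example's own.

```python
"""Brute-force exposure model for the guess rates quoted in the forwarded
article. Added example, not part of the thread. Assumption: the attacker
enumerates the whole space built from the character classes the password
uses, and guess rates stay constant over the search."""
import string

# Guess rates quoted in the article (guesses per second against NTLM).
CPU_RATE = 9.8e6   # Cain & Abel on a desktop CPU
GPU_RATE = 3.3e9   # ighashgpu on a Radeon 5770

# Character classes and their sizes; 'symbol' is ASCII punctuation plus space.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)

SECONDS_PER_YEAR = 365.25 * 86400


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover given the classes the password uses."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates of exactly `length` characters over `alphabet`."""
    return alphabet ** length


def seconds_to_exhaust(password: str, rate: float) -> float:
    """Worst-case time to try every candidate of the same length and classes."""
    return keyspace(len(password), charset_size(password)) / rate


def human(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def min_length_for_budget(alphabet: int, rate: float, years: float) -> int:
    """Shortest length whose full space outlasts `years` of guessing at `rate`."""
    budget = years * SECONDS_PER_YEAR
    length = 1
    while keyspace(length, alphabet) / rate <= budget:
        length += 1
    return length


def exposure_report(samples, rates=(("CPU", CPU_RATE), ("GPU", GPU_RATE))) -> list:
    """Rows of (password, alphabet size, length, {rate label: worst-case seconds})."""
    return [(pw, charset_size(pw), len(pw),
             {label: seconds_to_exhaust(pw, r) for label, r in rates})
            for pw in samples]


if __name__ == "__main__":
    # Sample passwords taken from the article text.
    samples = ["fjR8n", "pYDbL6", "fh0GH5h", "F6&B is",
               "Barry1943Manilow", "fR4; $sYu 29 @QwmQz"]
    for pw, alpha, n, times in exposure_report(samples):
        cells = "  ".join(f"{k}: {human(v):>14}" for k, v in times.items())
        print(f"{pw!r:24} alphabet={alpha:<3} len={n:<3} {cells}")
    for alpha in (62, 95):
        need = min_length_for_budget(alpha, GPU_RATE, 100)
        print(f"alphabet {alpha}: {need} chars needed to survive 100 years at the GPU rate")
```

The model is deliberately pessimistic for the defender: it charges the attacker for the full class space even though real cracking runs try dictionaries and masks first, which is why a password such as "Barry1943Manilow" scores far better here than it would against a wordlist-plus-rules attack. The useful output is the last two lines, which show how each extra character multiplies the work by the alphabet size, the one lever a length policy actually controls.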
