
25-GPU cluster cracks every standard Windows password in less than 6 hours - rayval
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
======
peteretep
Less good against non-NTLM passwords ... from my comment last time:

Taking SHA-1 (which YOU MUST NOT USE for password hashing blah), it only
manages 63 billion a second. To try all the passwords for that in the
alphanumeric space:

- 10 chars: 35 weeks
- 11 chars: 44 years
- 12 chars: 2,800 years
- 16 chars: 11 times the age of the sun

10 chars for bcrypt: 600,000 years...

[http://www.wolframalpha.com/input/?i=%2865**16+%2F+63+billio...](http://www.wolframalpha.com/input/?i=%2865**16+%2F+63+billion%29+seconds)

~~~
joshmaker
- 8 chars: 84 minutes
- 6 chars: 1.2 seconds

All of which demonstrates the importance of requiring longer passwords. Also,
keep in mind that these are maximum times required to crack a password and not
the average times.

~~~
mikeash
The average time to crack will just be half of the maximum, so it's not a big
difference (compared to order of magnitude errors, anyway). Still good to
point out, though.

~~~
nodata
Sure? Wouldn't you optimise the attack to try words or wordlike c0mb1n4t1ons
first?

~~~
stephengillie
That's a good idea if the password was human-generated. With computer-
generated random passwords, like gH8r;2CpyyK!a, you might want to optimize
differently.

------
jwilliams
This was discussed 3-4 days ago: <http://news.ycombinator.com/item?id=4875206>

Upshot - it's impressive, but NTLM is already known as a vulnerable target.

------
16s
NTLM hashes are stored in Active Directory servers as one round of unsalted
MD4. It's plain MD4. Not many people know this and I only point it out as it's
important to understand that when talking about how many cracks per second
they are getting.

------
cynwoody
Impressive as the numbers are, it's worth remembering that this is an "offline
crack", going against a stolen list of encrypted passwords. If they can steal
your database of encrypted passwords, you've got a problem no matter how
strong the passwords are.

How many guesses per second do you get in a typical online crack? E.g., a
script kiddie trying to guess your cloud server's SSH password?

~~~
ramidarigaz
On my webserver, you get 3 chances and then a 24 hour ip ban. I think that
comes out to 0.00003 passwords per second :)

The particularly persistent IPs get a special iptables rule.

~~~
cgag
I suppose it's a bit different from a user facing login, but does anyone know
why these limits tend to be set so low? I've locked myself out of plenty of
things, and so have plenty of people I know. It seems like setting the limit
to 20 would be just as effective in blocking brute force attacks without being
user unfriendly.

Is it that with user facing services the common user/passwords are so common
it's reasonable to just try just the top x most common passwords?

~~~
trb
Intuition, most of the time. Here are some quite common ones:

<http://www.splashdata.com/press/PR121023.htm>

There's no reason why you would have a three attempts limit, or five, or ten,
and so on. If I get three per account, I'll just use the top three and try
again different accounts. If I get three attempts per IP, I'll use many
different IPs and do the same.

To remain user friendly, delays are the way to go. E.g. you could have three
different delays that add to each other: Account-level, IP-level and global.
Increase each with every failed attempt up to 30 seconds of wait time, and add
them together. This will slow down brute force attempts to the point where
they're useless, while still allowing legitimate users to login (just with a
little inconvenience).

As a result, if I failed three attempts with one account, and three on the next,
etc., my IP-level limit will prohibit me from moving on to other accounts. If
I try a lot of passwords on one account, the account-level and IP-level ones
will slow me down. And if there's a distributed attack with many IPs, the
global delay will reduce the damage the attack can do. All the while
legitimate users can still use the service.
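
The additive delay scheme described in the comment above, as an added example that is not part of the thread. The 30-second per-level cap comes from the comment; the step sizes, the 15-minute expiry window, the class and function names, and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque

CAP = 30.0      # per-level ceiling in seconds, from the comment above
WINDOW = 900.0  # assumption: failures older than 15 minutes stop counting


class LoginThrottle:
    """Account-level, IP-level and global delays, added together."""

    def __init__(self, step=2.0, global_step=0.5):
        # Step sizes are assumptions; the thread only gives the 30 s cap.
        self.step, self.global_step = step, global_step
        self.account = defaultdict(deque)
        self.ip = defaultdict(deque)
        self.everyone = deque()

    @staticmethod
    def _recent(stamps, now):
        while stamps and now - stamps[0] > WINDOW:
            stamps.popleft()          # forget failures outside the window
        return len(stamps)

    def delay(self, account, ip, now):
        """Seconds this attempt must wait before it is evaluated."""
        a = min(CAP, self._recent(self.account[account], now) * self.step)
        i = min(CAP, self._recent(self.ip[ip], now) * self.step)
        g = min(CAP, self._recent(self.everyone, now) * self.global_step)
        return a + i + g

    def record_failure(self, account, ip, now):
        for stamps in (self.account[account], self.ip[ip], self.everyone):
            stamps.append(now)


def total_wait(attempts):
    """Replay failed attempts; return (total seconds waited, last delay)."""
    throttle, clock, last = LoginThrottle(), 0.0, 0.0
    for account, ip in attempts:
        last = throttle.delay(account, ip, clock)
        clock += last                 # the client is held for the delay
        throttle.record_failure(account, ip, clock)
    return clock, last


# Constructed traffic: 12 failed logins in each of three patterns.
one_account = [("alice", "198.51.100.7")] * 12
spray_one_ip = [(f"user{n}", "198.51.100.7") for n in range(12)]
spray_many_ips = [(f"user{n}", f"203.0.113.{n}") for n in range(12)]
```

Replaying the three lists with `total_wait` shows which level does the work in each case: the single-account run is slowed by all three delays, the one-IP spray by the IP and global delays, and the many-IP spray by the global delay alone.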

------
madao
I remember back when I was doing a network engineering course the guys could
crack a windows password in minutes offline, simple matter of grabbing the
database from the machine. I think once you have the machine offline unless
you encrypt the data you're pretty screwed regardless.

~~~
Blara
When was this? I know older windows versions stored passwords in plain text...
I can't remember when they switched to hashed passwords but I think it was
around XP or Vista

~~~
muyuu
Windows never stored system passwords in plain text.

It did use the LM hash function to store passwords, which was rather weak,
making rainbow table attacks easy.

<http://en.wikipedia.org/wiki/LM_hash>

For backwards compatibility this hash function was commonly in use up to Windows
7 (it was disabled by default in Vista though). There are decent workarounds
since NT.

NTLMv1 is also rather easy to crack. NTLMv2 is better but took a long time to
be in wide use. Kerberos is strong too and can be used

Long story short, Windows OS prior to Vista maintain weaker hash support for
backwards compatibility by default (although you can work around it since NT
4, almost nobody did this). Windows Vista still has support for them if you
want to turn it on, but by default it's off. From Windows 7 there is no
support for weak system hashes. For Active Directories, MIT's Kerberos (used
typically in Unix networked environments since the 80s) replaced NTLM from
Windows 2000 on.

------
ChrisNorstrom
Guess what? Back in 2009, I started using a method to remember long passwords
with a huge # of letters, numbers, & special characters.

Gw?Bi2009Isuamtrlpwah#ol,n,&sc. (31 characters)

Create memorable sentences and create a password using the first letter of
each word & all the numbers and punctuation. After entering it 10 or so times
you'll get used to it pretty quickly.

~~~
phpnode
or you can literally write the whole sentence, which is even more secure and
you don't have to remember any special rules, just the sentence itself. Of
course it's more typing:

    Guess what? Back in 2009 I saw a uniquely attired man traipsing round local places with a high number of legs, necks and shirt collars.

136 characters or 14 Gigayears to crack. Wow today I learnt that there's such
a thing as a Gigayear.

~~~
sunraa
I just went through the process of changing passwords to sentences. You'd be
surprised at how many sites do not allow sentences.

~~~
SageRaven
I use a password manager, and I have a unique password per site. I generally
try to use an MD5 hash resulting from a "ps waux | md5" at the time of
registration. I've encountered sites that rejected this due to lack of upper
characters (oracle.com, which then allowed me to use "Abc123"), having no
special characters, being too long (often forcing me to down-size to 16 or 8
chars). The worst are sites that silently truncate long passwords (I'm
guessing due to code errors), so your password is invalid the second you
register and must immediately proceed with a password reset.

Big sites are generally good about allowing long/strong passwords. Many mom-n-
pop sites are often hit-or-miss.

------
rjempson
I'm not sure there is much significance to this article.

It points out "The technique doesn't apply to online attacks, because, among
other reasons, most websites limit the number of guesses that can be made for
a given account."

Same applies to Windows.

~~~
ramblerman
I think what they're referring to is having access to the physical hard disk.
In linux terms it would equate to having a copy of the /etc/passwd file.

For example the FBI seizes someone's computer. This would allow them to brute
force without said restriction.

So yes, from an online, or standard entry viewpoint this is a moot point. Also
a properly encrypted hard drive using something like truecrypt is still pretty
impenetrable regardless.

~~~
halviti
I've grabbed the SAM file from remote IIS servers in my younger years and
cracked the passwords locally.

Buffer overflow the web service, bind a command shell to a port running as the
system account (by having the system execute shellcode used in the buffer
overflow), netcat to your open port, ftp the SAM (located in the repair
directory) to somewhere you can retrieve it, download the file, delete all of
the logs, crack the file.

Hard drive encryption would have done nothing to prevent this.

~~~
ygra
I doubt law enforcement would go that route if they seized your stuff.

------
rayval
Edited title for length, because original title got truncated in a confusing
fashion.

Original title: "25-GPU cluster cracks every standard Windows password in <6
hours"

~~~
rayval
Looks like that got fixed by sysop gods. Thanks!

------
patrickgzill
If this is done with commodity hardware, now, what were the NSA's capabilities
even 5 years ago?

~~~
SenorWilson
I'm sure they were able to crack the encryption method before Microsoft
started using it.

~~~
bradleyland
Put your tin foil hats away. This doesn't "crack" NTLM, it brute forces at a
very high rate. The NSA has more money to spend, but are similarly limited by
the hardware available at any given point.

~~~
patrickgzill
The NSA has access to their own chip fabrication facilities. I do not know if
they own their own plant, or just have secure fab space at some other
company's plant.

So they could have easily fabbed something like this, or a tuned architecture
specifically designed for the purpose.

~~~
plaguuuuuu
It's very probable that they have and if so, it's almost certain that it would
involve specialized hardware implementations (ASIC, FPGA, whatever) rather
than commodity graphics hardware which is burdened with expensive and useless
stuff like onboard memory and would be power inefficient

considering that the entire purpose of NSA in the first place is to provide
SIGINT and encrypt or decrypt signals, it's almost a given that they're trying
to the best of their ability to crack stuff.

~~~
raverbashing
Not sure

Money buys more commodity hardware faster than the time/money used to develop
a chip

It's not hard to make tens, or maybe even hundreds of GPUs beat a specialized
chip except for very specific things

And even for something specialized it's probably easier to use an FPGA

------
jiggy2011
So, why don't modern versions of Windows just use Bcrypt or similar for
passwords?

------
iamchrisle
Nice. But can it run Crysis?

~~~
rtkwe
Yes. Physically, it's running *nix though so you'd have to get windows to not
freak out with all that power.

------
recoiledsnake
Every standard Windows password less than 8 chars only?

~~~
apawloski
I know for practical purposes this doesn't seem like that big of a deal, but
you have to understand that 8 chars of mixed case, numbers, and symbols is
still a gigantic key space. That this can be done so quickly on commodity
hardware is pretty impressive.

~~~
hayksaakian
Individual char variance is less significant compared to additional chars.

Look at the xkcd password entropy comic

~~~
Caerus
From what I remember of the comic, the point was not the length of the
password. The entropy was calculated based on 4 possible words.

Assuming ~2000 common English words, the number of possible passwords in that
format is 2000^4 ~= 2^44. If the calculation is based on a completely random
string of letters it is far stronger at 26^30 ~= 2^141 but it's safe to assume
people aren't going to memorize a 30 character random password.

It's worth noting that the fairly common 8 character upper/lower case,
numbers, and symbols they cracked in 6 hours is more secure than
"correcthorsebatterystaple" at 72^8 ~= 2^49.

~~~
hayksaakian
Why would that be true?

Wouldn't you have to know in advance that the longer password was only lower
case letters?

~~~
Caerus
I'm not sure which part you're asking about. I'm assuming it's that
"correcthorsebatterystaple" is only lower case.

I was mainly commenting on the format suggested by the comic - 4 all-lower
case words. You could throw in capitalization, but most people are going to
follow some pattern such as capitalizing all the words or the first and last,
etc. These schemes only add a couple extra bits. Fully random capitalization
would greatly increase the strength but make it nearly impossible to remember.

There are a lot of assumptions in these calculations, chief among them already
knowing the format of the password. It's somewhat reasonable to ignore though,
because not knowing the format of the password is going to add extra
complexity more or less evenly across all formats.

------
namank
How bout SSL?

