Original URL: http://www.theregister.co.uk/2012/12/07/monster_password_cracking_rig/
GPU-stuffed monster cracks Windows passwords in minutes
That's what you get for using a crap hashing algo
Posted in Security, 7th December 2012 09:18 GMT
Security researchers have put together a monster number-crunching rig capable of cracking strong passwords by brute force in minutes.
Jeremi Gosney (aka epixoip) demonstrated a machine [1] running the HashCat password cracking program across a cluster of five servers equipped with 25 AMD Radeon GPUs at the Passwords^12 conference [2] in Oslo, Norway.
Gosney's system shows that even strong passwords are vulnerable once they are protected by a weak, unsalted, fast one-way hash, notably Microsoft's LM and NTLM hashes.
A 14-character Windows XP password hashed with LAN Manager (LM) can be recovered from its hash value in just six minutes. LM upper-cases the password and splits a 14-character password [3] into two seven-character halves that are hashed independently, so an attacker cracks two short passwords rather than one long one, which makes it a good deal less secure than an eight-character password protected by a hash that covers the whole string. Brute forcing an eight-character NTLM password on the same rig would take 5.5 hours, Security Ledger reports [4].
The attack works offline against leaked password hashes, not against a live login, where the system can throttle or lock out repeated guesses. Since data breaches are by no means rare, this is not much of a barrier against misuse.
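To make the two points above concrete (why an unsalted, fast hash such as NTLM can be brute forced offline from a leaked hash, and why LM's upper-casing and 7+7 split makes a 14-character password cheaper to crack than an eight-character NTLM one), here is an added example that is not part of the article or of Gosney's tooling. It implements MD4 directly (NTLM is MD4 over the UTF-16LE password, with no salt) so it has no dependency on OpenSSL's legacy provider, runs a tiny offline brute force against a constructed hash, and compares the effective key spaces. The hash-rate figure, the charset and the sample password are assumptions chosen for the example.

```python
"""Offline NTLM cracking and LM-vs-NTLM key-space comparison.
Added example, not code from the article or from Hashcat."""
import itertools
import struct

_MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (three rounds of 16 steps, little-endian)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        # Round 1: F(x,y,z) = (x & y) | (~x & z); words in natural order.
        for i in range(16):
            t = (A + ((B & C) | (~B & D)) + X[i]) & _MASK
            A, B, C, D = D, _lrot(t, (3, 7, 11, 19)[i % 4]), B, C
        # Round 2: G = majority(x,y,z); words read column-wise 0,4,8,12,1,...
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            t = (A + ((B & C) | (B & D) | (C & D)) + X[k] + 0x5A827999) & _MASK
            A, B, C, D = D, _lrot(t, (3, 5, 9, 13)[i % 4]), B, C
        # Round 3: H = x ^ y ^ z; bit-reversed word order.
        for i in range(16):
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            t = (A + (B ^ C ^ D) + X[k] + 0x6ED9EBA1) & _MASK
            A, B, C, D = D, _lrot(t, (3, 9, 11, 15)[i % 4]), B, C
        a, b, c, d = ((a + A) & _MASK, (b + B) & _MASK,
                      (c + C) & _MASK, (d + D) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    """NTLM hash: MD4 of the UTF-16LE password. No salt, no work factor,
    so identical passwords give identical hashes and every guess is one MD4."""
    return md4(password.encode("utf-16le")).hex()


def crack_ntlm(target_hex: str, charset: str, max_len: int):
    """Offline brute force: enumerate every candidate up to max_len and return
    the first whose NTLM hash equals the leaked hash, or None if none matches.
    A GPU rig does exactly this, only billions of times per second."""
    target = target_hex.lower()
    for n in range(1, max_len + 1):
        for cand in itertools.product(charset, repeat=n):
            pw = "".join(cand)
            if ntlm(pw) == target:
                return pw
    return None


def ntlm_keyspace(length: int, charset_size: int = 95) -> int:
    """Guesses to exhaust all passwords of a given length over printable ASCII."""
    return charset_size ** length


def lm_effective_keyspace() -> int:
    """LM upper-cases the password (95 printable ASCII characters collapse to
    69) and hashes the two 7-character halves separately, so exhausting a
    14-character LM password costs two independent 7-character searches."""
    return 2 * 69 ** 7


def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # Constructed sample: a leaked NTLM hash of the (assumed) password "ab1".
    leaked = ntlm("ab1")
    print("recovered:", crack_ntlm(leaked, "abcdefghijklmnopqrstuvwxyz0123456789", 3))
    # Assumed rate of 1e11 NTLM hashes/s, just to compare the two key spaces.
    print("14-char LM  :", seconds_to_exhaust(lm_effective_keyspace(), 1e11), "s")
    print("8-char NTLM :", seconds_to_exhaust(ntlm_keyspace(8), 1e11), "s")
```

The ratio ntlm_keyspace(8) / lm_effective_keyspace() is roughly 445, which is why the article's 14-character LM password falls in minutes while the eight-character NTLM one takes hours on the same hardware. The defence is not a longer LM password but disabling LM hash storage and using a salted, deliberately slow password hash wherever you control the scheme.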
Services such as WPACracker and CloudCracker, a cloud-based platform for penetration testers, have already shown that older hashing schemes and short passwords are hopelessly insecure. Gosney's research further underlines the point. ®
