At the Passwords^12 conference held last week, Jeremi Gosney, the founder and CEO of Stricture Consulting Group, unveiled a GPU computer cluster that can try as many as 350 billion guesses per second. Yes, 350 billion guesses per second! As a result, it can guess an 8-character password containing upper- and lower-case letters, digits, and symbols in just 5.5 hours.
The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 95^8 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft’s LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.
Even though most enterprises lock an account after 3 wrong password attempts, this is a proof of concept that existing password hashing algorithms are becoming weaker day by day.
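To see what the reported NTLM rate means for a length policy, the following added example (not from the original article or from Stricture Consulting Group) computes the worst-case time to exhaust a keyspace and the shortest length that holds out for a chosen period. It assumes a pure brute-force search over the 95 printable ASCII characters at a constant 350 billion guesses per second; the function names are hypothetical.

```python
# Assumptions: figures taken from the article; exhaustive search, constant rate.
GUESSES_PER_SECOND = 350e9   # NTLM guess rate reported for the 25-GPU cluster
CHARSET_SIZE = 95            # upper, lower, digits and symbols (printable ASCII)


def keyspace(length, charset=CHARSET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return charset ** length


def hours_to_exhaust(length, rate=GUESSES_PER_SECOND, charset=CHARSET_SIZE):
    """Worst-case hours to try every password of exactly `length` characters."""
    return keyspace(length, charset) / rate / 3600


def min_length_for(target_hours, rate=GUESSES_PER_SECOND, charset=CHARSET_SIZE):
    """Shortest length whose full keyspace takes at least `target_hours`."""
    length = 1
    while hours_to_exhaust(length, rate, charset) < target_hours:
        length += 1
    return length


if __name__ == "__main__":
    # Each extra character multiplies the worst-case time by the charset size.
    for n in range(6, 13):
        print(f"{n:2d} chars: {hours_to_exhaust(n):.3g} hours worst case")
    print("length to hold 1 year:  ", min_length_for(365 * 24))
    print("length to hold 10 years:", min_length_for(10 * 365 * 24))
```

The eight-character case works out to a little over five hours, in line with the roughly 5.5 hours reported; passing a lower `rate` shows how a slower hash function shifts the same table.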
Read about it in detail from the source link below.
Source: Ars Technica