New GPU Cluster Can Crack Windows Passwords In Just 5.5 hours


At Passwords^12 conference held last week, Jeremi Gosney, the founder and CEO of Stricture Consulting Group unveiled a GPU computer cluster that can try as many as 350 billion guesses per second. Yes, 350 billion guesses per second! As a result, it can guess a 8 digit password containing upper- and lower-case letters, digits, and symbols in just 5.5 hours.

The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft included in every version of Windows since Server 2003. As a result, it can try an astounding 958 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft’s LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.

Even though most of the enterprises block the account after 3 wrong password attempts, this is a proof of concept that the existing password algorithms are becoming weaker day by day.

Read about it in detail from the source link below.

Source: Ars Technica

About Author

Pradeep, a Computer Science & Engineering graduate.

  • dingus

    Holy Shit!!!
    *to say the least

  • petr

    What about accout lockout policy which is by default enabled in AD. I dont believe this will work in case account locked out after say 3 unsuccessfull attemps…

    • Martin Spierings

      if you can catch the packet that contains the password, you might be able to crack it somewhere else and then try the result

    • MaxHeadroom

      You capture the PW hash off the wire. Then you run your “guess(es)” through the same hashing algorithm the OS is using. if the hashes match you have the password.

  • MaxHeadroom

    That’s not cracking – it’s brute forcing.
    Cracking would be reversing the encryption, which is virtually impossible with OS passwords (one-way encryption).

  • GGlazer

    Wow now there’s my render farm wet dream!!! That’s a lot of GPU’s!

  • GGlazer

    Wow now there’s my render farm wet dream!!! That’s a lot of GPU’s!