Super Password Guesser



KG4CGC
12-10-2012, 07:12 PM
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

25-GPU cluster cracks every standard Windows password in <6 hours

A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.
The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 95^8 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft's LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.


I'm just wondering, who will be the first to get their hands on one? Governments or organized crime?

WN9HJW
12-10-2012, 07:28 PM
Deleted

NQ6U
12-10-2012, 07:44 PM
What's the difference ?

Bzzzzzzzzt! Cliche. Please try again.

n2ize
12-10-2012, 10:41 PM
I don't want a wing wong.

KJ3N
12-11-2012, 12:36 AM
What's the difference ?

With Republicans in charge? Nothing.

See? Two can play this game. :roll:

n2ize
12-11-2012, 09:17 AM
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

25-GPU cluster cracks every standard Windows password in <6 hours




I'm just wondering, who will be the first to get their hands on one? Governments or organized crime?

The first to get their hands on one is the one who already has it.

N8YX
12-11-2012, 09:23 AM
We built one of those four years ago. An 8-character credential - regardless of composition - took about two hours to break. This construct leveraged a combination of brute-force and rainbow table techniques.

n2ize
12-11-2012, 09:34 AM
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

25-GPU cluster cracks every standard Windows password in <6 hours




I'm just wondering, who will be the first to get their hands on one? Governments or organized crime?

So, is a standard Window$ password limited to only 8 characters? At 350 billion brute force guesses per second it comes to about 5.4 hours to generate all possible 8 character passwords from a 95 character set. Now, if we double the amount of characters allowed to 16 characters and assume the same guess rate it will take an astounding 3.5 x 10^16 hours (think how many years that is) to generate every possible password. Even if we increase the size of the password to just 10 characters it will take 47518,8 hours or approx 8000x the number of hours required for an 8 character password. Even a 12 character password would require approximately 428 million hours.

Sooo... it seems like this method is thwarted by using passwords larger than 8 characters, preferably > 10 characters.

W5GA
12-11-2012, 09:43 AM
I tried something like this at a bank I worked at once upon a time, using a piece of software. To crack every employee's password took my desktop PC about 2 hours. This was in the days of W95/98.

X-Rated
12-11-2012, 11:35 AM
We have Gmail at work. We now have an option to have a 6 character word sent to us via cellphone text so when we correctly place the password, we have to get the text word correct. So there is a second layer of protection for that email.

Dunno if they can crack that or not.

WØTKX
12-11-2012, 11:49 AM
Use nonsense phrases with number and symbol replacements. Most of my critical ones are over eight characters.

NY3V
12-11-2012, 12:19 PM
Use nonsense phrases with number and symbol replacements. Most of my critical ones are over eight characters.

You mean like: "Raising Taxes Kills Jobs 4 those MF@#$%^&*ing Liberals" ??? ;)

WØTKX
12-11-2012, 01:38 PM
In your case, that one was cracked by the NSA. Months ago. :omg:

n2ize
12-11-2012, 07:59 PM
Use nonsense phrases with number and symbol replacements. Most of my critical ones are over eight characters.

BINGO !! See my post above. Unless I am extremely ditzy, increasing the length dramatically increases the time required for a brute force attack to the point where it is impractical.
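The length-versus-time arithmetic discussed in the thread, as an added example that is not part of any poster's message: it computes the worst-case exhaustive-search time for the 95-character set at the 350 billion guesses per second quoted above, and turns it into a minimum-length check for a password policy. The 100-year budget and the 1000x attacker speed-up are assumptions chosen for illustration.

```python
# Added example: exhaustive-search time versus password length.
# CHARSET and RATE come from the thread; the 100-year budget and the
# 1000x speed-up used in the demo are assumptions chosen for illustration.
# Models exhaustive search only: a guessable password falls to dictionary
# and rule-based guessing long before the keyspace is exhausted.
CHARSET = 95                # printable ASCII characters
RATE = 350_000_000_000      # NTLM guesses per second quoted for the cluster
HOURS_PER_YEAR = 8766       # 365.25 days

def keyspace(length, charset=CHARSET, exact=True):
    """Candidates of exactly `length` characters, or of 1..length if not exact."""
    if exact:
        return charset ** length
    # Geometric series: charset + charset^2 + ... + charset^length
    return (charset ** (length + 1) - charset) // (charset - 1)

def hours_to_exhaust(length, rate=RATE, charset=CHARSET, exact=True):
    """Worst-case hours to try every candidate at `rate` guesses per second."""
    return keyspace(length, charset, exact) / rate / 3600

def min_length(budget_hours, rate=RATE, charset=CHARSET):
    """Shortest length whose full keyspace takes longer than the budget."""
    length = 1
    while hours_to_exhaust(length, rate, charset) <= budget_hours:
        length += 1
    return length

if __name__ == "__main__":
    for n in (8, 10, 12, 16):
        print(f"{n:2d} chars: {hours_to_exhaust(n):.4g} hours")
    budget = 100 * HOURS_PER_YEAR
    print("min length, 100-year budget:", min_length(budget))
    print("same, attacker 1000x faster:", min_length(budget, rate=RATE * 1000))
```

Each added character multiplies the work by 95, so a thousandfold faster attacker is offset by two more characters.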