25 GPU Monster

contalis

Joined: 5 Dec 01
Posts: 28
Credit: 8,677,885
RAC: 1,146
United States
Message 1364648 - Posted: 5 May 2013, 0:59:39 UTC

New 25 GPU Monster Devours Passwords In Seconds ...
https://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/
.. using spare cycles for bitcoins, not BOINC :(

ID: 1364648 · Report as offensive
Grant (SSSF)
Volunteer tester

Joined: 19 Aug 99
Posts: 7475
Credit: 90,902,818
RAC: 45,349
Australia
Message 1364649 - Posted: 5 May 2013, 1:07:04 UTC - in response to Message 1364648.

.. using spare cycles for bitcoins, not BOINC :(


"Gosney said he plans to “make a bit of money” off his invention, either by renting out time on it or by offering it as a paid password recovery and domain auditing service. “I have way too much invested in this to not get some kind of return out of it,” he wrote."
No bit coins there.
Grant
Darwin NT

ID: 1364649 · Report as offensive
Darth Beaver
Joined: 20 Aug 99
Posts: 6357
Credit: 15,593,194
RAC: 1,051
Australia
Message 1364651 - Posted: 5 May 2013, 1:16:03 UTC - in response to Message 1364649.

Wow, he would have to be careful renting it out to crack passwords; some con artist might just come up with a clever plan to con him into cracking something he shouldn't.

very Risky



ID: 1364651 · Report as offensive
Grant (SSSF)
Volunteer tester

Joined: 19 Aug 99
Posts: 7475
Credit: 90,902,818
RAC: 45,349
Australia
Message 1364652 - Posted: 5 May 2013, 1:18:27 UTC - in response to Message 1364651.


A smaller and cheaper option.

External Graphics unit


Grant
Darwin NT

ID: 1364652 · Report as offensive
Darth Beaver
Joined: 20 Aug 99
Posts: 6357
Credit: 15,593,194
RAC: 1,051
Australia
Message 1364742 - Posted: 5 May 2013, 11:20:33 UTC - in response to Message 1364652.
Last modified: 5 May 2013, 11:21:19 UTC


A smaller and cheaper option.

External Graphics unit


Not sure if you read the whole thing, but at the end he says for non-Mac users it's not worth the 2 grand price tag, but for the silly Mac users it's their only option.

Oh, sorry to the Mac users, but I hate Apple.

ID: 1364742 · Report as offensive
Bernie Vine
Volunteer moderator
Volunteer tester
Joined: 26 May 99
Posts: 8580
Credit: 43,056,455
RAC: 21,053
United Kingdom
Message 1364743 - Posted: 5 May 2013, 11:24:47 UTC - in response to Message 1364742.
Last modified: 5 May 2013, 11:25:02 UTC


A smaller and cheaper option.

External Graphics unit


Not sure if you read the whole thing, but at the end he says for non-Mac users it's not worth the 2 grand price tag, but for the silly Mac users it's their only option.

Oh, sorry to the Mac users, but I hate Apple.

No problem, I hate Microsoft and Linux more!!
"Sometimes it is the people no one imagines anything of who do the things that no one can imagine."

ID: 1364743 · Report as offensive
Darth Beaver
Joined: 20 Aug 99
Posts: 6357
Credit: 15,593,194
RAC: 1,051
Australia
Message 1364745 - Posted: 5 May 2013, 11:27:45 UTC - in response to Message 1364743.


A smaller and cheaper option.

External Graphics unit


Not sure if you read the whole thing, but at the end he says for non-Mac users it's not worth the 2 grand price tag, but for the silly Mac users it's their only option.

Oh, sorry to the Mac users, but I hate Apple.

No problem, I hate Microsoft and Linux more!!



fair enough lolololo

ID: 1364745 · Report as offensive
Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 14907
Credit: 2,127,923
RAC: 818
Ireland
Message 1364848 - Posted: 5 May 2013, 17:30:05 UTC

Interesting article. Gives rise to a serious debate on this. I noted that the article refers to wordlist, dictionary & brute force attacks.

So what if no dictionary or wordlist is used to create a password, what would it take to crack?

For example, I use an 18 character alpha numeric one that doesn't use any words as such or any other obvious one like D.O.B etc.


ID: 1364848 · Report as offensive
Grant (SSSF)
Volunteer tester

Joined: 19 Aug 99
Posts: 7475
Credit: 90,902,818
RAC: 45,349
Australia
Message 1364965 - Posted: 5 May 2013, 21:15:25 UTC - in response to Message 1364848.

So what if no dictionary or wordlist is used to create a password, what would it take to crack?

That would require a brute force attack.

Grant
Darwin NT

ID: 1364965 · Report as offensive
Cosmic_Ocean
Joined: 23 Dec 00
Posts: 2871
Credit: 10,620,227
RAC: 301
United States
Message 1364987 - Posted: 5 May 2013, 23:22:08 UTC - in response to Message 1364848.
Last modified: 5 May 2013, 23:25:26 UTC

Interesting article. Gives rise to a serious debate on this. I noted that the article refers to wordlist, dictionary & brute force attacks.

So what if no dictionary or wordlist is used to create a password, what would it take to crack?

For example, I use an 18 character alpha numeric one that doesn't use any words as such or any other obvious one like D.O.B etc.

Well.. alpha numeric, 18 characters. If you want to brute force it, then you have a-z, A-Z, 0-9. 26+26+10=62. 62 possibilities for each of the 18 characters, which means 62^18, 1.83e+32 possibilities. If we go conservative and say 10 million attempts/second, you're still looking at 1.83e+25 seconds (581,090,538,308,693,755 years).

Longer passwords take much..much longer to brute force. The addition of each character literally makes it exponentially more difficult, and mixing upper and lower case with digits and special characters increases the complexity immensely, mostly because you don't know what special characters are permitted. You could assume all the ones you see on the keyboard, but what if there were some UTF-16 characters, like the alt+code characters. Then you could quite literally be talking about 16384^[length of password].


Of course you then have alternative methods of cracking some passwords, especially hashed ones, by the use of rainbow tables, which in some cases can significantly reduce the amount of time needed to brute force a password.
Linux laptop:
record uptime: 1511d 20h 19m (ended due to the power brick giving-up)

ID: 1364987 · Report as offensive
Grant (SSSF)
Volunteer tester

Joined: 19 Aug 99
Posts: 7475
Credit: 90,902,818
RAC: 45,349
Australia
Message 1364994 - Posted: 5 May 2013, 23:43:05 UTC - in response to Message 1364987.
Last modified: 5 May 2013, 23:45:58 UTC

If we go conservative and say 10 million attempts/second, you're still looking at 1.83e+25 seconds (581,090,538,308,693,755 years).


A bit too conservative.
"In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second."

"With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours."


Of course you then have alternative methods of cracking some passwords, especially hashed ones, by the use of rainbow tables, which in some cases can significantly reduce the amount of time needed to brute force a password.

Yep, with GB of RAM & TB of storage available rainbow tables allow huge reductions in cracking times over a pure brute force attack.
Grant
Darwin NT

ID: 1364994 · Report as offensive
Darth Beaver
Joined: 20 Aug 99
Posts: 6357
Credit: 15,593,194
RAC: 1,051
Australia
Message 1364995 - Posted: 5 May 2013, 23:44:09 UTC

When I heard the most common password used today is "password" I thought, boy, people are so silly.

So how long would that box take to crack if that box was doing billions of combinations a second? And what about if you had a couple of them doing it at the same time?
My math isn't that good so I'll leave it to others to work out.



ID: 1364995 · Report as offensive
Cosmic_Ocean
Joined: 23 Dec 00
Posts: 2871
Credit: 10,620,227
RAC: 301
United States
Message 1365000 - Posted: 6 May 2013, 0:56:58 UTC

Alright, re-adjusting 62^18 for 348 billion/second, 16,698,003,974,387 years. Cuts it down a lot.

As for 'password' being brute-forced.. 26^8 divided by 348B/sec = 0.600077771 seconds. Of course, a simple word like "password" would definitely be in a dictionary, but before even trying any sort of expensive cracking methods.. most smart people would just simply try that manually first. :)

I've dabbled in trying to recover some ZIP archive passwords before, and you always start with all lower-case and a maximum of 8 characters first. On an old P3 machine, I let it run for two weeks and it only made it to 5 or 6 characters, and the high-order character (left-most) was I think a C or a D. Dictionaries are the first thing you should try, and a really good dictionary can still be 10-15GB of possibilities. I actually have a dictionary on a flash drive that is 2.7GB.. and it is just a simple text file.


Linux laptop:
record uptime: 1511d 20h 19m (ended due to the power brick giving-up)

ID: 1365000 · Report as offensive
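
The arithmetic from the posts above, generalized into a small calculator; this is an added example, not part of any poster's message. It assumes printable-ASCII passwords, a 365-day year (which reproduces the thread's figures) and a worst-case exhaustive search at the two guess rates quoted in the thread; the function names and sample passwords are constructed for illustration.

```python
import string

SECONDS_PER_YEAR = 365 * 24 * 3600   # 365-day year, matching the thread's figures

# Guess rates quoted in the thread, in candidates per second.
RATE_CONSERVATIVE = 10_000_000       # "10 million attempts/second"
RATE_NTLM_RIG = 348_000_000_000      # "348 billion NTLM password hashes per second"


def charset_size(password: str) -> int:
    """Size of the smallest printable-ASCII alphabet that covers the password."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),   # 32 symbols plus space: 95 in total
    )
    covered = "".join(chars for chars, _ in classes)
    if any(c not in covered for c in password):
        raise ValueError("only printable ASCII is modelled here")
    return sum(n for chars, n in classes if any(c in chars for c in password))


def exhaustive_seconds(alphabet: int, length: int, rate: int) -> float:
    """Worst-case time to try every candidate of exactly `length` characters."""
    return alphabet ** length / rate


def min_length(alphabet: int, rate: int, years: float) -> int:
    """Shortest length whose full keyspace lasts at least `years` at `rate`."""
    target = years * SECONDS_PER_YEAR * rate
    length = 1
    while alphabet ** length < target:
        length += 1
    return length


if __name__ == "__main__":
    for pw in ("password", "Xq7mT2vK9rLp4ZsB8c"):   # constructed samples
        n = charset_size(pw)
        secs = exhaustive_seconds(n, len(pw), RATE_NTLM_RIG)
        print(f"{len(pw)} chars over {n} symbols: {secs:.3g} s "
              f"({secs / SECONDS_PER_YEAR:.3g} years)")
    for n in (26, 62, 95):
        print(f"{n} symbols need {min_length(n, RATE_NTLM_RIG, 100)} chars for 100 years")
```

These figures are upper bounds for pure brute force only; a password that appears in a wordlist falls long before the keyspace is exhausted.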
Cheopis

Joined: 17 Sep 00
Posts: 150
Credit: 16,553,999
RAC: 2,109
United States
Message 1365091 - Posted: 6 May 2013, 11:19:48 UTC

But what would the bandwidth from the cracker to the crackee have to be to even allow 348 billion password attempts per second on an 18 digit password?

Isn't the limiting factor in this case simply the fact that you can't push data into the pipe fast enough, no matter how fast you try? Or are we assuming that one is trying to crack a file which is small enough to actually maintain in RAM on the GPU's themselves for each GPU to work on?

ID: 1365091 · Report as offensive
Horacio

Joined: 14 Jan 00
Posts: 536
Credit: 75,967,266
RAC: 0
Argentina
Message 1365114 - Posted: 6 May 2013, 13:03:26 UTC - in response to Message 1365091.

It's not an online crack.
It assumes the cracker got the encrypted password file and is trying to find which unencrypted text matches the ones in the file.
Brute force attacks can't be done online because most systems block the accounts after a very few failed attempts...


ID: 1365114 · Report as offensive
ignorance is no excuse
Joined: 4 Oct 00
Posts: 9529
Credit: 44,433,321
RAC: 0
Korea, North
Message 1365171 - Posted: 6 May 2013, 16:45:35 UTC - in response to Message 1365114.

Wouldn't the constant repetitive pounding of PWs lock a system?

Say someone got ahold of my login for work. If you attempt and fail the PW 3 times it locks the system ID and forces one to get an admin reset. Assuming this is a standard practice for accounts and private files, it seems slamming out a PW wouldn't be possible unless the system allowed such behavior.


In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope

End terrorism by building a school

ID: 1365171 · Report as offensive
James Sotherden
Project Donor
Joined: 16 May 99
Posts: 10133
Credit: 65,641,792
RAC: 34,989
United States
Message 1365181 - Posted: 6 May 2013, 17:08:32 UTC - in response to Message 1365171.
Last modified: 6 May 2013, 17:09:33 UTC

Wouldn't the constant repetitive pounding of PWs lock a system?

Say someone got ahold of my login for work. If you attempt and fail the PW 3 times it locks the system ID and forces one to get an admin reset. Assuming this is a standard practice for accounts and private files, it seems slamming out a PW wouldn't be possible unless the system allowed such behavior.

That's how it is where I work: 3 tries and then it's IT's turn to reset. And they don't work 3rd shift.
That's also how AOL works.

Old James

ID: 1365181 · Report as offensive
ignorance is no excuse
Joined: 4 Oct 00
Posts: 9529
Credit: 44,433,321
RAC: 0
Korea, North
Message 1365206 - Posted: 6 May 2013, 17:55:50 UTC - in response to Message 1365181.

Of course this it's not like there are some sloppy IT guys that don't care and possibly allow something like this. However, most decent workplaces and I assume secure sites wouldn't allow the constant pounding without someone being alerted to the massive attack attempts at gaining access to a person's account.


In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope

End terrorism by building a school

ID: 1365206 · Report as offensive
ExchangeMan
Volunteer tester

Joined: 9 Jan 00
Posts: 115
Credit: 153,105,818
RAC: 3,167
United States
Message 1365216 - Posted: 6 May 2013, 18:15:21 UTC

Even if there was no disabling of an account after so many unsuccessful login attempts, there's the issue of network latency. Even if this GPU monster could check billions of combinations a second, good luck with hitting that remote system at that rate. You'd probably end up with under 100 per second, maybe not even close to that.


ID: 1365216 · Report as offensive
ignorance is no excuse
Joined: 4 Oct 00
Posts: 9529
Credit: 44,433,321
RAC: 0
Korea, North
Message 1365230 - Posted: 6 May 2013, 18:48:46 UTC

It would be ok if the login in question was on a PC or HDD that someone had it on hand and could slam at it while it was connected to the beast.


In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope

End terrorism by building a school

ID: 1365230 · Report as offensive


 
©2016 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.