25 GPU Monster


contalis
Joined: 5 Dec 01
Posts: 25
Credit: 4,814,115
RAC: 14
United States
Message 1364648 - Posted: 5 May 2013, 0:59:39 UTC

New 25 GPU Monster Devours Passwords In Seconds ...
https://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/
.. using spare cycles for bitcoins, not BOINC :(

Grant (SSSF)
Joined: 19 Aug 99
Posts: 5918
Credit: 61,707,390
RAC: 20,381
Australia
Message 1364649 - Posted: 5 May 2013, 1:07:04 UTC - in response to Message 1364648.

.. using spare cycles for bitcoins, not BOINC :(


"Gosney said he plans to “make a bit of money” off his invention, either by renting out time on it or by offering it as a paid password recovery and domain auditing service. “I have way too much invested in this to not get some kind of return out of it,” he wrote."
No bit coins there.
____________
Grant
Darwin NT.

Glenn savill
Joined: 20 Aug 99
Posts: 2756
Credit: 4,211,342
RAC: 6,848
Australia
Message 1364651 - Posted: 5 May 2013, 1:16:03 UTC - in response to Message 1364649.

Wow, he would have to be careful renting it out to crack passwords; some con artist might just come up with a clever plan to con him into cracking something he shouldn't.

very Risky
____________

Grant (SSSF)
Joined: 19 Aug 99
Posts: 5918
Credit: 61,707,390
RAC: 20,381
Australia
Message 1364652 - Posted: 5 May 2013, 1:18:27 UTC - in response to Message 1364651.


A smaller and cheaper option.

External Graphics unit
____________
Grant
Darwin NT.

Glenn savill
Joined: 20 Aug 99
Posts: 2756
Credit: 4,211,342
RAC: 6,848
Australia
Message 1364742 - Posted: 5 May 2013, 11:20:33 UTC - in response to Message 1364652.
Last modified: 5 May 2013, 11:21:19 UTC


A smaller and cheaper option.

External Graphics unit


Not sure if you read the whole thing but at the end he says for non mac users not worth the 2grand price tag but for the silly mac users it's their only option

oh Sorry to the mac users but I hate apple
____________

Bernie Vine
Volunteer moderator
Volunteer tester
Joined: 26 May 99
Posts: 7134
Credit: 28,513,652
RAC: 18,895
United Kingdom
Message 1364743 - Posted: 5 May 2013, 11:24:47 UTC - in response to Message 1364742.
Last modified: 5 May 2013, 11:25:02 UTC


A smaller and cheaper option.

External Graphics unit


Not sure if you read the whole thing but at the end he says for non mac users not worth the 2grand price tag but for the silly mac users it's their only option

oh Sorry to the mac users but I hate apple

No problem, I hate Microsoft and Linux more!!
____________


Today is life, the only life we're sure of. Make the most of today.

Glenn savill
Joined: 20 Aug 99
Posts: 2756
Credit: 4,211,342
RAC: 6,848
Australia
Message 1364745 - Posted: 5 May 2013, 11:27:45 UTC - in response to Message 1364743.


A smaller and cheaper option.

External Graphics unit


Not sure if you read the whole thing but at the end he says for non mac users not worth the 2grand price tag but for the silly mac users it's their only option

oh Sorry to the mac users but I hate apple

No problem, I hate Microsoft and Linux more!!



fair enough lolololo
____________

Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 11789
Credit: 1,786,922
RAC: 1,768
Syria
Message 1364848 - Posted: 5 May 2013, 17:30:05 UTC

Interesting article. Gives rise to a serious debate on this. I noted that the article refers to wordlist, dictionary & brute force attacks.

So what if no dictionary or wordlist used to create a password, what would it take to crack?

For example, I use an 18 character alpha numeric one that doesn't use any words as such or any other obvious one like D.O.B etc.
____________

Grant (SSSF)
Joined: 19 Aug 99
Posts: 5918
Credit: 61,707,390
RAC: 20,381
Australia
Message 1364965 - Posted: 5 May 2013, 21:15:25 UTC - in response to Message 1364848.

So what if no dictionary or wordlist used to create a password, what would it take to crack?

That would require a brute force attack.

____________
Grant
Darwin NT.

Cosmic_Ocean
Joined: 23 Dec 00
Posts: 2327
Credit: 8,868,786
RAC: 781
United States
Message 1364987 - Posted: 5 May 2013, 23:22:08 UTC - in response to Message 1364848.
Last modified: 5 May 2013, 23:25:26 UTC

Interesting article. Gives rise to a serious debate on this. I noted that the article refers to wordlist, dictionary & brute force attacks.

So what if no dictionary or wordlist used to create a password, what would it take to crack?

For example, I use an 18 character alpha numeric one that doesn't use any words as such or any other obvious one like D.O.B etc.

Well.. alpha numeric, 18 characters. If you want to brute force it, then you have a-z, A-Z, 0-9. 26+26+10=62. 62 possibilities for each of the 18 characters, which means 62^18, 1.83e+32 possibilities. If we go conservative and say 10 million attempts/second, you're still looking at 1.83e+25 seconds (581,090,538,308,693,755 years).

Longer passwords take much..much longer to brute force. The addition of each character literally makes it exponentially more difficult, and mixing upper and lower case with digits and special characters increases the complexity immensely, mostly because you don't know what special characters are permitted. You could assume all the ones you see on the keyboard, but what if there were some UTF-16 characters, like the alt+code characters. Then you could quite literally be talking about 16384^[length of password].


Of course you then have alternative methods of cracking some passwords, especially hashed ones, by the use of rainbow tables, which in some cases can significantly reduce the amount of time needed to brute force a password.
____________

Linux laptop uptime: 1484d 22h 42m
Ended due to UPS failure, found 14 hours after the fact

Grant (SSSF)
Joined: 19 Aug 99
Posts: 5918
Credit: 61,707,390
RAC: 20,381
Australia
Message 1364994 - Posted: 5 May 2013, 23:43:05 UTC - in response to Message 1364987.
Last modified: 5 May 2013, 23:45:58 UTC

If we go conservative and say 10 million attempts/second, you're still looking at 1.83e+25 seconds (581,090,538,308,693,755 years).


A bit too conservative.
"In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second."

"With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours."


Of course you then have alternative methods of cracking some passwords, especially hashed ones, by the use of rainbow tables, which in some cases can significantly reduce the amount of time needed to brute force a password.

Yep, with GB of RAM & TB of storage available rainbow tables allow huge reductions in cracking times over a pure brute force attack.
____________
Grant
Darwin NT.

Glenn savill
Joined: 20 Aug 99
Posts: 2756
Credit: 4,211,342
RAC: 6,848
Australia
Message 1364995 - Posted: 5 May 2013, 23:44:09 UTC

When I heard the most common password used today is "password" I thought boy people are so silly .

SO how long would that box take to crack if that box was doing billions of combinations a second ???? and what about if you had a couple of them doing it at the same time ???
my math isn't that good so i'll leave it to others to work out
____________

Cosmic_Ocean
Joined: 23 Dec 00
Posts: 2327
Credit: 8,868,786
RAC: 781
United States
Message 1365000 - Posted: 6 May 2013, 0:56:58 UTC

Alright, re-adjusting 62^18 for 348 billion/second, 16,698,003,974,387 years. Cuts it down a lot.

As for 'password' being brute-forced.. 26^8 divided by 348B/sec = 0.600077771 seconds. Of course, a simple word like "password" would definitely be in a dictionary, but before even trying any sort of expensive cracking methods.. most smart people would just simply try that manually first. :)

I've dabbled in trying to recover some ZIP archive passwords before, and you always start with all lower-case and a maximum of 8 characters first. On an old P3 machine, I let it run for two weeks and it only made it to 5 or 6 characters, and the high-order character (left-most) was I think a C or a D. Dictionaries are the first thing you should try, and a really good dictionary can still be 10-15GB of possibilities. I actually have a dictionary on a flash drive that is 2.7GB.. and it is just a simple text file.
____________

Linux laptop uptime: 1484d 22h 42m
Ended due to UPS failure, found 14 hours after the fact

Cheopis
Joined: 17 Sep 00
Posts: 139
Credit: 11,564,690
RAC: 3,887
United States
Message 1365091 - Posted: 6 May 2013, 11:19:48 UTC

But what would the bandwidth from the cracker to the crackee have to be to even allow 348 billion password attempts per second on an 18 digit password?

Isn't the limiting factor in this case simply the fact that you can't push data into the pipe fast enough, no matter how fast you try? Or are we assuming that one is trying to crack a file which is small enough to actually maintain in RAM on the GPUs themselves for each GPU to work on?

Horacio
Joined: 14 Jan 00
Posts: 536
Credit: 75,849,336
RAC: 18,394
Argentina
Message 1365114 - Posted: 6 May 2013, 13:03:26 UTC - in response to Message 1365091.

It's not an online crack.
It assumes the cracker got the encrypted passwords file and is trying to find which unencrypted text matches the ones in the file.
Brute force attacks can't be done online because most of the systems block the accounts after a very few failed attempts...
____________

ignorance is no excuse
Joined: 4 Oct 00
Posts: 9529
Credit: 44,433,321
RAC: 0
Korea, North
Message 1365171 - Posted: 6 May 2013, 16:45:35 UTC - in response to Message 1365114.

Wouldn't the constant repetitive pounding of PWs lock a system?

Say someone got ahold of my login for work. If you attempt and fail the PW 3 times it locks the system id and forces one to get an admin reset. Assuming this is a standard practice for accounts and private files it seems slamming out a PW wouldn't be possible unless the system allowed such behavior.
____________
In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope

End terrorism by building a school

James Sotherden
Joined: 16 May 99
Posts: 9034
Credit: 36,978,189
RAC: 17,122
United States
Message 1365181 - Posted: 6 May 2013, 17:08:32 UTC - in response to Message 1365171.
Last modified: 6 May 2013, 17:09:33 UTC

Wouldn't the constant repetitive pounding of PWs lock a system?

Say someone got ahold of my login for work. If you attempt and fail the PW 3 times it locks the system id and forces one to get an admin reset. Assuming this is a standard practice for accounts and private files it seems slamming out a PW wouldn't be possible unless the system allowed such behavior.

That's how it is where I work: 3 tries and then it's IT's turn to reset. And they don't work 3rd shift.
That's also how AOL works.
____________

Old James

ignorance is no excuse
Joined: 4 Oct 00
Posts: 9529
Credit: 44,433,321
RAC: 0
Korea, North
Message 1365206 - Posted: 6 May 2013, 17:55:50 UTC - in response to Message 1365181.

Of course this it's not like there are some sloppy IT guys that don't care and possibly allow something like this. However, most decent workplaces and I assume secure sites wouldn't allow the constant pounding without someone being alerted to the massive attack attempts at gaining access to a person's account.
____________
In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope

End terrorism by building a school

ExchangeMan
Volunteer tester
Joined: 9 Jan 00
Posts: 115
Credit: 147,086,129
RAC: 61,126
United States
Message 1365216 - Posted: 6 May 2013, 18:15:21 UTC

Even if there was no disabling of an account after so many unsuccessful login attempts, there's the issue of network latency. Even if this GPU monster could check billions of combinations a second, good luck with hitting that remote system at that rate. You'd probably end up with under 100 per second, maybe not even close to that.

____________
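
An added example, not written by any poster in this thread: the keyspace arithmetic discussed above, evaluated at the three guess rates mentioned in the thread (about 100/s online, 10 million/s, and 348 billion NTLM hashes/s offline). The function names and the two sample passwords are constructed for illustration, and the figures are worst-case exhaustive search over printable ASCII, so they say nothing about how quickly a dictionary would find a common word.

```python
import string

# Guess rates quoted in this thread (guesses per second).
RATES = {
    "online, ~100/s": 100,
    "offline, 10 million/s": 10_000_000,
    "offline NTLM, 348 billion/s": 348_000_000_000,
}
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(password):
    """Smallest printable-ASCII alphabet a brute force must cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 punctuation marks plus space: 95 printable in total
    return size

def keyspace(alphabet, length, shorter_too=False):
    """Candidates of exactly `length`, or of every length from 1 to `length`."""
    if shorter_too:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length

def worst_case_seconds(alphabet, length, rate):
    """Time to try every candidate; the expected time is half of this."""
    return keyspace(alphabet, length) / rate

def humanize(seconds):
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:.3f} seconds"

def report(password):
    """Worst-case exhaustive search time for this password at each rate."""
    a, n = charset_size(password), len(password)
    return {label: humanize(worst_case_seconds(a, n, rate))
            for label, rate in RATES.items()}

if __name__ == "__main__":
    for sample in ("password", "x7Qm2Lk9Tz4Rb8Wn5P"):  # constructed samples
        print(sample, report(sample))
```
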

ignorance is no excuse
Joined: 4 Oct 00
Posts: 9529
Credit: 44,433,321
RAC: 0
Korea, North
Message 1365230 - Posted: 6 May 2013, 18:48:46 UTC

It would be ok if the login in question was on a PC or HDD that someone had it on hand and could slam at it while it was connected to the beast.
____________
In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope

End terrorism by building a school


Copyright © 2014 University of California