25-GPU cluster can brute force Windows password in record time
By Shawn Knight
Jeremi Gosney, the founder and CEO of Stricture Consulting Group, recently showcased a GPU-based computer cluster capable of brute forcing its way through any standard eight-character Windows password (drawn from upper- and lower-case letters, digits and symbols) in less than six hours.
The machine, powered by 25 AMD Radeon graphics cards, runs the Virtual OpenCL (VCL) cluster platform, which lets all of the machines and their GPUs act as a single computer. With this configuration, Gosney was able to use a password-cracking suite called ocl-Hashcat Plus that is designed specifically for GPU computing.
The cluster targets NTLM password hashes, the format Windows has used to store passwords in every version since Server 2003 (the NT hash is an unsalted MD4 of the UTF-16LE password, so each guess costs a single cheap hash computation), and is able to generate and test 350 billion password guesses per second. Once the math is factored in (95 possible characters in each of eight positions, or 95^8, roughly 6.6 quadrillion candidates), that equates to every possible password combination in only five and a half hours. Gosney said they can now attack hashes about four times faster than they previously could.
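To make the "every combination in five and a half hours" figure concrete, here is an added worked example (not code from the article, from Gosney, or from the hashcat project) that computes the keyspace of a hashcat-style mask and the worst-case time to exhaust it at the article's 350 billion guesses per second. The charset sizes are hashcat's built-in mask classes (?l, ?u, ?d, ?s, ?a, ?b); the policy-shaped masks tried in main() are constructed for illustration.

```python
"""Keyspace and time-to-exhaust estimates for mask-based brute force.

Added worked example; not code from the article or from the cluster it describes.
Charset sizes follow hashcat's built-in mask classes; the guess rate is the
350 billion NTLM guesses per second the article reports.
"""

# Built-in hashcat mask classes and the number of characters each covers.
MASK_CLASSES = {
    "l": 26,   # ?l  a-z
    "u": 26,   # ?u  A-Z
    "d": 10,   # ?d  0-9
    "s": 33,   # ?s  printable ASCII punctuation and symbols, including space
    "a": 95,   # ?a  all printable ASCII (?l + ?u + ?d + ?s)
    "b": 256,  # ?b  any byte 0x00-0xff
}

GUESSES_PER_SECOND = 350_000_000_000  # rate reported for the 25-GPU cluster


def keyspace(mask: str) -> int:
    """Number of candidates described by a hashcat-style mask, e.g. "?u?l?l?l?d?d".

    Literal characters contribute one possibility each; "??" is a literal '?'.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            cls = mask[i + 1]
            if cls == "?":                 # escaped literal question mark
                factor = 1
            elif cls in MASK_CLASSES:
                factor = MASK_CLASSES[cls]
            else:
                raise ValueError(f"unknown mask class ?{cls}")
            total *= factor
            i += 2
        else:                              # literal character: exactly one choice
            i += 1
    return total


def seconds_to_exhaust(mask: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in the mask at `rate` guesses/second."""
    return keyspace(mask) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years, days, hours, ...)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"


def main() -> None:
    # Constructed masks: full-charset brute force at 8, 9 and 10 characters,
    # plus two "policy-shaped" masks a human might actually choose.
    masks = ["?a" * 8, "?a" * 9, "?a" * 10,
             "?u?l?l?l?l?l?d?d",      # e.g. Summer12
             "?u?l?l?l?l?l?d?d?s"]    # e.g. Summer12!
    for m in masks:
        print(f"{m:24} {keyspace(m):>26,d} candidates  {human(seconds_to_exhaust(m))}")


if __name__ == "__main__":
    main()
```

Each additional full-charset position multiplies the work by 95, which is the arithmetic behind the nine-character advice at the end of the article (95^9 at this rate is about three weeks rather than five hours). The policy-shaped masks show the other side of the coin: a nominally eight-character password of the form Capital + five lowercase + two digits has only about 3×10^10 candidates, under a tenth of a second at 350 billion guesses per second, so character-class rules alone do not buy much against an offline attacker.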
VCL virtualization is essentially what makes a system like this possible. GPU computing isn't exactly new but hardware and software limitations have thus far prevented most people from running more than eight graphics cards on a single computer.
"Before VCL people were trying lots of different things to varying degrees of success," Gosney told Ars Technica. "VCL put an end to all of this, because now we have a generic solution that works right out of the box, and handles all of that complexity for you automatically. It's also really easy to manage because all of your compute nodes only have to have VCL installed, nothing else. You only have your software installed on the cluster controller."
It's worth pointing out that this method only applies to offline attacks, where the attacker already holds a copy of the hashes and can test guesses locally at full speed. Online guessing against a live login is a different matter, because most websites (and Windows account lockout policies) limit the number of incorrect attempts before locking the account or enforcing a waiting period.
Either way, experts suggest using a password that is at least nine characters long and doesn't contain names, dictionary words or common phrases. Each extra character drawn from the full set multiplies the attacker's work by 95, which turns a five-hour exhaustive search into weeks at nine characters and years at ten.