Graphics hardware able to decimate security in minutes.
No actual specifics on how long it took them to break passwords of specific lengths?
Presumably this sort of attack is only useful for encrypted files and the like - with things like online banking/email accounts, Windows logon, etc immune? Being as how all of these will likely block access for minutes or hours, or provide images to verify you're not a machine.
Interesting stuff though.
Any properly thought-out encryption software will do several, even hundreds of rounds of hashing on passwords to counter passphrase bruteforcing. And as above, it's fairly useless against websites because of the time it takes to refresh pages and the fact you will be locked out of most sites for trying a few thousand passwords. Maybe it's useful for opening passworded Word documents or something? Other than that it's a bit of a non-issue really, just a bit of scaremongering thought up by a few GPU programmers...
Edit: I've just found what I think is the original article here, and firstly I lose a lot of respect for anyone who claims to be a computing expert then uses teraflop as the singular version of teraflops, but they also hint towards this cutting down time to break a password from days to hours. TBH, if your security setup takes just days to crack there's something catastrophically wrong with it in the first place. As I said, any good encryption software should do some form of key strengthening to prevent attacks like this.
Last edited by watercooled; 17-08-2010 at 12:52 PM.
Think the article is more about the fact that GPUs are capable of doing such a thing as code breaking. Doesn't really state there is a practical use for it, other than throwing theories around.
Hmmm, they specifically mention CUDA..
Not that I'm suspicious like..
I'd hazard a guess from my own GPU experience and just used the GPU as a random number generator, which generated the possible passwords. Then offloaded the 'attempts' section to the CPU, because that cannot be done on the GPU. A 260 will happily generate 2 billion random numbers a second, depending on your algorithm (the 2b/sec was a SOBOL I think).
But you're right, any system which locks you out after x attempts will be useless, or any system which requires a round trip of latency ping will also be useless to brute force.
I don't see random number generation as a big problem, or requirement for that matter here. If you're bruteforcing a human-created passphrase it's unlikely it will consist of random noise so you should ideally use some form of dictionary attack, trying words, phrases, replacing s with $ and so on. If you're going to try using random keys you'd be best off directly attacking the encryption keys as you avoid the extra computation needed for the key strengthening, but give yourself a few billion years anyway.
Let's not forget plenty of people leak hashed passwords from their database, via injection attacks et al.
However, most people dumb enough to allow that, also haven't salted the hash, so a simple rainbow table will show it.
As mentioned a plug for CUDA?
throw new ArgumentException (String, String, Exception)
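Added example (not part of any post in this thread): the key strengthening and per-password salting mentioned in the posts above, sketched in Python with PBKDF2-HMAC-SHA256 next to a single unsalted hash. The iteration count, user names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware


def fast_unsalted(password):
    """One unsalted SHA-256 pass: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def stretch(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. Returns the record to store: (salt, iterations, key)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def verify(password, record):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    salt, iterations, expected = record
    return hmac.compare_digest(stretch(password, salt, iterations)[2], expected)


def duplicate_count(values):
    """How many stored values repeat, i.e. visibly share a password with another user."""
    values = list(values)
    return len(values) - len(set(values))


# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse"}


def demo():
    unsalted = {u: fast_unsalted(p) for u, p in USERS.items()}
    stretched = {u: stretch(p) for u, p in USERS.items()}
    return unsalted, stretched


if __name__ == "__main__":
    unsalted, stretched = demo()
    print("repeated unsalted digests:", duplicate_count(unsalted.values()))
    print("repeated salted keys:", duplicate_count(r[2] for r in stretched.values()))
    print("bob's password checks out:", verify("letmein", stretched["bob"]))
```

With the salted records, a precomputed table built for one salt is of no use against another, and every offline guess costs the full iteration count instead of one hash.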
RNG would help determine the random bitshifts required in each segregation of password generation. But you're right - dictionary based attack would help, but that's not GPU possible.
I was trying to suggest a way in which the GPU was used.
Yeah a GPU could be used for RNG but it's not that computationally intensive, not compared to trying the passwords at least. I mean it could offload some of the work from the CPU but it's not going to make a huge difference. I'm not entirely sure what CUDA is capable of, maybe it could do some of the cryptographic functions i.e. hashing/decryption? It's all very well them telling you it cracks passwords, but what bit is it doing exactly?
RNG is actually quite computationally intensive - it's making leaps and strides in the finance industry (which essentially runs on RNGs), where they're replacing dual Xeon boxes with a single GTX280 and getting a 10x to 200x increase in output.
CUDA runs on the SIMD principle - if it can apply an operation to lots of multiple data (think matrix multiplication), then CUDA is useful. It can't manipulate anything other than input values and mathematical operations thereof.
Cryptographic functions in terms of decryption (as far as I understand) are inherently serial. I guess hashing is parallel, but CUDA doesn't include any hashing functions, so you have to build your own inside each kernel (which is possible if you require less than 63 floats). If you can do the serial access over 1000s of different data, then NVIDIA GPUs can be used also.
To get the optimum speed out of an NVIDIA GPU, because the memory latency access is so large, you need approx 20x calculations per memory read per thread. Optimising CUDA code to get the speed advantage over CPU logic can be tricky sometimes. I'm currently working with highly parallel systems, so CUDA/GPU is great for what I do.
It depends.
Direct input, that is generating a password then trying it against a live system, isn't very effective because of lockouts etc.
However, if you manage to get a copy of the password hash, and know the algorithm used, you're just trying to brute force offline data, so you're free to try it as many times as it takes.
Given the number of reports about "lost" or "compromised" sites that use passwords, the latter seems ever more plausible, especially if you can brute force them before people have time to change their passwords.
This news doesn't worry me in the slightest. In reality it's only made getting into badly secured systems and the first layer of security in wireless networks quicker. You cannot brute force a properly secured system that you don't have more or less unrestricted physical access to, in which case it's either a stolen laptop or you work for the company you're trying to get in to.
Getting through full HDD encryption is irrelevant as all full disk encryption software recommends 20 character passwords or better which will still take an army of GPUs millions of years to crack through brute force.
"In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."