New Password Recovery Technique Uses CPU and GPU Together

BaCa writes to mention that a new hardware/software combination has been created by a company called ElcomSoft that will reportedly allow cryptography professionals to build cheap PCs that work like supercomputers for the specific task of retrieving lost passwords. Utilizing a combination of the CPU and the GPU the task of brute forcing a password may be reduced by as much as a factor of 25. "Until recently, graphic cards' GPUs couldn't be used for applications such as password recovery. Older graphics chips could only perform floating-point calculations, and most cryptography algorithms require fixed-point mathematics. Today's chips can process fixed-point calculations. And with as much as 1.5 Gb of onboard video memory and up to 128 processing units, these powerful GPU chips are much more effective than CPUs in performing many of these calculations."

What's the point?

So what, will hackers be able to use my computer to crack my password 25 times faster now?

Re:What's the point?

If they have access to your video card, they can peek behind the pixels to see what's under the "*******". I think. Or something.

Re:What's the point?

Heh. Little do they know that ********* is my password!

Ob. Bash Quote

Cthon98> hey, if you type in your pw, it will show as stars
Cthon98> ********* see!
AzureDiamond> hunter2
AzureDiamond> doesnt look like stars to me
Cthon98> AzureDiamond> *******
Cthon98> thats what I see
AzureDiamond> oh, really?
Cthon98> Absolutely
AzureDiamond> you can go hunter2 my hunter2-ing hunter2
AzureDiamond> haha, does that look funny to you?
Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
AzureDiamond> thats neat, I didnt know IRC did that
Cthon98> yep, no matter how many times you type hunter2, it will show to us as ******
AzureDiamond> awesome!
AzureDiamond> wait, how do you know my pw?
Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 ause its your pw
AzureDiamond> oh, ok.

Just wonderful

now IT departments will require passwords to be 30 characters long, with at least 2 digits, at least 2 puncuation marks, mixed case, and use Unicode characters from at least 8 different international languages.

Re:Just wonderful

I used to think the same. "Eight characters is enough for now, but it's only a matter of time..."

Then I realized that this doesn't mean IT departments will require longer passwords. Rather, this is the death of the password, in place of other authentication methods (smartcard, biometrics, others, and combinations of everything).

It won't be immediate, or close to it... but a 25x increase in the speed of bruteforcing passwords will certaintly speed up the process by which passwords are obseleted.

Not really: just add 1 letter

Add 1 letter and you've increased the time it takes to hack by 26x (although it's probably closer to 100x with punctuation and the like). So 25x is irrelevant. So is 250x. Only something that makes it non-exponential would really make a difference.

Re:Just wonderful

There is nothing magical about biometrics, at the end of the day it is still a regular old password comprised of 1s and 0s

Except that you can't change the password when it's compromised.

Re:Just wonderful

I guess they are going to have to start making long, rectangular post-it notes now.

Government Motto

If brute force isn't working... you aren't using enough of it.

Re:Government Motto

it is important to realize that any lock can be picked with a big enough hammer.
-Sun System & Network Admin manual

From TFA:

For example, the logon password for Windows Vista might be an eight-character string composed of uppercase and lowercase alphabetic characters. There would about 55 trillion (52 to the eighth power) possible passwords. Windows Vista uses NTLM hashing by default, so using a modern dual-core PC you could test up to 10,000,000 passwords per second, and perform a complete analysis in about two months. With ElcomSoft's new technology, the process would take only three to five days, depending upon the CPU and GPU.

I can't tell if the proper response to this is to recommend longer passwords or advise against using Windows Vista

Oh wait, both.

Re:From TFA:

Or to just stop using passwords. Why can't I login with a USB key that has some piece of information which is signed using my private key on it?

Re:From TFA:

If you are connecting to Linux or a BSD or anything else that runs openssh, then you can have something along these lines now. Setup an openssh DSA key, copy the public key to whatever machines you need to log into and then you can disable password logins in /etc/ssh/sshd_config altogether. If you are running Linux then for extra credit configure pam_ssh to get single sign on with an ssh key agent. If you are running windows as your client then you will have to make do with putty and pagent.

Passwords are so last century.

Re:From TFA:

True, but it you create an easy way for a user to disable their own account this isn't as much of a problem. Create a 1.800 where you put in a (much easier) password that will allow you to disable access to your account. This way, if your key gets stolen, you just go into I.T. in the morning and have them issue you a new one.

Not to mention the fact that when talking about password, your biggest enemy is some phiser sitting in russia....who is NOT very likely to fly to the states to steal your key. If your data actually is important enough to justify a hiring somebody to steal it, then chances are you are using biometrics/bullets to lock people out anyhow. If you're not, then tell you CIO to stop spending money on frosted glass NOCs that are suspended from the ceiling above your data center that is kept at a constant 42 degress and tell him to start spending it on real engineers.

Pricing, What About SLI/CrossFire?

Pricing for these apps is pretty steep [elcomsoft.com] at $1,299 per machine license. Well, maybe not so steep if you consider how valuable it could be for you. It doesn't say if that has the GPU utilization with it yet or not.

Also, I wonder if they've investigated using SLI & CrossFire with these. That seems like something obvious to me but not included in the article. I'm unaware of their implementation but it sounds like it could be parallelized--and accross 2 or even 4 cards, that could get hilariously powerful.

Re:Pricing, What About SLI/CrossFire?

And how much more efficient is this than using http://en.wikipedia.org/wiki/Ophcrack">Rainbow tables [wikipedia.org]. Using rainbow tables, Ophcrack can break passwords in seconds.

Nice euphemism

"Password Recovery" sounds so much more benign than "Cracking Passwords".

Hello, Mr. Orwell. *wave*

Finally,

I can now release the 12,000 monkeys I kidnapped for the task.

How does this qualify for a patent?

What seems to have been missed in the discussion so far is that this company is applying for a patent on their technique, which they claim is "revolutionary." I really hope that this doesn't get granted, as it would open a whole new realm of stupid patents for "X on a graphics card," which is about as stupid a patent as "X on the internet."

Not so new but still neat.

This project has been around for a long time: http://www.gpgpu.org/ [gpgpu.org] Though I agree modern GPU's are even more useful for general purpose computing.

Cool, but a Linux Boot CD would be ALOT cheaper...

Petter Nordahl-Hagen's Offline NT Password & Registry Editor: http://home.eunet.no/~pnordahl/ntpasswd/ [eunet.no]
NOTE: Tested on: NT 3.51, NT 4 (all versions and SPs), Windows 2000 (all versions & SPs), Windows XP (all versions, also SP2), Windows Server 2003 (all SPs), Vindows Vista 32 and 64 bit.

Irony? ("...by a company called ElcomSoft...")

I'm just wondering, should I take the summary as intentionally ironic (i.e. as if it had referred to an operating system "by a company called Microsoft"), or should I assume it was written by someone *fascinatingly* oblivious to the recent history of decryption software and the disputed legalities thereof? An informed, non-ironic summary would simply say, "...by ElcomSoft...", of course.

For any of you who may have been living under a rock (possibly on another planet), ElcomSoft is the company that was employing Dmitry Sklyarov, who was arrested in the US on DMCA charges when he'd come to present at a conference. Wikipedia has more [wikipedia.org].

Poorly written article

And with as much as 1.5 Gb of onboard video memory

Not knowing the difference between a bit and a byte == Fail.

ElcomSoft has discovered and filed for a US patent on a breakthrough technology ... harnessed the combined power of a PC's Central Processing Unit and its video card's Graphics Processing Unit. The resulting hardware/software powerhouse will...

Referring to the (obvious) use of a new library/sdk from NVIDIA to improve performance of an existing application as the "discovery of a breakthrough technology" ==
Fail.

...allow cryptology professionals to build affordable PCs that will work like supercomputers when recovering lost passwords.

Cut and pasted from "How to write with spin for dummies"
Fail.

...will be incorporating this patent-pending technology into their entire family of enterprise password recovery applications.

Corporate press release copy and paste == Fail.

Numerous grammatical errors == Fail.

Re:Something is wrong with computer priorities

Why is the GPU a processor dedicated to nothing but "pretty graphics" so much more powerful than the central multi-purpose processor even at the things like number-crunching?

You need to rephrase your question, because it makes an incorrect assumption. Here:

Why is the GPU a processor dedicated to nothing but "pretty graphics" so much more powerful than the central multi-purpose processor especially at the things like number-crunching?

The answer is obvious if you think about it: those "pretty graphics" are a huge number crunching problem. That's all there is to it. GPU's, however, aren't very good at tasks that don't do exactly the same thing huge numbers of times. This is true of most applications. Including the applications that run on the PC to control what the GPU does in stuff like what the story's talking about.

Is it because the GPU engineers can completely redo the thing from scratch whenever they want to, whereas the CPU-designers are held back by the backwards-compatibility issues?

Partially. Modern GPUs have (I think -- I don't keep up to date) 256 bit wide memory interfaces, running at close to gigahertz speed. This means they can transfer to and from their memory at about 4 times the rate a PC can. This is possible because (1) graphics card manufacturers don't mind the types of memory they use changing on a virtually model-by-model basis and (2) they also don't mind being stuck with non-expandable memory that's soldered directly onto the card right next to the GPU.

It's also because GPU engineers can sacrifice a lot of the flexibility of a PC. So what if the pipeline stalls if all 32 threads aren't doing exactly the same thing at the same time? Most of the time, they will be.

Computer Science teaches, programmers aren't supposed to have to do "tricks" like this -- you code, and the translator (compiler or intepreter) will translate from your programming language to the hardware instructions.

So why did my CS course have a module where we learned how the hardware worked? About memory hierarchies? About SISD, SIMD and MIMD processors? Why does Knuth's The Art of Computer Programming, possibly the most important book ever written on CS, approach problems at an assembly language level? Why, in my CS course, did I learn two different kinds of assembly language (one CISC, one RISC)?

Because CS is concerned with a holistic view of computers. With the fact that they are machines for executing instructions, and what can be done with those instructions. With the fact that it may be more efficient not to specify that much detail, but also the fact that, from time to time, you do need to do that.