25-GPU cluster will crack all 8-character Windows passwords in hours


Setting a minimum password length of eight characters is no longer an adequate defense against password crackers. A password-cracking expert has assembled a small computer cluster from 25 Radeon graphics cards and other off-the-shelf computer parts. The resulting cluster is reportedly capable of 350 billion guesses per second against the NTLM password hashes used by Windows Server.

At that rate it can brute-force every possible eight-character password drawn from the 95 printable ASCII characters (upper- and lower-case letters, digits and symbols) in 5.5 hours or less.

As described by Ars Technica, the Linux-based GPU cluster runs the Virtual OpenCL (VCL) cluster platform to pool the processing power of the graphics cards across its nodes. A freely available GPU-optimized password-cracking suite, ocl-Hashcat-plus, performs the actual password cracking.

To be clear, the attack described above is an "offline" attack: the attackers have already obtained a copy of the hashed password store (for NTLM, the SAM or Active Directory database) and can test guesses against it at GPU speed, with no account lockout or rate limit to slow them down. NTLM makes this especially cheap because each guess costs a single unsalted MD4 computation, and identical passwords always produce identical hashes. A successful crack recovers the original password, which can then be tried against other systems where the same password is reused. Of course, a company whose password database has been stolen has many other things to worry about too.

Interestingly, just last week I asked TechWatch readers for their opinion on the relevance of enforcing password complexity, in my editorial titled "Striking a balance with passwords". The general consensus was that password complexity doesn't provide a good defense, and readers highlighted that the definition of a sufficiently complex password may vary widely.

For example, Mauricio Prinzlau responded via Google+ to note that an online backup service actually rated "123456" as a strong password. Overall, two-factor authentication was considered the right direction to take on the authentication front.

