A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.

The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 958 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft's LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.

The Linux-based GPU cluster runs the Virtual OpenCL cluster platform, which allows the graphics cards to function as if they were running on a single desktop computer. ocl-Hashcat Plus, a freely available password-cracking suite optimized for GPU computing, runs on top, allowing the machine to tackle at least 44 other algorithms at near-unprecedented speeds. In addition to brute-force attacks, the cluster can bring that speed to cracks that use a variety of other techniques, including dictionary attacks containing millions of words.

"What this cluster means is, we can do all the things we normally would with Hashcat, just at a greatly accelerated rate," Jeremi Gosney, the founder and CEO of Stricture Consulting Group, wrote in an e-mail to Ars. "We can attack hashes approximately four times faster than we could previously."

Gosney unveiled the machine last week at the Passwords^12 conference in Oslo, Norway. He previously used a computer equipped with four AMD Radeon HD6990 graphics cards that could make about 88 billion guesses per second against NTLM hashes. As Ars previously reported in a feature headlined "Why passwords have never been weaker—and crackers have never been stronger," Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn. In addition to the power of his hardware, his attack was aided by a 500 million-strong word list and a variety of advanced programming rules.

Using the new cluster, the same attack would move about four times faster. That's because the machine is able to make about 63 billion guesses against SHA1, the algorithm used to hash the LinkedIn passwords, versus the 15.5 billion guesses his previous hardware was capable of. The cluster can try 180 billion combinations per second against the widely used MD5 algorithm, which is also about a four-fold improvement over his older system.

The speeds apply to so-called offline cracks, in which password lists are retrieved by hackers who exploit vulnerabilities on website or network servers. The passwords are typically stored using one-way cryptographic hash functions, which generate a unique string of characters for each unique string of plaintext. In theory, hashes can't be mathematically reversed. The only way to crack them is to run guesses through the same cryptographic function. When the output of a particular guess matches a hash in a compromised list, the corresponding password has been cracked.

The technique doesn't apply to online attacks, because, among other reasons, most websites limit the number of guesses that can be made for a given account.

The advent of GPU computing over the past decade has contributed to huge boosts in offline password cracking. But until now, limitations imposed by computer motherboards, BIOS systems, and ultimately software drivers limited the number of graphics cards running on a single computer to eight. Gosney's breakthrough is the result of using VCL virtualization, which spreads larger numbers of cards onto a cluster of machines while maintaining the ability for them to function as if they're on a single computer.

"Before VCL people were trying lots of different things to varying degrees of success," Gosney said. "VCL put an end to all of this, because now we have a generic solution that works right out of the box, and handles all of that complexity for you automatically. It's also really easy to manage because all of your compute nodes only have to have VCL installed, nothing else. You only have your software installed on the cluster controller."

The precedent set by the new cluster means it's more important than ever for engineers to design password storage systems that use hash functions specifically suited to the job. Unlike, MD5, SHA1, SHA2, the recently announced SHA3, and a variety of other "fast" algorithms, functions such as Bcrypt, PBKDF2, and SHA512crypt are designed to expend considerably more time and computing resources to convert plaintext input into cryptographic hashes. As a result, the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses against Bcrypt and 364,000 guesses against SHA512crypt.

For the time being, readers should assume that the vast majority of their passwords are hashed with fast algorithms. That means passwords should never be less than nine characters, and using 13 or even 20 characters offers even better security. But long passwords aren't enough. Given the prevalence of cracking lists measured in the hundreds of millions, it's also crucial that passwords not be names, words, or common phrases. One easy way to make sure a passcode isn't contained in such lists is to choose a text string that's randomly generated using Password Safe or another password management program.

Slides of Gosney's Passwords^12 presentation are here.