It doesn't matter what your super-unguessable password is. The arms race between the security and hacker communities has produced a devastating new device capable of tearing through lesser password encryption protocols in as little as six minutes.


In the days before the AES and SHA-256 security protocols, Microsoft systems relied on the LM (LAN Manager) hash and its immediate successor NTLM (NT LAN Manager). These protocols were never particularly secure, relying on the same relatively-ancient RC4 encryption algorithm, which was developed more for speed and ease of installation than airtight security, that SSL employs. While Microsoft has long since dissuaded use of these protocols, they remain in use a a means of backwards compatibility with legacy systems.

However, last Monday, data security researcher Jeremi Gosney unveiled a unique desktop rig designed to eviscerate these older protocols in record time. The system employs an Open Computing Language (OpenCL) framework using Virtual OpenCL Open Cluster (VCL) to run HashCat—a dedicated cracking program. Five, quad-core servers, each running 25 AMD Radeon GPUs provide the necessary processing power and the load is split among the five nodes with a 10 to 20 Gbps transfer rate using an Infiniband switch.


The process of brute forcing an LM secured file open really isn't that hard. As he explained to Security Ledger:

LM Is what is used on Win XP, and LM converts all lowercase chars to uppercase, is at most 14 chars long, and splits the password into two 7 char strings before hashing — so we only have to crack 69^7 combinations at most for LM. At 20 G/s we can get through that in about 6 minutes. With 348 billion NTLM per second, this means we could rip through any 8 character password (95^8 combinations) in 5.5 hours.

The clustered cracking system, luckily, isn't particularly effective for attacks against active systems on the Internet and their limited number of login attempts. Instead, it is employed primarily as a means of making large encrypted data sets give up their secrets. During the recent leak of 6.4 million LinkedIn passwords, for example, Gosney's system unlocked between 90 and 95 percent of the password values. [Security Ledger - Wikipedia 1, 2, 3]