

View of the server cabinet of the Hashcat cluster

Source: Jeremi M. Gosney

At the Passwords^12 conference, Jeremi Gosney presented a GPU cluster that enabled him to check 180 billion MD5 hashes per second. With SHA1, Gosney still managed to check an impressive 63 billion hashes per second. More elaborate hashing algorithms can withstand such (brute force) attacks much better: Bcrypt and Sha512crypt only allowed the researcher to check 71,000 and 364,000 combinations per second.

Gosney achieved peak values with LM and NTLM hashes, which are used for authentication on old Windows versions and are also supported on Windows 8 and Windows Server 2012 systems to maintain backwards compatibility. At 348 billion NTLM combinations per second, a password of 8 characters can be cracked in under 6 hours. With the weaker LM hashes from the days of Windows NT, a rate of 20 billion combinations per second means that a strong 14-character password takes just 6 minutes to crack.



The Hashcat cluster is fully packed with graphics cards

Source: Jeremi M. Gosney

The GPU cluster setup is worth mentioning. In terms of software, Gosney uses Virtual OpenCL for the cluster and Hashcat as his password cracker. Both software products were customised for his demonstration, and their current versions now support up to 128 GPUs. Gosney used five 4U servers with a total of 14 graphics cards and combined them via Infiniband connections. The cluster requires seven kilowatts of power.

Such systems are unsuitable for real-time server attacks, but they can be used to crack previously harvested encrypted passwords. Gosney made a name for himself when about 6.5 million LinkedIn passwords were harvested through a security hole and he was among the first security experts to successfully analyse this data. Together with a partner, Gosney managed to reconstruct more than 90% of the passwords.

Password theft in general is a common problem for online services. Many hashing algorithms are outdated and should no longer be used. Password crackers have increasingly focused on the computing power of GPUs and various cloud services can now be hired for such data analyses.

(fab)