Cracking encrypted passwords is getting increasingly easier as researchers come up with new ways of harnessing CPU, GPU and cloud power to perform the task.


The latest of the improvements in this particular research brach comes from Jeremi Gosney (aka epixoip), who at the Passwords^12 conference held earlier this month in Oslo, Norway, shared with the attendees his latest achievement: a cluster of five 4U servers and 25 graphic cards that go through 180 billion MD5 hashes per second.

The servers, equipped with 25 AMD Radeon GPUs and communicating via the InfiniBand switched fabric communications link, make NTLM and LM hashing practically worthless, as a 8-character long NTLM can be cracked in a little over 5,5 hours (at 348 billion hashes per second), and a 14-character LM hash - because the password is split into two 7 char strings before hashing - can be revealed in less 6 minutes flat.

When testing SHA1 hashes, Gosney's system can check 63 billion of them per second, while it takes it considerable more time to decrypt a password hashed with Sha512crypt and Bcrypt algorithms, for which it will able to test 364,000 and 71,000 hashes per second, respectively.

To make this hardware setup work, Gosney used the Virtual OpenCL (VCL) cluster platform and the HashCat password cracker.

According to him, the software he used would work as it should on a setup that included up to 128 AMD GPU's, and possibly even more, as VLC solves the problem of load balancing across the cluster easily.

The limitation of this configuration is that it cannot be used for attacks against live systems, but could be extremely helpful for decrypting the huge leaks of password hasheds that became normal in the last couple of years.

According to The Security Ledger, Gosney plans to recoup some of the money invested in this project by renting out time on the setup or even setting up a paid password recovery and domain auditing service.