Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

New Password Recovery Technique Uses CPU and GPU Together

ScuttleMonkey posted about 7 years ago | from the brute-force-just-means-get-a-bigger-hammer dept.

Security 264

BaCa writes to mention that a new hardware/software combination has been created by a company called ElcomSoft that will reportedly allow cryptography professionals to build cheap PCs that work like supercomputers for the specific task of retrieving lost passwords. Utilizing a combination of the CPU and the GPU the task of brute forcing a password may be reduced by as much as a factor of 25. "Until recently, graphic cards' GPUs couldn't be used for applications such as password recovery. Older graphics chips could only perform floating-point calculations, and most cryptography algorithms require fixed-point mathematics. Today's chips can process fixed-point calculations. And with as much as 1.5 Gb of onboard video memory and up to 128 processing units, these powerful GPU chips are much more effective than CPUs in performing many of these calculations."

Sorry! There are no comments related to the filter you selected.

What's the point? (4, Funny)

jcicora (949398) | about 7 years ago | (#21076625)

So what, will hackers be able to use my computer to crack my password 25 times faster now?

Re:What's the point? (5, Funny)

halivar (535827) | about 7 years ago | (#21076695)

If they have access to your video card, they can peek behind the pixels to see what's under the "*******". I think. Or something.

Re:What's the point? (2, Funny)

morgan_greywolf (835522) | about 7 years ago | (#21076899)

Oh noes! Then they will know my password!

Wait! There must be some uses of this technology for pr0n.

Re:What's the point? (0, Offtopic)

kitsunewarlock (971818) | about 7 years ago | (#21077011)

Using a video card for porn! Genius! *tips beer*

Re:What's the point? (4, Funny)

FlyByPC (841016) | about 7 years ago | (#21077035)

Heh. Little do they know that ********* is my password!

Re:What's the point? (3, Funny)

Anonymous Coward | about 7 years ago | (#21077167)

All your **** are belong to us!

Re:What's the point? (1)

Constantine XVI (880691) | about 7 years ago | (#21077629)

Wow! I didn't expect my GPU-powered password cracker to be that fast!

Re:What's the point? (1)

Joe The Dragon (967727) | about 7 years ago | (#21077639)

no you just need access to the api that makes the *****

Nothing for you to see here. Please move along. (1)

Cro Magnon (467622) | about 7 years ago | (#21076637)

Looks like the old password recovery system to me. :)

Re:Nothing for you to see here. Please move along. (1)

Tablizer (95088) | about 7 years ago | (#21076709)

Looks like the old password recovery system to me.

But now you can play Doom while you wait.

Just wonderful (5, Funny)

Tablizer (95088) | about 7 years ago | (#21076663)

now IT departments will require passwords to be 30 characters long, with at least 2 digits, at least 2 puncuation marks, mixed case, and use Unicode characters from at least 8 different international languages.

Re:Just wonderful (5, Interesting)

ScytheBlade1 (772156) | about 7 years ago | (#21076737)

I used to think the same. "Eight characters is enough for now, but it's only a matter of time..."

Then I realized that this doesn't mean IT departments will require longer passwords. Rather, this is the death of the password, in place of other authentication methods (smartcard, biometrics, others, and combinations of everything).

It won't be immediate, or close to it... but a 25x increase in the speed of bruteforcing passwords will certaintly speed up the process by which passwords are obseleted.

Re:Just wonderful (1)

Tablizer (95088) | about 7 years ago | (#21076861)

I wonder why a restriction couldn't be put on how many times passwords are tried? Why is somebody able to get the password file to loop on in the first place? Rather than a file, perhaps the password manager needs to be a device and only a device (chip?), not a file, which limits the number of tries per second. Either don't use or don't allow access to passords in declarative (data) form. Make all access have to go thru an interface. And, if the interface is used too many times per minute, it can throttle itself.

Re:Just wonderful (2, Informative)

ScytheBlade1 (772156) | about 7 years ago | (#21076945)

That's not the problem. The problem is primarily people who gain physical access to the hashes, and load them onto much beefier machines to do the processing for them. 100% CPU for days on end will eventually warrant a call to the help desk stating that their computer is "too slow."

While I agree that for this to be a problem, a previous security hole has to exist somewhere, it's more the "what if that happens" that is the problem. If a hash, and just a hash is stolen, it's not exactly going to set off alarms.

Likewise, once unknown person X has your hash, it's over.

Re:Just wonderful (0)

Anonymous Coward | about 7 years ago | (#21077423)

> Likewise, once unknown person X has your hash, it's over.

Only if they also know the salt! []

Besides, I'm sure I met this "unknown person X" character at a party a few months back.

Re:Just wonderful (0)

Anonymous Coward | about 7 years ago | (#21077107)

Well, in general you store the hash somewhere. In combination with other attacks - like say, SQL injection, or some flaw in the chip you mentioned - you might be able to get to the hash. On the other hand it is pretty typical to send some kind of salt to the client and let the client calculate hash(passwd * salt). If you can sniff the result from the network you could try to brute-force it.

Re:Just wonderful (1)

Tablizer (95088) | about 7 years ago | (#21077361)

Well, okay, how about this: use some kind of network service to store and process passwords. The network service would not allow access to the hash file or internal guts, only the interface. The PC with the password must receive the proper response from the proper address. (I know, there's probably a hole there too, like package spoofing, I'm just kicking around ideas.)

Re:Just wonderful (1, Insightful)

Anonymous Coward | about 7 years ago | (#21076889)

I'm not a security expert, but it seems to me that passwords are still useful in a variety of contexts, even if they can in principle be brute-forced. First of all, modern password systems should lock-down after multiple failed attempts (or use exponentially increasing lock-out intervals, or whatever). Furthermore, it should be obvious that the password hash itself should be guarded as much as possible. If done properly, this reduces the chances an attacker has to actually use a brute-force technique. (In which case, reasonably strong 8-character passwords already create an impossibly large parameter space to guess a password.)

I agree that other forms of authentication will become more commonplace, but I think passwords will continue to be used in a variety of circumstances. At a minimum, they will be no doubt continue to be used as part of some two-factor authentication systems.

Re:Just wonderful (1)

brian.gunderson (1012885) | about 7 years ago | (#21077125)

Speaking of biometrics, I once heard someone mispronounce 'Retinal Scan' as 'Rectal Scan'... Now *that* would be interesting...

Re:Just wonderful (1)

morgan_greywolf (835522) | about 7 years ago | (#21077195)

I already don't allow the use of passwords on SSH authentications, which is the only service exposed to the Internet at all on my network. Try brute-forcing a 2048-bit RSA key. Good luck!

Anyway, since a network login can be done with a smartcard, why not an authentication mechanism using a USB stick drive containing the private RSA key? Maybe the USB stick drive could even refuse to work unless first authenticated by a thumbprint? Flash memory's gettin' cheaper all the time, right?

Not really: just add 1 letter (5, Interesting)

Anonymous Coward | about 7 years ago | (#21077409)

Add 1 letter and you've increased the time it takes to hack by 26x (although it's probably closer to 100x with punctuation and the like). So 25x is irrelevant. So is 250x. Only something that makes it non-exponential would really make a difference.

Re:Just wonderful (2, Informative)

sco08y (615665) | about 7 years ago | (#21077481)

It won't be immediate, or close to it... but a 25x increase in the speed of bruteforcing passwords will certaintly speed up the process by which passwords are obseleted.

It means the search space needs to be 25 times as big. That means the password needs one more letter.

Re:Just wonderful (0)

Anonymous Coward | about 7 years ago | (#21076777)

Yes, but when a user forgets their 30 character password we'll now have the firepower to recover it for them!

Re:Just wonderful (1)

Tablizer (95088) | about 7 years ago | (#21076917)

Yes, but when a user forgets their 30 character password we'll now have the firepower to recover it for them!

Not if half of all users have the same problem.

"Hey, since your PC cannot be used because you forgot your password, can I borrow it for a while to help crack lost passwords?"

Re:Just wonderful (5, Funny)

justin12345 (846440) | about 7 years ago | (#21076927)

I guess they are going to have to start making long, rectangular post-it notes now.

they already do (1)

Ungrounded Lightning (62228) | about 7 years ago | (#21077331)

I guess they are going to have to start making long, rectangular post-it notes now.

They already do. 3" x 5" for starters.

(The ones in my desk organizer are from Staples but I think 3M makes "real post-its" in that size, too.)

Re:Just wonderful (1)

legirons (809082) | about 7 years ago | (#21077493)

"now IT departments will require passwords to be 30 characters long, with at least 2 digits, at least 2 puncuation marks, mixed case, and use Unicode characters from at least 8 different international languages." []

Re:Just wonderful (2, Interesting)

slyn (1111419) | about 7 years ago | (#21077577)

I never got why people have so much trouble making up and remembering long passwords. I'm going to assume everyone here understands leetspeak, and enjoys something (i apologize to all the chronically depressed, i'm not trying to be an insensitive clod).

If you like music, use lyrics and translate them into leet. Example: WelcomeToTheJungle becomes W31c0m3707h3Jung13
If you like movies, use famous quotes and translate them into leet. Example: FranklyMyDearIJustDontGiveADamn becomes Fr4nk1yMyD34r1Jus7D0n7G1v34D4mn
If you think your funny, use jokes and translate them into leet. Example: ThisWebServerIsASeriesOfTubes becomes 7h1sW3b53rv3r15453r13s0f6ub3s
If you have need a password for root on /., use the tagline and translate it into leet. Example: NewsForNerdsStuffThatMatters becomes N3w5F0rN3rd557uff7h47m4773r5

All these passwords are extremely easy to remember, and if you have a standard translation method (ie: 1 is always I and never L) you will prevent confusion that could lead to you forgetting your password. For added protection add symbols like Pipe for L or ? for Q.

Re:Just wonderful (1)

NotQuiteInsane (981960) | about 7 years ago | (#21077581)

What's the point?
Everyone's just going to pick a password that meets the requirements, then add "#1" to the end of it. Then they just increment the number every time they're forced to change it...

password recovery (1)

alex_vegas (891476) | about 7 years ago | (#21076689)

is about as bad a euphemism as 'terminate with extreme prejudice'...

Re:password recovery (1)

Phoenixhunter (588958) | about 7 years ago | (#21076801)

Time to start getting alt-key ASCII keys in there... Alt-255 anyone?

Government Motto (4, Funny)

wildsurf (535389) | about 7 years ago | (#21076701)

If brute force isn't working... you aren't using enough of it.

Re:Government Motto (5, Funny)

Bandman (86149) | about 7 years ago | (#21076887)

it is important to realize that any lock can be picked with a big enough hammer.
-Sun System & Network Admin manual

From TFA: (4, Funny)

Anti_Climax (447121) | about 7 years ago | (#21076705)

For example, the logon password for Windows Vista might be an eight-character string composed of uppercase and lowercase alphabetic characters. There would about 55 trillion (52 to the eighth power) possible passwords. Windows Vista uses NTLM hashing by default, so using a modern dual-core PC you could test up to 10,000,000 passwords per second, and perform a complete analysis in about two months. With ElcomSoft's new technology, the process would take only three to five days, depending upon the CPU and GPU.
I can't tell if the proper response to this is to recommend longer passwords or advise against using Windows Vista

Oh wait, both.

Re:From TFA: (4, Interesting)

Otto (17870) | about 7 years ago | (#21076767)

Or to just stop using passwords. Why can't I login with a USB key that has some piece of information which is signed using my private key on it?

Re:From TFA: (1)

dvice_null (981029) | about 7 years ago | (#21077113)

Nowadays the locks in the cars are nearly impossible to open without the key. So what do criminals do? They steal the keys. So USB key is obviously not the perfect solution for this problem.

But what if we would protect the data on the USB key with a password...

Re:From TFA: (4, Interesting)

blhack (921171) | about 7 years ago | (#21077273)

True, but it you create an easy way for a user to disable their own account this isn't as much of a problem. Create a 1.800 where you put in a (much easier) password that will allow you to disable access to your account. This way, if your key gets stolen, you just go into I.T. in the morning and have them issue you a new one.

Not to mention the fact that when talking about password, your biggest enemy is some phiser sitting in russia....who is NOT very likely to fly to the states to steal your key. If your data actually is important enough to justify a hiring somebody to steal it, then chances are you are using biometrics/bullets to lock people out anyhow. If you're not, then tell you CIO to stop spending money on frosted glass NOCs that are suspended from the ceiling above your data center that is kept at a constant 42 degress and tell him to start spending it on real engineers.

Re:From TFA: (1)

Constantine XVI (880691) | about 7 years ago | (#21077515)

Seems like that method would open up a new DoS vector, just brute-force the disable passwords until everyone's locked out

Re:From TFA: (2, Interesting)

blhack (921171) | about 7 years ago | (#21077679)


lUser: 1.800.pas.swrd
Phone Operator: Hello, this is Ryan in the I.T. department, how may I help you?
lUser: Omg! i left my purse on the table in the restaurant, my key was in there....will you disable my account?
Phone Operator: Sure may i have the password?
lUser: The password is bananas
Phone Operator: No, thats not the password, you only get two more tries before I call the number we have on file for this user and ask her what the problem is.
lUser: AHHH AHHA AHHHHHH is the password, uhhh....... *click*

Re:From TFA: (1)

AK Marc (707885) | about 7 years ago | (#21077499)

Nowadays the locks in the cars are nearly impossible to open without the key. So what do criminals do? They steal the keys. So USB key is obviously not the perfect solution for this problem.

It's a great solution to the problem. They have to get physical access to you. That will stop 99.99% of all password cracks. Almost all are done remotely, often through security vulnerabilities (including stupid users). Only the most targeted attacks (someone that doesn't want random computers for bots or to break into the easiest sites he can get into, but wants into your computer and only your computer) will someone try to get the USB key. It may not be 100% effective, but it would stop almost 100% of current attacks.

Re:From TFA: (1)

blindd0t (855876) | about 7 years ago | (#21077213)

Well, I can't be the only one who would run that sort of thing through the washer and dryer... Perhaps that with a backup/secondary USB key would suffice? Furthermore, people would require some training/guidance on physical security with that sort of thing (i.e. telling them to keep it with their house/car keys). People already write their passwords and leave that on their desk, and leaving the physical usb key on the desk would be no better. What could be really cool, however, is if the device doubled as your key-card to get into the office.

Re:From TFA: (3, Informative)

DeadBeef (15) | about 7 years ago | (#21077221)

If you are connecting to Linux or a BSD or anything else that runs openssh, then you can have something along these lines now. Setup an openssh DSA key, copy the public key to whatever machines you need to log into and then you can disable password logins in /etc/ssh/sshd_config altogether. If you are running Linux then for extra credit configure pam_ssh to get single sign on with an ssh key agent. If you are running windows as your client then you will have to make do with putty and pagent.

Passwords are so last century.

Re:From TFA: (1)

Joe Snipe (224958) | about 7 years ago | (#21077287)

Why can't I login with a USB key that has some piece of information which is signed using my private key on it?

because I stole the key from you while you were getting a starbucks?

Re:From TFA: (2, Interesting)

Deadplant (212273) | about 7 years ago | (#21077379)

Because USB is insecure.
(assuming XP) When you plug in your USB key to login to your banking website it reads the signed key/password/whatever and signs you in. Great. Meanwhile... your screen-saver and the 'search bar' you installed also read your key and upload it to Mr. Nasty.

What you would need is a USB key with a processor to do the signing/challenge response internally.

Re:From TFA: (1)

Schraegstrichpunkt (931443) | about 7 years ago | (#21077585)

What you would need is a USB key with a processor to do the signing/challenge response internally.

And a built-in user interface that lets you know what challenge you're providing a response to.

Re:From TFA: (1)

sco08y (615665) | about 7 years ago | (#21077623)

Why can't I login with a USB key that has some piece of information which is signed using my private key on it?

Better: a CAC reader (~ $25) and a smartcard. I can use my military ID to log into my AKO (an awful Army portal web site) account from Safari (on OS X 10.4) without installing any software on the client side. And, of course, if you install lots of crap and have an elaborate set up you can use it to log into Windows. Without much work, I can use it to sign code and emails and what not.

Why not use a USB key? Simple: the smart card takes a PIN. Get it wrong three times, and the card locks up. The USB stick can be brute forced.

Re:From TFA: (1)

moderatorrater (1095745) | about 7 years ago | (#21076933)

And you can't forget to factor in the fact that on average a password will be found in half the time of an exhaustive search, so you're looking at a day and a half to two and a half days per password. When you're hacking the right computer, that's completely and perfectly acceptable.

Re:From TFA: (1)

swimin (828756) | about 7 years ago | (#21077659)

Checking a whole list of passwords adds trivial time to the operation, so it is possible to crack a huge list of passwords in that same amount of time.

Furthermore, if the application is intelligent, password cracking is a highly parallelizable job, so it could easily be split across multiple computers, easily further reducing the time, to the order of hours.

Re:From TFA: (1)

TimothyDavis (1124707) | about 7 years ago | (#21077509)

Wouldn't you have to have access to the password hash to even begin to use this?
Also, a salt would prevent this as well.

Pricing, What About SLI/CrossFire? (4, Interesting)

eldavojohn (898314) | about 7 years ago | (#21076715)

Pricing for these apps is pretty steep [] at $1,299 per machine license. Well, maybe not so steep if you consider how valuable it could be for you. It doesn't say if that has the GPU utilization with it yet or not.

Also, I wonder if they've investigated using SLI & CrossFire with these. That seems like something obvious to me but not included in the article. I'm unaware of their implementation but it sounds like it could be parallelized--and accross 2 or even 4 cards, that could get hilariously powerful.

Re:Pricing, What About SLI/CrossFire? (3, Interesting)

CastrTroy (595695) | about 7 years ago | (#21076791)

And how much more efficient is this than using">Rainbow tables [] . Using rainbow tables, Ophcrack can break passwords in seconds.

Re:Pricing, What About SLI/CrossFire? (1)

silas_moeckel (234313) | about 7 years ago | (#21076989)

Actually this could really speed up generating those tables, really RT's is a clever way of indexing the results of a brute force attack. It still takes piles of disk space to keep the tables around though I can fit a lot of them on cheap disk these days.

Re:Pricing, What About SLI/CrossFire? (1)

caseih (160668) | about 7 years ago | (#21077363)

ophcrack is for cracking LM hashes, not SSHA or even MD5 hashes.

Re:Pricing, What About SLI/CrossFire? (2, Informative)

Nathanbp (599369) | about 7 years ago | (#21076797)

Nvidia's CUDA, which is what they're talking about, supports multiple graphics cards in the same computer. You don't actually use SLI, just run programs on multiple graphics cards. They've demoed systems with 3 8800GTXs (they take up 2 expansion card slots each, so you can't fit more than that in a single normal sized desktop case).

Nice euphemism (3, Insightful)

otmar (32000) | about 7 years ago | (#21076721)

"Password Recovery" sounds so much more benign than "Cracking Passwords".

Hello, Mr. Orwell. *wave*

improper newspeak usage citizen (1)

circletimessquare (444983) | about 7 years ago | (#21077075)

this kind of thing is not considered orwellian, it's considered "forward thinking"

please get your newspeak euphenisms right

Finally, (5, Funny)

Tablizer (95088) | about 7 years ago | (#21076741)

I can now release the 12,000 monkeys I kidnapped for the task.

Re:Finally, (1, Funny)

Anonymous Coward | about 7 years ago | (#21076885)

Give 'em to me. I need to generate some good strong passwords.

Re:Finally, (1)

Tablizer (95088) | about 7 years ago | (#21077175)

Give 'em to me. I need to generate some good strong passwords.

Try the Whitehouse, I hear some escaped to there. (*ducks*)

PS3 (1)

Nom du Keyboard (633989) | about 7 years ago | (#21076799)

I thought this was the task for the PS3. Maybe you can use it's GPU in addition to its Cell.

Re:PS3 (1)

lexarius (560925) | about 7 years ago | (#21077267)

Not if you're using Linux. The GameOS hypervisor currently blocks access to the GPU. All you've got is framebuffer.

Re:PS3 (1)

LordHatrus (763508) | about 7 years ago | (#21077293)

The GPU of the PS3 is greatly disabled in PS3's linux mode via Sony's hypervisor, probably to keep 3rd party games, indie dev, etc out of the picture. So that's a negative. Unless Sony wants you to. :-)

Patentable? (1)

Predius (560344) | about 7 years ago | (#21076805)

I wonder what's patentable about using a cpu thats a better fit to get the job done quicker?

Re:Patentable? (1)

querist (97166) | about 7 years ago | (#21077059)

I am not sure this could be patented. (IANAL, etc.)

This looks like a new spin on the old Commodore 64 trick of pushing computation tasks off to the CPU in the model 1541 floppy drive. It is interesting that someone has done it. I am sure many of us have thought about this, but the folks at ElcomSoft actually did it.

Pretty cool, IMHO. Also, somewhat frightening.

And, just for fun, I need to add the obligatory "...but imagine a Beowulf cluster of these!"

Actually, that would be interesting - sort of a nested cluster effect.

ElomSoft have been marketing this stuff for years (0)

Anonymous Coward | about 7 years ago | (#21076819)

But even paranoid people needn't worry: none of it works very well, if at all.

Just try cracking the password on a RAR file. Unless it's something truly braindead, such as, say, "123", in about two weeks the ElcomSoft password-cracking app will tell you that it couldn't crack it.

what else (1)

CubicleView (910143) | about 7 years ago | (#21076833)

What else would this be useful for. This isn't a rhetorical question, I'm too lazy to look it up. Is this relevant for video encoding, and other regular consumer stuff?

How does this qualify for a patent? (4, Insightful)

Nathanbp (599369) | about 7 years ago | (#21076837)

What seems to have been missed in the discussion so far is that this company is applying for a patent on their technique, which they claim is "revolutionary." I really hope that this doesn't get granted, as it would open a whole new realm of stupid patents for "X on a graphics card," which is about as stupid a patent as "X on the internet."

Re:How does this qualify for a patent? (1)

moderatorrater (1095745) | about 7 years ago | (#21076971)

Using normal standards of prior art, the NVidia dev kit for their GPU and the folding@home application on ATI video cards should be enough to show that "on a video card" is pretty standard nowadays.

Not so new but still neat. (4, Informative)

jshriverWVU (810740) | about 7 years ago | (#21076845)

This project has been around for a long time: [] Though I agree modern GPU's are even more useful for general purpose computing.

Define "lost password" (2, Interesting)

frovingslosh (582462) | about 7 years ago | (#21076855)

I've read the article (such as it is), and it keeps claiming that this is a technique to recover "lost passwords". But I don't really believe that is the purpose of this software, and I have to ask "What is the difference between a 'lost password" and a password that belongs to someone else and not you?". Does anyone else really believe that the actual use of this software will be to assist the majority of users recover their own passwords? I do not. I suspect it might be harder to patent a tool for identity theft than for recovering "lost passwords" though.

Re:Define "lost password" (0)

Anonymous Coward | about 7 years ago | (#21077141)

Well brute-forcing a password from a hash is indeed what you would have to do to recover a lost password. Although, I do have trouble imagining and instance where a sysadmin would have access to the password hash but not have the ability to reset the password itself.

But really, this system is useless for a nefarious hacker unless they have already someone obtained the password hash. Obviously using this system means the hacker will now be able to determine your password in 5 minutes instead of 2 hours, but that's hardly your biggest concern: if a hacker has reached the point where he is examining your password hashes, then you already have a serious breach of your system!

So, really, I don't see how this machine could be a general-purpose cracking tool. No matter what, you still need to steal the password hash, which already requires exploiting some sort of vulnerability.

Re:Define "lost password" (1)

DrSkwid (118965) | about 7 years ago | (#21077439)

Most computer crime is from the inside. Inside people already have elevated access to stuff like your hashed password.

Re:Define "lost password" (1)

querist (97166) | about 7 years ago | (#21077145)

The difference between a "lost password" and "cracking someone else's password" revolves around the legal right to access the information.

"lost password" situations (obviously, not an exhaustive list):

I could forget a password for something. I've done it before, and I'm sure I'll do it again.

I could be hit by a bus and my employer will need access to my encrypted files. (Granted, we have a better system to handle this, but I think you understand.)


trying to access your soon-to-be-ex-wife's files to find evidence that she's having an affair.

trying to access files you "found" or copied that you really should not be reading anyway.

As you can see, the main difference revolves around the legal right to access the information. They are both "password recovery" or "password cracking", but the former has connotations of legitimacy while the latter (in most social circles, at least) bears a connotation of illicit activity.

That said, I agree that it will more likely be used for illicit activity, but this application clearly has legitimate uses as well.

Re:Define "lost password" (1)

copyright and tm law (918397) | about 7 years ago | (#21077425)

I've actually bought two of this company's products to recover, yes, my own lost passwords. One in a WordPerfect document and the other in a .zip archive. Seeing how short a time it took to get both passwords (my fingers had just left the ENTER key), and knowing how little the programs cost, I started saving the important stuff using PGP. That may no longer be sufficient. Seriously, though, if this results in smaller operations than the NSA being able to get passwords through the use of the type of computers available to say your local police department, it may mean that stronger encryption systems may not be the barrier they have been. Watch out bad guys. (One of my favorite PGP crack involved a keylogger. A FBI agent looked at the password they recovered and thought it looked naggingly familiar; and then it hit him: it was the federal prison I.D. number for the suspect's father.)

Elcomsoft (1)

ptrace (1078855) | about 7 years ago | (#21076869)

Isn't this the same Russian company that sells tools to crack Microsoft Office file passwords? Sorry... I mean "recovers" Office passwords.

Re:Elcomsoft (2, Informative)

GiMP (10923) | about 7 years ago | (#21076999)

This is the company with which Dmitry Sklyarov was employed at the time of his arrest by the FBI, back in 2001. Before his arrest, at a conference, Dmitry made a presentation on cracking Adobe's eBook DRM. The method used for this crack was utilized in Elcomsoft's Advanced eBook Processor software.

This was really big news back in 2001-2002, although I guess thats a bit too long ago for most slashdot readers, since I (surprisingly) haven't seen any other comments mentioning this.

What about FPGAs? (2, Insightful)

FlyByPC (841016) | about 7 years ago | (#21076891)

FPGAs (Field-Programmable Gate Arrays) sound like they would be just the ticket for SIMD (single-instruction-multiple-data) calculations such as this. Configure up a bunch of FPGA chips to do the encryption calculations on a zillion combinations in parallel...

Cool, but a Linux Boot CD would be ALOT cheaper... (4, Informative)

Zymergy (803632) | about 7 years ago | (#21076961)

Petter Nordahl-Hagen's Offline NT Password & Registry Editor: []
NOTE: Tested on: NT 3.51, NT 4 (all versions and SPs), Windows 2000 (all versions & SPs), Windows XP (all versions, also SP2), Windows Server 2003 (all SPs), Vindows Vista 32 and 64 bit.

Irony? (" a company called ElcomSoft...") (5, Informative)

ClayJar (126217) | about 7 years ago | (#21077005)

I'm just wondering, should I take the summary as intentionally ironic (i.e. as if it had referred to an operating system "by a company called Microsoft"), or should I assume it was written by someone *fascinatingly* oblivious to the recent history of decryption software and the disputed legalities thereof? An informed, non-ironic summary would simply say, " ElcomSoft...", of course.

For any of you who may have been living under a rock (possibly on another planet), ElcomSoft is the company that was employing Dmitry Sklyarov, who was arrested in the US on DMCA charges when he'd come to present at a conference. Wikipedia has more [] .

Re:Irony? (" a company called ElcomSoft...") (1)

GiMP (10923) | about 7 years ago | (#21077299)

> arrested in the US on DMCA charges when he'd come to present at a conference.

Something particularly notable since at the time, the DMCA was a very new law. It was, I believe, the first notable case putting the DMCA to test in court. Furthermore, the case was a particular rallying point amongst geeks, not only because of the potential consequences it had for US Citizens, but also for visitors to the US; Dmitry had at worst provided a presentation in the US. (he did not develop or design anything on US soil, nor was he a US citizen)

In the end, Elcomsoft was acquitted and fears were subsided. However, comments from the case indicate that foreign nationals developing software to circumvent DRM may not be advised to travel to the US. It appears that Elcomsoft was only acquitted based on their motives, not based on the legality of their actions, which jurors commented that they believed were in fact illegal.

Can the GPU handle more diverse tasks? (1)

Frozen Void (831218) | about 7 years ago | (#21077015)

Like searching chess positions or recognizing text? I was under the impression it very limited and requires specific types of input with restrictions on which operations can be used.

Re:Can the GPU handle more diverse tasks? (1)

compro01 (777531) | about 7 years ago | (#21077399)

modern GPU's have been becoming increasingly general purpose since the introduction of programable shaders.

NVIDIA's CUDA [] and ATI's CTM [] are examples of this.

If the GPU is that fast.... (1, Insightful)

lena_10326 (1100441) | about 7 years ago | (#21077033)

...why not just put the OS on the GPU and use the CPU for mundane things? :)

This is utterly pointless... (1)

geekmux (1040042) | about 7 years ago | (#21077055)

With the advent of rainbow tables, coupled with the fact that 95%+ of the general population uses passwords less than 15 characters in length, there's not much business left for true cracking in Windowsland. Perhaps looking at the core problem (NTLM "encryption") as part of the solution? I could be spitballing here tho... /sarcasm

Pie in the sky hardware (2, Interesting)

dfn_deux (535506) | about 7 years ago | (#21077085)

Anyone car to point me to one of these mythical video cards with 128 processors and 1.5 gig of fast on board memory? Also, at the price point they are asking for this software (1200USD per seat) it seems like this is hardly cost competitive with doing this same sort of thing using commercially available FPGA dev/prototype boards and open source software designed for this EXACT task.

Re:Pie in the sky hardware (0)

Anonymous Coward | about 7 years ago | (#21077315)

You can go into any computer store and buy a nVidia 8800 GTX with 128 stream processors and 768MB memory. You can get more of everything by going for something out of the workstation series of graphics cards. Or using two. Or four.

Re:Pie in the sky hardware (1)

Mr. Sketch (111112) | about 7 years ago | (#21077551)

Video cards don't have 128 processors exactly, but each processor can have 128 separate instruction pipelines (SIMD 'stream' processors) which can run in parallel [] . The programmer just loads a small amount of code into each of these stream processors and lets it crank away at the data. In graphics processing, these stream processors are used for per-pixel and per-vertex shading.

Re:Pie in the sky hardware (1)

Mr. Sketch (111112) | about 7 years ago | (#21077645)

Sorry for replying to my own post, but some more digging turned up this page with details on their HPC products: []
and this is the card with 128 parallel processors and 1.5GB memory: []

Poorly written article (5, Informative)

Deadplant (212273) | about 7 years ago | (#21077153)

And with as much as 1.5 Gb of onboard video memory
Not knowing the difference between a bit and a byte == Fail.

ElcomSoft has discovered and filed for a US patent on a breakthrough technology ... harnessed the combined power of a PC's Central Processing Unit and its video card's Graphics Processing Unit. The resulting hardware/software powerhouse will...
Referring to the (obvious) use of a new library/sdk from NVIDIA to improve performance of an existing application as the "discovery of a breakthrough technology" ==

...allow cryptology professionals to build affordable PCs that will work like supercomputers when recovering lost passwords.
Cut and pasted from "How to write with spin for dummies"

...will be incorporating this patent-pending technology into their entire family of enterprise password recovery applications.
Corporate press release copy and paste == Fail.

Numerous grammatical errors == Fail.

Something is wrong with computer priorities (1)

mi (197448) | about 7 years ago | (#21077197)

Why is the GPU a processor dedicated to nothing but "pretty graphics" so much more powerful than the central multi-purpose processor even at the things like number-crunching?

Is it because the GPU engineers can completely redo the thing from scratch whenever they want to, whereas the CPU-designers are held back by the backwards-compatibility issues?

Computer Science teaches, programmers aren't supposed to have to do "tricks" like this — you code, and the translator (compiler or intepreter) will translate from your programming language to the hardware instructions. It never quite worked this way, but it was much closer — even when the floating-point co-processor (such as x87) was only available in some machines.

What's up?

Re:Something is wrong with computer priorities (0)

Anonymous Coward | about 7 years ago | (#21077437)

Think e.g. memory protection which isn't needed on a GPU and which requires lots of translation to compute the physical address in RAM from the virtual address refered by a running program. This and various other things slows down memory intensive computations. The CPU needs lots of extra stuff to support e.g. a multiuser OS.

Re:Something is wrong with computer priorities (1)

ZorbaTHut (126196) | about 7 years ago | (#21077495)

It's because CPUs are designed to run long streams of sequential instructions very, very quickly, with utterly random access to data, while GPUs are designed to run huge numbers of instructions in parallel very, very quickly, with relatively restricted access to data.

A huge amount of modern CPU design is taken up simply by attempts to predict what will happen next, and attempts to allow blazing through a single long instruction stream as fast as possible. Parallelization gives tremendous speedups, as long as the problem you're working on is actually parallelizable. Password cracking is what's known as an embarrassingly parallel problem, so it's perfectly suited for this sort of processor. An OS, on the other hand, isn't even close to as parallel.

Re:Something is wrong with computer priorities (1)

DrSkwid (118965) | about 7 years ago | (#21077591)

There is nothing wrong except your understanding of the difference between a general purpose CPU and a specialised purpose CPU.

A patent for this... (1)

JimDaGeek (983925) | about 7 years ago | (#21077229)

So someone takes software to brute force crack a password. Throw in a GPU, and wham! A new patent. How is this anything but evolutionary? It certainly is not revolutionary or "innovative".

This is the same damn thing that has been done before, except now a GPU is used to help. That is it. Software patents suck. Real bad.

But does it run Linux? (1)

flyingfsck (986395) | about 7 years ago | (#21077455)

Seriously, it looks like I should boot Linux on the GPU and use the CPU for general I/O. Then my PeeCee will be 25 times faster. See the cool ASCII graphics...

I'll take one of those! (2, Funny)

unix_core (943019) | about 7 years ago | (#21077517)

Hello, I would like to order one of your _cheap_ PCs, specifically the one with 128 GPU:s which I will turn into a supercomputer with this great software. I need it to recover my lost windows password. Thank you. And by the way do you still have those low-energy, standard socket 1.21 gigawatt bulbs?

WTF (1)

GodCandy (1132301) | about 7 years ago | (#21077589)

I have several comments many of which I will refrain from stating here.

1. Its a graphics card. It has a processor. So your trying to get a patent for the ability to use the processor on the graphics card. Needless to say you are using it for an operation other than what was intended but who cares.

2. I already have at least 5 and usually more like 20 brute force attacks aginst a server that host no sites or anything. I guess they just started scanning and found out it was running ssh. Good luck guessing my password. I cant even remember it sometimes. I do think it has 2 languages in it right now, guess I may need to upgrade.

I really don't see the need for a faster way to hack my computer. If you really want in that bad you probably dont need to be there in the first place. Damn script kiddies.


Interesting, but it doesn't matter (2, Interesting)

ZorbaTHut (126196) | about 7 years ago | (#21077643)

unless you're using a crappy password scheme like Vista's, for example.

This is a process that lets you brute-force passwords 25 times faster. That's pretty neat, I'm not arguing that. It's extremely clever. But this speed [i]shouldn't matter[/i], because cracking passwords a mere 25 times faster shouldn't matter either. The problem comes down to how people are designing a lot of password schemes. They're aiming for speed. The article says the new technique can try ten million passwords per second on a single computer. Division tells us that, beforehand, the computer could process 400,000 passwords per second.

When was the last time you had four hundred thousand users logging into a single computer per second?

Checking a password should be slow. Brutally slow. I mean, quite literally, that just checking to see if the user's password hashes correctly should take at least a hundredth of a second. You're not going to have a hundred users logging in per second on a single computer anyway, our modern database-driven sites couldn't handle the load of displaying the login pages, so why are we making our password schemes so flimsy?

If you use a slow password hash generation - and this can be something as simple as iterating MD5 over itself ten thousand times - whoever's trying to brute-force your password scheme is going to have a horrible, horrible time of it. Add a basic salt to the mix and you will not have anything to worry about from this. If your password checker takes a hundredth of a second, then 25 times faster means your adversary is going to spend $1300 on software in order to try 2500 passwords per second. If you have an appropriate salting system that's 2500 passwords for a single user. This is not the death knell for passwords, or anywhere near it. If anything, it's the death knell for crappy password hashes - but it's not even that, since you could trivially foresee things like this years in advance.

Brute-force password cracking, by its very nature, is millions of times more expensive than merely verifying a valid user. From there, it's up to you to determine how safe you want your passwords to be. Personally? I'm fine with wasting a few extra hundredths of a second per user.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?