Windows passwords easily guessed by 25-GPU server

December 9, 2012 – 8:50 PM

Ever wondered how secure the password to your Windows workstation is? Well, as it turns out, it’s pretty insecure when put up against a 25-GPU server cluster running a combination of Linux and freely available password-cracking software suites. Said server, powered by 25 AMD Radeon graphics cards, manages to brute force Windows passwords at a rate of 350 billion guesses-per-second, making short work of eight-character passwords.

In around 5.5 hours the server cluster can try 6.6 quadrillion password combinations, enough to check every possible eight-character password including upper/lower-case letters, digits and symbols. Microsoft’s NTLM cryptographic algorithm, which has been in use since Windows Server 2003, now seems remarkably weak and particularly insecure in some enterprise settings. With access to a hash of a workstation password, this machine will most likely be able to crack it in under a day.

Of course, this machine can only really guess passwords up to eight characters in a reasonable time, as adding just one extra character (to nine characters total) would require 500 hours to crack; 10 characters and you’re looking at 5.4 years of cracking time. However, as many businesses stipulate eight characters as a minimum, there’s a possibility that this machine will make (relatively-speaking) short work of it.

This 25-GPU machine is not limited to just cracking Windows passwords – it also has the power to guess at 44 other algorithms at a blistering pace. It attacks SHA1 at 63 billion guesses per second and MD5 at 180 billion guesses per second, although struggles against some super-tough encryption such as SHA512crypt (just 364,000 guesses per second).


You must be logged in to post a comment.