Pen Testing with Distributed Password Recovery and GPUs

March 19th, 2009 by Katerina Korolkova, Director of Public Relations
Category: «Cryptography», «Hardware», «Passwords & Human Factor», «Software»

The German c’t magazine (issue 06/09) has published an article about cracking NTLM hashes with graphics cards. In it, pen test experts from SySS GmbH raise a touchy question: how fast can an intruder break into your system? How long should your Windows logon password be so that you can keep getting your beauty sleep?

Elcomsoft Distributed Password Recovery was run on a dual-core AMD Athlon X2 4850e (2.5 GHz) with an Nvidia GeForce 9800 GTX installed. The cost of the test system is worth the effort: one can fetch it for only $1K.

Now, what is the outcome?

6-character passwords consisting of lowercase and uppercase characters and digits were found in less than a minute. Obviously, 6-character passwords are insecure, and it’s not a surprise after all.

Employees within an organization are normally forced to use at least 8 characters, and 8 characters is what they use, because remembering longer passwords is painful enough. For an 8-character password drawn from all possible combinations of special symbols, uppercase and lowercase letters and digits, the time required for recovery is 82 days. However, the authors say, it is reasonable to shrink the set of tested special symbols to the 22 (i.e. _@#$&+-=%*"~!?.,:;()<>) that are preferred by the majority of users. The time needed to recover an 8-character password consisting of upper/lowercase letters, digits and the 22 most common symbols is 33 days.

The question is how much it would cost an attacker to brute-force NTLM hashes, find the correct password and break into your system in one day. The authors estimated that in this case an attacker needs to invest at least 50,000 euro in powerful graphics adapters, plus electricity and cooling costs.
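The keyspace arithmetic behind these figures can be used to size a password policy. The sketch below is an added example, not code from the c’t article, SySS or Elcomsoft. It assumes that the 33-day figure is the time to exhaust every candidate of exactly 8 characters over the 84-character set, and that guessing speed scales linearly with hardware; all function and constant names are made up for illustration.

```python
# Added example: keyspace arithmetic behind the figures quoted above.
# Assumption: "33 days" is the time to try every 8-character candidate over
# 26 lower + 26 upper + 10 digits + 22 symbols on the single test system.

DAY = 86_400  # seconds

ALNUM = 26 + 26 + 10        # 62 characters
ALNUM_SYM22 = ALNUM + 22    # 84 characters (the article's reduced symbol set)


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters."""
    return charset_size ** length


# Guess rate implied by the 33-day figure (derived here, not a measured value).
IMPLIED_RATE = keyspace(ALNUM_SYM22, 8) / (33 * DAY)


def exhaust_days(charset_size: int, length: int, rate: float = IMPLIED_RATE) -> float:
    """Worst-case days to try every candidate at `rate` guesses per second.
    The expected time to hit one random password is about half of this."""
    return keyspace(charset_size, length) / rate / DAY


def min_length(charset_size: int, target_days: float, speedup: float = 1.0) -> int:
    """Shortest length whose exhaustion time exceeds `target_days` against an
    attacker `speedup` times faster than the test system (linear scaling assumed)."""
    length = 1
    while exhaust_days(charset_size, length, IMPLIED_RATE * speedup) <= target_days:
        length += 1
    return length


if __name__ == "__main__":
    print(f"implied rate: {IMPLIED_RATE:.3g} guesses/s")
    for n in range(6, 13):
        print(f"{n:2d} chars  alnum: {exhaust_days(ALNUM, n):16.2f} d   "
              f"alnum+22: {exhaust_days(ALNUM_SYM22, n):16.2f} d")
    # 33x the test hardware is the scale at which 33 days shrinks to one day.
    print("min length, 84-char set, 30-day rotation, 33x hardware:",
          min_length(ALNUM_SYM22, 30, speedup=33))
```

Each extra character multiplies the work by the charset size, so adding one character to an 84-character-set password buys more than an 82-fold increase in attacker hardware would take away.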

So, do not forget to change your Windows password every 30 days. And thank you for your tests, guys.