Password-cracking chip causes security concerns

R.A. Hettinga rah at
Fri Oct 26 15:24:05 PDT 2007


Password-cracking chip causes security concerns

	*	12:27 24 October 2007

	* news service

	*	Andrew Brandt

A technique for cracking computer passwords using inexpensive off-the-shelf
computer graphics hardware is causing a stir in the computer security

Elcomsoft, a software company based in Moscow, Russia, has filed a US
patent for the technique. It takes advantage of the "massively parallel
processing" capabilities of a graphics processing unit (GPU) - the
processor normally used to produce realistic graphics for video games.

Using an $800 graphics card from nVidia called the GeForce 8800 Ultra,
Elcomsoft increased the speed of its password cracking by a factor of 25,
according to the company's CEO, Vladimir Katalov.

The toughest passwords, including those used to log in to a Windows Vista
computer, would normally take months of continuous computer processing time
to crack using a computer's central processing unit (CPU). By harnessing a
$150 GPU - less powerful than the nVidia 8800 card - Elcomsoft says they
can cracked in just three to five days. Less complex passwords can be
retrieved in minutes, rather than hours or days.

It is the way a GPU processes data that provides the speed increase. NVidia
spokesman Andrew Humber describes the process using the analogy of
searching for words in a book. "A [normal computer processor] would read
the book, starting at page 1 and finishing at page 500," he says. "A GPU
would take the book, tear it into a 100,000 pieces, and read all of those
pieces at the same time."

Benjamin Jun, of Cryptography Research based in San Francisco, US, says
massively parallel processing is ideally suited to the task of breaking
passwords. And, while concerned about the development, Jun also pays
tribute to the achievement: "A number of us have been following advances in
those platforms, and there's a lot of elegant, intelligent design."

Password cracking can be used to unlock data on a computer, but will not
usually work on a banking or commercial website. This is because is takes
too long to run through multiple passwords, and because a site will
normally block a user after several failed attempts.

Jun adds that the trend towards encrypting whole hard drives with
increasingly long cryptographic keys still means it is becoming more
difficult to access sensitive data. "Should I throw away my web server and
run for the hills?" he says. "I don't think so."

NVidia released a software development kit for its graphics hardware in
February 2007. Known as CUDA, the kit lets programmers access the computing
power of the GPU directly. It has gained a following among those with a
need for high-performance computing, particularly in fields such as science
and engineering.

"[CUDA] is a huge thing for the oil and gas industry, for the financial
sector, and for scientists," Humber says. He adds that CUDA is also be
being used by a company called Evolved Machines to simulate the way the
human brain wires itself.

Elcomsoft says it took three months to develop code to take advantage of a
GPU, and the company plans to introduce the feature into some of its
password cracking products over time.

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list