27 April 2012

The Brute Force Misconception

The Dream

Not long ago I was doing some research on the topic of brute forcing passwords. I was considering setting up a GPU farm to host a password cracking service.  Basically, people would submit password hashes and I would crack them.  For a price obviously. I envisioned making millions and getting government contracts.

Unfortunately I didn't get past the research and planning phase.

The Reality

Turns out that cracking a password takes forever, as in, longer than 10 minutes - and that makes it a poor business venture.  With the assistance of the fine gentleman over at Cryptohaze.com, I did some number crunching:

I wanted to crack NTLM (Windows).
I wanted to crack a full character space password - meaning all ASCII characters - which totals 95.
I wanted to crack a password that was at least 14 characters long.

Using Google Calculator I get: 95^14 = 4.87674979 × 1027 password combinations.  If you attended 8th grade you should know that that is an enormous number.

"Alright fine." I thought. "I'll just get a ton of GPUs to assist me with the cracking."

An Nvidia 580 card can crack ~2B NTLM passwords / sec. What if I had 1024 cards cracking all at once?

Google Calculator tells me: (95^14) / (2,000,000,000 * 1024) = 2.38122548 × 1015 = 75,508,164.8 years.

Yea, that is right about when my dream of striking it rich went out the window.

The Misconception?

Everybody knows that brute forcing passwords takes a long time, so you are probably wondering why I titled this article The Brute Force Misconception. Here's why:  in the last year or so password cracking has made huge leaps and bounds in terms of cracking speed. This can all be credited to the CUDA programming language allowing access to the massively paralleled Nvidia GPU. People have written programs that exponentially reduce the amount of time it takes to crack a password.  However, even a 10 character password would take nearly a year to crack. Doh!  Well, 1 year is less than 10,000, but still 1 year is a long time.

Granted, an 8 character password takes about a minute (with 1024 Nvidia 580's). However, 10 character passwords are becoming more and more common. AND who has a 1024 GPU farm setup?

In Closing

Weak passwords are easy to crack. That's a no brainer. But brute forcing passwords still takes too long. Don't buy expensive GPU password cracking programs:

You'll be dead and gone before your password is spit out in clear text.

Extra Notes

- Use LastPass - it's awesome.
- Check out Cryptohaze.com - it is an incredible GPU password cracker (with networking capabilities).
- Check out AtlasFolding.com if you are thinking of putting together a small GPU farm.