Modern Passwords Now Less Secure

by Brad Garland

By leveraging an older technology that has been revitalized, researcher Jeremi Gosney has managed to significantly reduce the time it takes to crack hashed passwords. Using Virtual OpenCL, Gosney was able to run 4U servers equipped with 25 AMD Radeon GPUs as a single brute-forcing monster. The system was able to churn through 348 billion (that's billion with a B) hashes per second. With those kinds of numbers, virtually any password is vulnerable in an offline scenario. A 14-character NTLM-hashed password can be cracked in 5.5 hours. LM-hashed passwords can be brute-forced in minutes.

This approach usually isn't going to be helpful in an active attack. The hours-long cracking required makes it more likely in an offline scenario (where the SAM database has been captured), but still quite feasible.