At a recent conference, Passwords^12, Jeremi M Gosney the Founder & CEO of Stricture Consulting Group, presented his latest password cracking project. Jeremi combined 25 AMD Radeon GPUs, across eighteen cards, and across five servers in a cluster. This beast he created has the ability to make nearly 350 billion (yes, that’s 350 million million!) guesses per second on NTLM secured passwords. It can also make 180 billion guesses per second on MD5 protected passwords and 63 billion guesses per second on SHA-1 protected passwords.

With that said, let’s consider the practicalities of using such a password cracker, the common password storage scenarios and the major changes to password storage that need to be made to protect against this.

Guessing Passwords

To understand the power of Jeremi’s cluster, we first need to understand how to guess passwords.

Passwords are normally made up of alphanumeric characters plus some special characters like: @#$%^. Different companies and different logins within a company have different policies, but there are typically no more than 95 different characters: 26 lowercase letters + 26 uppercase letters + 10 digits + 33 other special symbols. Therefore there are 95⁸ different passwords possible in an 8-character password.

If 348 billion guesses are made in one second then this will require (95⁸ divided by 348 billion) seconds is required to try all possible passwords. This works out at approximately 19064 seconds or nearly 5 hours and 18 minutes. Using a cluster like Jeremi’s is not practical for an online attack but is practical for cracking a database of passwords offline.

Trying all 10-character passwords would take in the order of a year and 12-character passwords would take significantly longer! Such brute force attacks on these passwords would be impractical, but not all security policies, and certainly not all passwords, are that strong.

Performing a dictionary attack (trying words and combinations of words from a dictionary) significantly reduces the number of guesses attempted. This type of attack works well when applied to a stolen database. One specific password might not be guessed, but across the whole database weak passwords will exist and will be found.

Password Storage

The cluster, as described by Jeremi, performs its attack on the stored database of passwords. Passwords can be securely stored in a number of ways. NTLM stores a hash of the password. No extra data is added. Therefore, each guess can be compared to each entry in the database. This means that it would take 5 hours and 18 minutes to find all 8 character passwords in a database secured by NTLM.

Another common mechanism for securing passwords is the salted hash and is used to protect passwords for UNIX logins and commonly used to protect online account passwords. This mechanism commonly stores an MD5 hash of the user’s password with a randomly generated, user-specific value or salt. The salt is public but the results obtained during guesses of one password cannot be used when guessing another password unless rainbow tables (pre-computed tables of partial results) are used.

The results published indicate that it would take no more than twice as long to try all 8-character passwords when MD5 is used. Online sites might instead use SHA-1, but this only doubles the time again, which is less than 24 hours.

New solutions such as RSA Distributed Credential Protection (DCP) have emerged that are designed to add an extra layer of protection and make it significantly more difficult for an attacker to successfully gain access to password or credential data stores.  DCP scrambles, randomizes and splits secrets (like passwords, credentials, pins, answers to life and challenge questions) into two locations, even if these secrets are already hashed and/or salted.

Conclusions

The results published show that the most common techniques of storing passwords are vulnerable to offline attack. They also show that when a password is secured using ‘bcrypt’ or ‘sha512crypt’ the number of guesses possible is dramatically reduced and thus security is dramatically increased. Both algorithms are secure against brute force attacks. But, dictionary attacks will still work against weak passwords.

And this is the crux of the problem: weak passwords, regardless of the mechanism used, are vulnerable. There are different mechanisms available like those employed by RSA Distributed Credentials Protection that separately stores two randomized values based on the hash, making it significantly harder to obtain the database of passwords in the first place.

The cluster created by Jeremi used 25 GPUs. He claims that the software can scale up to at least 128 AMD GPUs. Also GPUs are getting faster with more parallel streams so the number of guesses per second on these dedicated cracking machines is only going to get higher.

Don’t be the next news headline: rethink your password storage.

***This blog contribution was provided by Sean Parkinson, Principal Software Engineer at RSA.***