
An investigation by UKFast has revealed that it is possible to build a super-cracker computer for around the same price as your average low-spec budget desktop PC. Yet unlike your average budget PC, it is claimed that this cybercrime dream machine is capable of processing billions of password combinations per second.

Investigators from UKFast built this low budget but high powered password cracker using two readily available graphics cards to provide the firepower necessary to drive the processing of password combos at such an alarmingly fast rate.

Costing less than £400 ($620), this particular machine was built by the security team at UKFast and could crack a 'complex password' of six random alpha-numerical and special characters in under 90 seconds. Bog standard six character passwords were dead in under a second. Obviously, the longer the password, the longer the time to crack becomes, provided that you stick to the non-dictionary and mixed alpha-numerical and special character construction method. Jump into the realms of the 15 character truly random password, which is my own personal baseline these days, and to be honest it's hardly worthwhile for the bad guys to bother with.

So why does this machine deserve the title of 'super cracker' then? Well that's simple and twofold: firstly, the vast majority of folk out there do not have long and complex passwords and many sites and services still restrict the maximum length of a password and disallow the use of special characters; secondly, these are exactly the kind of computers being put to use by the bad guys in decoding those stolen databases of encrypted (hashed but not salted) usernames and passwords that you read about in the news.

Stuart Coulson, who is head of the security team that built the budget beast, explains that it's "the architecture of the graphics cards" that provides the firepower needed to complete repetitive tasks such as brute force cracking passwords at lower cost and faster speed. "The closest alternative that has this level of cracking power would cost more than £600 just for the graphics card," Coulson continues, concluding, "the fact that this level of power is so readily available to cyber criminals highlights the importance of long and complicated passwords and for businesses to use strong encryption algorithms for their data."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
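
The figures in the article can be turned into a defender's estimate, shown here as an added example that is not code from the article or from UKFast. It derives the guess rate implied by "six random characters in under 90 seconds", scales it to longer passwords, and contrasts an unsalted fast hash with a per-user salted, slow one. Assumptions: a 95-character printable ASCII alphabet, SHA-1 as a stand-in for the fast unsalted hash, and PBKDF2-HMAC-SHA256 with 600,000 iterations as the illustrative hardened scheme.

```python
import hashlib
import hmac
import os

PRINTABLE = 95          # assumption: the 95 printable ASCII characters
SIX_CHAR_SECONDS = 90   # from the article: six random characters in under 90 s


def implied_guess_rate():
    """Guesses per second needed to exhaust 95^6 candidates in 90 seconds."""
    return PRINTABLE ** 6 / SIX_CHAR_SECONDS


def exhaust_seconds(length, rate, alphabet=PRINTABLE):
    """Worst-case time to try every password of exactly `length` characters."""
    return alphabet ** length / rate


def unsalted(password):
    """Fast unsalted digest (the weak scheme): equal passwords, equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_slow(password, salt=None, iterations=600_000):
    """Per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    rate = implied_guess_rate()
    print(f"implied rate: {rate:.2e} guesses/s")
    for n in (6, 8, 10, 15):
        years = exhaust_seconds(n, rate) / (365.25 * 24 * 3600)
        print(f"{n:2d} chars: {years:.3g} years to exhaust")
    pw = "constructed-sample"  # constructed sample value
    a, b = salted_slow(pw), salted_slow(pw)
    print("unsalted digests equal:", unsalted(pw) == unsalted(pw))
    print("salted digests equal:  ", a[2] == b[2])
```

Each extra random character multiplies the exhaustive search time by 95, while the salt forces every stored record to be attacked separately and the iteration count divides the guess rate.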

0

these are exactly the kind of computers being put to use by the bad guys in decoding those stolen databases of encrypted (salted but not hashed) usernames and passwords that you read about in the news.

Sorry, that's absolutely not how encryption works. Salting only means anything in the context of hashing.

0

You'd still be limited by number of attempts if you're cracking something remotely, so no worries folks, we're not "dead" yet.

1

Scorpiono I think you missed the entire point of the article. This article is trying to talk about cracking password hashes after the password database has already been compromised.

2

these are exactly the kind of computers being put to use by the bad guys in decoding those stolen databases of encrypted (salted but not hashed) usernames and passwords that you read about in the news.

Sorry, that's absolutely not how encryption works. Salting only means anything in the context of hashing.

I think he meant Hashed but not Salted, as this was the case with the LinkedIn incident.

Votes + Comments
thanks for spotting that stupid typo which I missed when editing
0

I did, indeed, mean hashed and not salted. Damn my eyes, and thanks for spotting the stupid typo which is now corrected. Oops :)

0

Scorpiono, as Rash has pointed out, the bad guys don't attempt to crack individual passwords from your login screen online. They use these tools to crack already compromised/stolen password hashes offline where they have all the time in the world to do so. The point of the article being, that all the time in the world can equate to no time at all given the right equipment (which is now dirt cheap to put together) and the wrong passwords...

-1

I think he meant Hashed but not Salted, as this was the case with the LinkedIn incident.

Hi

Ironically, LinkedIn may have place you in touch with somebody United Nations agency may have bypassed time unit all at once. that is what networking is all regarding. it is a tool and if you put into effect employing a hammer rather than a screwdriver, sensible luck to you.

Thanks
SEOSAILOR

Votes + Comments
nonsense posting...