Building a budget super-cracker cybercrime computer

Updated happygeek 0 334 Views

An investigation by UKFast has revealed that it is possible to build a super-cracker computer for around the same price as your average low-spec budget desktop PC. Yet unlike your average budget PC, it is claimed that this cybercrime dream machine is capable of processing billions of password combinations per second.

Investigators from UKFast built this low budget but high powered password cracker using two readily available graphics cards to provide the firepower necessary to drive the processing of password combos at such an alarmingly fast rate.

dweb-cracker

Costing less than £400 ($620) this particular machine was built by the security team at UKFast and could crack a 'complex password' of six random alpha-numerical and special characters in under 90 seconds. Bog standard six character passwords were dead in under a second. Obviously, the longer the password so the longer the time to crack becomes providing that you stick to the non-dictionary and mixed alpha-numerical and special character construction method. Jump into the realms of the 15 character truly random password, which is my own personal baseline these days, and to be honest it's hardly worthwhile for the bad guys to bother with.

So why does this machine deserve the title of 'super cracker' then? Well that's simple and twofold: firstly, the vast majority of folk out there do not have long and complex passwords and many sites and services still restrict the maximum length of a password and disallow the use of special characters; secondly, these are exactly the kind of computers being put to use by the bad guys in decoding those stolen databases of encrypted (hashed but not salted) usernames and passwords that you read about in the news.

Stuart Coulson, who is head of the security team that built the budget beast, explains that it's "the architecture of the graphics cards" that provides the firepower needed to complete repetitive tasks such as brute force cracking passwords at lower cost and faster speed. "The closest alternative that has this level of cracking power would cost more than £600 just for the graphics card" Coulson continues, concluding "the fact that this level of power is so readily available to cyber criminals highlights the importance of long and complicated passwords and for businesses to use strong encryption algorithms for their data.”

Member Avatar for Toba
Toba 99 Junior Poster

these are exactly the kind of computers being put to use by the bad guys in decoding those stolen databases of encrypted (salted but not hashed) usernames and passwords that you read about in the news.

Sorry, that's absolutely not how encryption works. Salting only means anything in the context of hashing.

Member Avatar for Rashakil Fol
Rashakil Fol 978 Super Senior Demiposter

Instructions for proper password digestion:

http://codahale.com/how-to-safely-store-a-password/

Edited by Rashakil Fol
happygeek commented: good piece, thanks for the share +11
Member Avatar for Sergiu.BSA
Sergiu.BSA 0 Newbie Poster

You'd still be limited by number of attempts if you're cracking something remotely, so no worries folks, we're not "dead" yet.

Member Avatar for Rashakil Fol
Rashakil Fol 978 Super Senior Demiposter

Scorpiono I tihnk you missed the entire point of the article. This article is trying to talk about cracking password hashes after the password database has already been compromised.

Member Avatar for |-|x
|-|x 126 Junior Poster in Training

these are exactly the kind of computers being put to use by the bad guys in decoding those stolen databases of encrypted (salted but not hashed) usernames and passwords that you read about in the news.

.

Sorry, that's absolutely not how encryption works. Salting only means anything in the context of hashing.

I think he meant Hashed but not Salted, as this was the case with the LinkedIn incident.

happygeek commented: thanks for spotting that stupid typo which I missed when editing +11
Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

I did, indeed, mean hashed and not salted. Damn my eyes, and thanks for spotting the stupid typo which is now corrected. Oops :)

Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

Scorpiono, as Rash has pointed out, the bad guys don't attempt to crack individual passwords from your login screen online. They use these tools to crack already compromised/stolen password hashes offline where they have all the time in the world to do so. The point of the article being, that all the time in the world can eqaute to no time at all given the right equipment (which is now dirt cheap to put together) and the wrong passwords...

Member Avatar for seosailor
seosailor -2 Newbie Poster

I think he meant Hashed but not Salted, as this was the case with the LinkedIn incident.

Hi

Ironically, LinkedIn may have place you in touch with somebody United Nations agency may have bypassed time unit all at once. that is what networking is all regarding. it is a tool and if you put into effect employing a hammer rather than a screwdriver, sensible luck to you.

Thanks
SEOSAILOR

happygeek commented: nonsense posting... -2
Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

WHAT???

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Edit Preview